set string mask utf8only #234

Merged
merged 3 commits into from Apr 15, 2015

@reaperhulk
Member

reaperhulk commented Apr 15, 2015

replaces #115

Spindel added some commits May 31, 2014

Set the string-mask to utf8only
If the subject had UTF-8 characters in it, the encoding chosen by OpenSSL
defaults to T61.

From the OpenSSL source code:
	 * utf8only : only use UTF8Strings (RFC2459 recommendation for 2004).

That was 10 years ago, and the last remnant that had problems with it
was Netscape, which is no longer a problem.

A request changes from:
   13:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   18:d=5  hl=2 l=   9 prim: T61STRING         :Gurka ���

To:
   13:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   18:d=5  hl=2 l=  12 prim: UTF8STRING        :Gurka åäö

OpenSSL/test/test_crypto.py
	Update test DER data to have utf8string.
	( \x0c instead of \0x13, PrintableString )
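
The tag and length change shown in the commit message can be checked without OpenSSL. The following is an added example, not code from this pull request or from pyOpenSSL: a small stdlib-only DER walker that lists the string types in a name attribute and flags T61String values. The function names and the sample attribute are constructed for illustration, and T61String content is decoded as Latin-1, which is how OpenSSL treats it.

```python
# Added illustration (not pyOpenSSL code): list ASN.1 string types in DER data.
STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x14: "T61STRING"}
CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1"}  # T61 read as Latin-1
SAMPLE_CN = "Gurka \u00e5\u00e4\u00f6"  # constructed sample, same text as the commit


def read_tlv(buf, pos):
    """Return (tag, header_len, value_len) for the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not accepted")
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def string_fields(der, pos=0, end=None, depth=0):
    """Yield (offset, depth, header_len, length, type_name, text) per string."""
    end = len(der) if end is None else end
    while pos < end:
        tag, hl, length = read_tlv(der, pos)
        if pos + hl + length > end:
            raise ValueError("TLV at offset %d overruns its container" % pos)
        body = der[pos + hl:pos + hl + length]
        if tag & 0x20:                    # constructed: SEQUENCE, SET, [n]
            yield from string_fields(der, pos + hl, pos + hl + length, depth + 1)
        elif tag in STRING_TAGS:
            yield pos, depth, hl, length, STRING_TAGS[tag], body.decode(CODECS[tag])
        pos += hl + length


def legacy_strings(der):
    """Offsets of T61String values, the type the utf8only mask avoids."""
    return [f[0] for f in string_fields(der) if f[4] == "T61STRING"]


def encode_cn(text, tag):
    """Constructed sample: SEQUENCE { OID commonName (2.5.4.3), string }."""
    value = text.encode(CODECS[tag])
    body = b"\x06\x03\x55\x04\x03" + bytes([tag, len(value)]) + value
    return bytes([0x30, len(body)]) + body


if __name__ == "__main__":
    for tag in (0x14, 0x0C):              # T61String, then UTF8String
        for off, d, hl, ln, name, text in string_fields(encode_cn(SAMPLE_CN, tag)):
            print("%5d:d=%d  hl=%d l=%4d prim: %-17s :%s" % (off, d, hl, ln, name, text))
```

The same nine characters occupy 9 bytes as a T61String and 12 bytes as a UTF8String, which matches the `l=` values in the request dump above.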
@coveralls

coveralls commented Apr 15, 2015

Coverage Status

Coverage increased (+0.0%) to 92.85% when pulling 349e136 on reaperhulk:utf8-time into 0959cb6 on pyca:master.

@coveralls

coveralls commented Apr 15, 2015

Coverage Status

Coverage increased (+2.37%) to 95.22% when pulling 349e136 on reaperhulk:utf8-time into 0959cb6 on pyca:master.

@alex

Member

alex commented Apr 15, 2015

If this has been the default for forever, why do we need to set the global state?

@Spindel

Contributor

Spindel commented Apr 15, 2015

It was only default in the openssl config file. Utf8 was made default in August last year inside the openssl library. But not on all branches.

@coveralls

coveralls commented Apr 15, 2015

Coverage Status

Coverage increased (+2.01%) to 94.87% when pulling 3956ea4 on reaperhulk:utf8-time into 0959cb6 on pyca:master.

@coveralls

coveralls commented Apr 15, 2015

Coverage Status

Coverage increased (+2.37%) to 95.22% when pulling 3956ea4 on reaperhulk:utf8-time into 0959cb6 on pyca:master.

@reaperhulk reaperhulk force-pushed the reaperhulk:utf8-time branch from 3956ea4 to 7f3009b Apr 15, 2015

@coveralls

coveralls commented Apr 15, 2015

Coverage Status

Coverage increased (+0.0%) to 92.85% when pulling 7f3009b on reaperhulk:utf8-time into 0959cb6 on pyca:master.

@coveralls

coveralls commented Apr 15, 2015

Coverage Status

Coverage increased (+2.37%) to 95.22% when pulling 7f3009b on reaperhulk:utf8-time into 0959cb6 on pyca:master.

@hynek

Contributor

hynek commented Apr 15, 2015

@alex it has been explained to me that the current default simply garbles strings.

@reaperhulk I feel like we should add a doc about how to re-instantiate the default behavior?

@reaperhulk

Member

reaperhulk commented Apr 15, 2015

We could I suppose, but where should that live?

@reaperhulk reaperhulk force-pushed the reaperhulk:utf8-time branch from 7f3009b to fdca95d Apr 15, 2015

@coveralls

coveralls commented Apr 15, 2015

Coverage Status

Coverage increased (+2.37%) to 95.22% when pulling fdca95d on reaperhulk:utf8-time into 0959cb6 on pyca:master.

hynek added a commit that referenced this pull request Apr 15, 2015

Merge pull request #234 from reaperhulk/utf8-time
set string mask utf8only

@hynek hynek merged commit fa0a04b into pyca:master Apr 15, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@reaperhulk reaperhulk deleted the reaperhulk:utf8-time branch Mar 11, 2016

jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Apr 20, 2016

leot
Update security/py-OpenSSL to 16.0.0.
Changes:
16.0.0 (2016-03-19)
-------------------
This is the first release under full stewardship of PyCA.
We have made *many* changes to make local development more pleasing.
The test suite now passes both on Linux and OS X with OpenSSL 0.9.8,
1.0.1, and 1.0.2.  It has been moved to `py.test <https://pytest.org/>`_,
all CI test runs are part of `tox <https://testrun.org/tox/>`_ and
the source code has been made fully `flake8
<https://flake8.readthedocs.org/>`_ compliant.

We hope to have lowered the barrier for contributions significantly
but are open to hear about any remaining frustrations.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Python 3.2 support has been dropped.
  It never had significant real world usage and has been dropped
  by our main dependency ``cryptography``.  Affected users should
  upgrade to Python 3.3 or later.

Deprecations:
^^^^^^^^^^^^^
- The support for EGD has been removed.
  The only affected function ``OpenSSL.rand.egd()`` now uses
  ``os.urandom()`` to seed the internal PRNG instead.  Please see
  `pyca/cryptography#1636
  <https://github.com/pyca/cryptography/pull/1636>`_ for more
  background information on this decision.  In accordance with our
  backward compatibility policy ``OpenSSL.rand.egd()`` will be
  *removed* no sooner than a year from the release of 16.0.0.
  Please note that you should `use urandom
  <http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/>`_
  for all your secure random number needs.
- Python 2.6 support has been deprecated.
  Our main dependency ``cryptography`` deprecated 2.6 in version
  0.9 (2015-05-14) with no time table for actually dropping it.
  pyOpenSSL will drop Python 2.6 support once ``cryptography``
  does.

Changes:
^^^^^^^^
- Fixed ``OpenSSL.SSL.Context.set_session_id``,
  ``OpenSSL.SSL.Connection.renegotiate``,
  ``OpenSSL.SSL.Connection.renegotiate_pending``, and
  ``OpenSSL.SSL.Context.load_client_ca``.
  They were lacking an implementation since 0.14.  `#422
  <https://github.com/pyca/pyopenssl/pull/422>`_
- Fixed segmentation fault when using keys larger than 4096-bit to sign data.
  `#428 <https://github.com/pyca/pyopenssl/pull/428>`_
- Fixed ``AttributeError`` when ``OpenSSL.SSL.Connection.get_app_data()``
  was called before setting any app data.
  `#304 <https://github.com/pyca/pyopenssl/pull/304>`_
- Added ``OpenSSL.crypto.dump_publickey()`` to dump ``OpenSSL.crypto.PKey``
  objects that represent public keys, and ``OpenSSL.crypto.load_publickey()``
  to load such objects from serialized representations.
  `#382 <https://github.com/pyca/pyopenssl/pull/382>`_
- Added ``OpenSSL.crypto.dump_crl()`` to dump a certificate revocation
  list out to a string buffer.
  `#368 <https://github.com/pyca/pyopenssl/pull/368>`_
- Added ``OpenSSL.SSL.Connection.get_state_string()`` using the
  OpenSSL binding ``state_string_long``.
  `#358 <https://github.com/pyca/pyopenssl/pull/358>`_
- Added support for the ``socket.MSG_PEEK`` flag to
  ``OpenSSL.SSL.Connection.recv()`` and
  ``OpenSSL.SSL.Connection.recv_into()``.
  `#294 <https://github.com/pyca/pyopenssl/pull/294>`_
- Added ``OpenSSL.SSL.Connection.get_protocol_version()`` and
  ``OpenSSL.SSL.Connection.get_protocol_version_name()``.
  `#244 <https://github.com/pyca/pyopenssl/pull/244>`_
- Switched to ``utf8string`` mask by default.
  OpenSSL formerly defaulted to a ``T61String`` if there were UTF-8
  characters present.  This was changed to default to ``UTF8String``
  in the config around 2005, but the actual code didn't change it
  until late last year.  This will default us to the setting that
  actually works.  To revert this you can call
  ``OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")``.
  `#234 <https://github.com/pyca/pyopenssl/pull/234>`_