
Author: otmar
CAcert has tried for some time to provide free X.509 certificates based on automatic checks and a web of trust. They never managed to get the root certificate included in the default installations of the major browsers. As I read it, they’ve given up on Mozilla for now.
Aaron forwarded me a link to a blog post by StartCom where they announce that their CA will be included in IE soon. As they are already recognized by Mozilla and Safari, their certs are pretty much as good as any other commercial X.509 cert for servers.
In that respect they are not unique: you can buy commercial-grade certs from various sources, the most popular being Thawte, Equifax, Usertrust, Comodo, and Verisign.
What makes StartCom special is the fact that they give away free certificates, similar to what CAcert is doing. Their enrollment at http://www.startssl.com/ is pretty much straightforward, and getting certificates (either by uploading a CSR or by letting them generate a key) is painless.
Furthermore, they impressed me by:
- Adding priv.at as a valid domain suffix within a few hours after I mailed them.
- Checking the server for which you requested a cert and giving you hints if you made a configuration mistake.
Recommended.
Bumped to top due to updates.
For my current project I look at a lot of X.509 certificates using Dan Sully’s Crypt::OpenSSL::X509 Perl module. I’m not using the version from CPAN, but his current codebase straight from his git repository.
While trying to store information about certs in a PostgreSQL DB which is set to UTF-8, I encountered errors. Some debugging later I found that some of the certs had Umlauts in the subject field. The XS code from Crypt::OpenSSL::X509 wasn’t UTF-8 aware, causing automatic down-conversion to ISO-8859-1, which produced illegal byte sequences when parsed as UTF-8.
After some cursing and debugging I came up with this patch:
--- ../dsully-perl-crypt-openssl-x509/X509.xs 2009-03-06 22:22:44.000000000 +0100
+++ X509.xs 2009-08-17 14:46:00.000000000 +0200
@@ -73,6 +73,15 @@
return sv;
}
+static SV* sv_bio_utf8_on(BIO *bio) {
+
+ SV* sv;
+ sv = (SV *)BIO_get_callback_arg(bio);
+ SvUTF8_on(sv);
+ return sv;
+}
+
+
/*
static void sv_bio_error(BIO *bio) {
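Review bot: sv_bio_utf8_on() calls SvUTF8_on() on the buffer SV without checking that the bytes written to that buffer are valid UTF-8, and without checking that BIO_get_callback_arg() returned a non-NULL SV. Perl will then carry a string flagged as UTF-8 that may still contain malformed sequences, which is the same class of error the patch sets out to remove. Suggest validating the finished buffer with is_utf8_string() (for example in sv_bio_final) and only then setting the flag, or at least documenting that callers must guarantee UTF-8 output.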
@@ -293,8 +302,10 @@
name = X509_get_issuer_name(x509);
}
+ /* this need not be pure ascii, try to get a native perl character string with utf8 */
+ sv_bio_utf8_on(bio);
/* this is prefered over X509_NAME_oneline() */
- X509_NAME_print_ex(bio, name, 0, XN_FLAG_SEP_CPLUS_SPC);
+ X509_NAME_print_ex(bio, name, 0, (XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT) & ~ASN1_STRFLGS_ESC_MSB);
} else if (ix == 3) {
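Review bot: the `& ~ASN1_STRFLGS_ESC_MSB` in the new X509_NAME_print_ex() call clears nothing, because XN_FLAG_SEP_CPLUS_SPC carries no escaping bits; what is passed is effectively the separator plus ASN1_STRFLGS_UTF8_CONVERT. If the intent is to record "no MSB escaping", a comment says that more clearly than a dead mask. The same comment should note that with no ASN1_STRFLGS_ESC_* bits set at all, control characters and the separator itself are emitted raw, so code storing this string (the PostgreSQL use above) must not assume the output is one clean, unambiguous line.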
@@ -799,7 +810,8 @@
n = OBJ_nid2sn(nid);
}
BIO_printf(bio, "%s=", n);
- ASN1_STRING_print(bio, X509_NAME_ENTRY_get_data(name_entry));
+ sv_bio_utf8_on(bio);
+ ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(name_entry),ASN1_STRFLGS_UTF8_CONVERT & ~ASN1_STRFLGS_ESC_MSB);
RETVAL = sv_bio_final(bio);
OUTPUT:
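Review bot: `ASN1_STRFLGS_UTF8_CONVERT & ~ASN1_STRFLGS_ESC_MSB` is a constant expression equal to ASN1_STRFLGS_UTF8_CONVERT, so the mask is dead code here as well; pass the single flag (with a space after the comma) or define one shared flag constant used by both this call and the X509_NAME_print_ex() call so the two paths cannot drift apart. The return value of ASN1_STRING_print_ex() is still ignored, so a conversion failure for an unexpected string type would leave a partially written value that sv_bio_utf8_on() has already flagged as UTF-8.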
Basically, this just tells the openssl library to output UTF-8 and the Perl core that the new strings are encoded in UTF-8.
This might be overkill in the cases where it’s not actually needed, but it should do no harm.
Update: My patch is now in the git repository.
Update2: Life is not that easy. Looking at more X.509 certs in the wild shows that openssl does not check whether it returns a valid UTF-8 string. So stay tuned for additional patches in Dan’s git repository.
Update3: My patches are now integrated in the git version.
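To make the two halves of the fix concrete (what ASN1_STRFLGS_UTF8_CONVERT does, and the validation step that Update2 found missing), here is an added Python example of my own; it is not code from Crypt::OpenSSL::X509 or from OpenSSL. It builds constructed DER DirectoryString samples, converts them to UTF-8 by string type, and only treats the result as text once it decodes cleanly. The per-type rules (one-byte types read as ISO-8859-1, BMPString as two-byte code points, UTF8String content passed through unchanged) are my reading of OpenSSL's conversion behaviour, stated here as an assumption; that pass-through is exactly why a UTF8String carrying an ISO-8859-1 payload reaches the caller unvalidated.

```python
"""Converting X.509 DirectoryString values to validated UTF-8.

Added example, not part of Crypt::OpenSSL::X509 or OpenSSL: it re-implements
what the patch asks OpenSSL to do (ASN1_STRFLGS_UTF8_CONVERT without
ASN1_STRFLGS_ESC_MSB) and adds the validation step that Update2 says OpenSSL
itself does not perform before the string is flagged as UTF-8.
"""

# ASN.1 universal tags for the string types permitted in an X.509 DirectoryString,
# plus IA5String, which shows up in e-mail address attributes.
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_T61STRING = 0x14
TAG_IA5STRING = 0x16
TAG_UNIVERSALSTRING = 0x1C
TAG_BMPSTRING = 0x1E

# Assumed conversion rules (my reading of OpenSSL): one-byte types are read as
# ISO-8859-1, BMPString as two-byte and UniversalString as four-byte big-endian
# code points. UTF8String is absent on purpose: its bytes are passed through
# unchanged, valid or not.
CONVERSION_CODECS = {
    TAG_PRINTABLESTRING: "latin-1",
    TAG_T61STRING: "latin-1",
    TAG_IA5STRING: "latin-1",
    TAG_UNIVERSALSTRING: "utf-32-be",
    TAG_BMPSTRING: "utf-16-be",
}


def der_string(tag: int, value: bytes) -> bytes:
    """Build a DER TLV with a short-form length (enough for constructed samples)."""
    if len(value) > 127:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


def parse_tlv(der: bytes) -> tuple:
    """Split one DER TLV (short- or long-form length) into (tag, value)."""
    tag, length, offset = der[0], der[1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        offset += n
    return tag, der[offset:offset + length]


def raw_value(der: bytes) -> bytes:
    """What a type-unaware consumer sees: the value bytes exactly as stored.
    The same name as UTF8String and as T61String yields different byte sequences,
    so the consumer has to guess an encoding and is wrong for one of them."""
    return parse_tlv(der)[1]


def to_utf8(der: bytes) -> bytes:
    """Emulate ASN1_STRFLGS_UTF8_CONVERT without ESC_MSB: convert by string type
    and emit UTF-8 bytes with no escaping of bytes above 0x7F."""
    tag, value = parse_tlv(der)
    if tag == TAG_UTF8STRING:
        return value  # passed through as-is, whether or not it is valid UTF-8
    codec = CONVERSION_CODECS.get(tag)
    if codec is None:
        raise ValueError(f"not a DirectoryString type: tag 0x{tag:02X}")
    return value.decode(codec).encode("utf-8")


def to_text(der: bytes) -> str:
    """The missing step: treat the converted bytes as UTF-8 text (the analogue of
    SvUTF8_on) only after they decode cleanly. Malformed output is kept as ASCII
    with the offending bytes hex-escaped, the way ASN1_STRFLGS_ESC_MSB prints them,
    instead of being flagged as UTF-8 and rejected later by the database."""
    converted = to_utf8(der)
    try:
        return converted.decode("utf-8")
    except UnicodeDecodeError:
        return "".join(chr(b) if b < 0x80 else f"\\x{b:02X}" for b in converted)


# Constructed samples: the surname "Müller" in three encodings, plus a UTF8String
# whose payload is really ISO-8859-1 (a malformed certificate, as seen in the wild).
UTF8_SAMPLE = der_string(TAG_UTF8STRING, "Müller".encode("utf-8"))
T61_SAMPLE = der_string(TAG_T61STRING, "Müller".encode("latin-1"))
BMP_SAMPLE = der_string(TAG_BMPSTRING, "Müller".encode("utf-16-be"))
BAD_UTF8_SAMPLE = der_string(TAG_UTF8STRING, b"M\xfcller")

if __name__ == "__main__":
    for label, sample in [("UTF8String", UTF8_SAMPLE), ("T61String", T61_SAMPLE),
                          ("BMPString", BMP_SAMPLE), ("bad UTF8String", BAD_UTF8_SAMPLE)]:
        print(f"{label:15} raw={raw_value(sample)!r:24} "
              f"utf8={to_utf8(sample)!r:18} text={to_text(sample)!r}")
```

Run it and the first three rows converge on the same UTF-8 bytes and the same text, while the fourth shows the case Update2 is about: the conversion hands back `M\xfcller` untouched, and only the validation in `to_text` keeps it from being stored as if it were UTF-8.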

This one had more parallel tracks than the recent ones. Came out pretty well, though. The long bridge in the middle didn’t last long, though.
While messing around with X.509 certificates I not only encountered Umlauts, but Extended Validation Certificates as well. All nice and dandy, but these contain special OIDs in the subject field whose names openssl does not know.
Googling around, I found a few references to their names, but no definitive source (especially for a short name).
Anyway, the OIDs in question are under 1.3.6.1.4.1.311.60.2.1. So who is responsible for that OID tree? First step IANA, where we find the OID registry, which tells us:
SMI Private Enterprise Codes: Prefix: iso.org.dod.internet.private.enterprise (1.3.6.1.4.1) See http://www.iana.org/assignments/enterprise-numbers
which I do, and there I find that enterprise number 311 was assigned to Microsoft. They have a nice knowledge base article which lists some Object IDs, but no information on the subtree '60'.
So dear Redmond, what about an update to that page?
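The registry walk above (OID under 1.3.6.1.4.1, enterprise number 311, look it up at IANA) is easy to automate, and in a certificate the OID is not a dotted string but a DER OBJECT IDENTIFIER, which is the form you need in order to recognise an OID that openssl cannot name. The following is an added Python example of mine, not code from the post or from any project it mentions; it goes a little beyond the post by encoding and decoding the DER form as well as extracting the enterprise number. The only page-specific values are the OID and the IANA URL; no vendor names are baked in.

```python
"""Encoding X.509 OIDs and locating the responsible registry.

Added example, not from the post: turns a dotted OID into its DER form (the
shape it has inside a certificate) and back, and extracts the IANA
private-enterprise number so the owner can be looked up in the registry.
"""

# Root of the IANA "SMI Private Enterprise Codes" tree named in the post.
PEN_ROOT = (1, 3, 6, 1, 4, 1)
IANA_ENTERPRISE_REGISTRY = "http://www.iana.org/assignments/enterprise-numbers"

# The EV subject OID arc from the post.
EV_JURISDICTION_ARC = "1.3.6.1.4.1.311.60.2.1"


def base128(n: int) -> bytes:
    """Encode one arc as big-endian base-128 with continuation bits (X.690 8.19)."""
    groups = [n & 0x7F]
    n >>= 7
    while n:
        groups.append(n & 0x7F)
        n >>= 7
    groups.reverse()
    return bytes(g | 0x80 for g in groups[:-1]) + bytes([groups[-1]])


def oid_to_der(dotted: str) -> bytes:
    """Dotted-decimal OID -> DER OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = base128(arcs[0] * 40 + arcs[1]) + b"".join(base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("short-form length only")
    return bytes([0x06, len(body)]) + body


def der_to_oid(der: bytes) -> str:
    """DER OBJECT IDENTIFIER -> dotted-decimal, rejecting malformed encodings."""
    if len(der) < 3 or der[0] != 0x06 or der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OID")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated arc")
    arcs, n = [], 0
    for b in body:
        if n == 0 and b == 0x80:
            raise ValueError("non-minimal arc encoding")  # DER forbids leading 0x80
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]  # the first two arcs share one encoded value
    if first < 40:
        lead = [0, first]
    elif first < 80:
        lead = [1, first - 40]
    else:
        lead = [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def enterprise_arc(dotted: str):
    """For an OID under 1.3.6.1.4.1 return (enterprise number, remaining arcs as a
    dotted string, '' for the enterprise node itself); otherwise None. The number
    is the key into the IANA registry at IANA_ENTERPRISE_REGISTRY."""
    arcs = tuple(int(a) for a in dotted.split("."))
    if arcs[:6] != PEN_ROOT or len(arcs) < 7:
        return None
    return arcs[6], ".".join(str(a) for a in arcs[7:])


if __name__ == "__main__":
    der = oid_to_der(EV_JURISDICTION_ARC)
    print(EV_JURISDICTION_ARC, "->", der.hex(), "->", der_to_oid(der))
    pen, rest = enterprise_arc(EV_JURISDICTION_ARC)
    print(f"enterprise number {pen}, sub-arc {rest}; look up {pen} at {IANA_ENTERPRISE_REGISTRY}")
```

The DER bytes this prints for the EV arc are what you would grep for in a DER dump of a certificate's subject, and `enterprise_arc` gives you the registry key without reading the OID by eye.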
Back from the summer vacation, Clemens demanded that we build some tracks. I obliged and he is now really pushing a train along the tracks.

What’s wrong with Speermint and Drinks
Ken recently expressed doubts about the direction drinks is taking.
During a train ride last week I composed the following reply:
Scaremongering with graphs
Newspapers often enough publish graphs which give wrong impressions on what the numbers behind the diagram actually mean. The usual culprit is a y-axis which does not start with 0, thus visually inflating any trend/changes in the data.
This week I stumbled upon something else:

The article was all about “Do we have to expect more extreme weather in the future thanks to global warming?”. The expert they interviewed kind of rejected the premise that we can deduce anything from one year’s weather. But they wanted to have a scary graph in the article, so they came up with this one.
So what’s wrong? If you compare the temperature and precipitation graphs of one year with the long-term averages, then it’s almost a given that the current year will look more extreme than the averages.
The comparison might make sense if you argue that 2009 is colder/warmer/wetter/drier than the average year, but for comparing weather variance, this is completely worthless.

Fun with RT Scrips
This might be of broader interest to users of RT:
I recently hacked up a small Scrip that tries to merge new tickets generated by mail bounces into the original ticket.
This is similar to what RtBounceHandler is doing, just that it’s implemented as a scrip and not as an external program which runs on incoming mail.
I’ve added my code to the RT wiki.