SSL DN variable unicode handling
mdounin at mdounin.ru
Mon Feb 13 16:01:19 UTC 2017
On Mon, Feb 13, 2017 at 10:19:36AM -0500, Alex Addy wrote:
> While testing the new $ssl_client_s_dn variable (as of 1.11.6) I discovered
> that it doesn't handle unicode characters correctly, Say if I had a user
> cert with a DN of 'CN=доверенная третья сторона' after going through nginx
> it becomes 'CN=\D0\B4\D0\BE\D0\B2\D0\B5\D1\80\D0\B5\D0\BD\D0\BD\D0\B0\D1\8F
> This is not very helpful and unicode support here is the only thing
> preventing our project from using nginx. We are currently using httpd as it
> handles this case in a more friendly way, but would like to move away from
> Is there something I can set to fix this? Is this a bug or is it working as
This is intended.
To produce the $ssl_client_s_dn variable nginx uses the
X509_NAME_print_ex() function with the XN_FLAG_RFC2253 flag. It
doesn't try to preserve multibyte characters unescaped (it is
possible by unsetting the ASN1_STRFLGS_ESC_MSB flag), as it is
unknown if the variable will be used in an UTF-8-friendly
environment or not.
Note well that the form with escaped multibyte characters is
correct as per RFC 4514 (and RFC 2253), as RFC 4514 allows
escaping of any characters. Any complaint software can properly
parse the resulting string to the original DN.
If you need a variable with multibyte characters unescaped for
some reason, it might be a good idea to elaborate what are you
trying to do. May be someone will be able to suggest a better /
alternative way to do this.
More information about the nginx