projects / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 270da80)
Change openssl.cnf to use UTF8Strings by default and not always include issuer
authorDr. Stephen Henson <steve@openssl.org>
Fri, 16 Sep 2005 11:58:28 +0000 (11:58 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 16 Sep 2005 11:58:28 +0000 (11:58 +0000)
and serial versions of AKID.

apps/openssl.cnf patch | blob | history

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 04710f87d57785d714a49e7305a9ba383defc10e..f58a30af432976499d3cf39c8b6557341e8e0eac 100644 (file)
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -110,13 +110,12 @@ x509_extensions   = v3_ca # The extentions to add to the self signed cert
 
 # This sets a mask for permitted string types. There are several options. 
 # default: PrintableString, T61String, BMPString.
-# pkix  : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
+# pkix  : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
 
 # req_extensions = v3_req # The extensions to add to a certificate request
 
@@ -188,7 +187,7 @@ nsComment                   = "OpenSSL Generated Certificate"
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
Unnamed repository; edit this file 'description' to name the repository.