Suggestion - & should be a valid char in root/host certificates organization name

Special characters are not allowed in organization name when generating root/host certificates. But ‘&’ is present in a lot of organization names. Why is this character not supported? It is certainly in the basic ASCII character set.

Because when the ovpnmain.cgi code was originally written, the Organisation Name was written to only allow lower and upper case letters, numbers, space, comma, full stop, - and _, and nobody has flagged up that it was insufficient till now.

The use of an & in an Organisation's Name seems very reasonable (e.g. Thomas & Sons).
I would suggest that you flag it up as a bug in the IPFire bugzilla:

https://bugzilla.ipfire.org/
https://wiki.ipfire.org/devel/bugzilla

Your IPFire Community email address and password credentials also work for logging in to the IPFire Bugzilla.

It would be good if you also could think about any other special characters that ought to be present for the Organisation Name or other entries. I note that the City entry would not allow Münich because of the umlaut on the letter u.

1 Like

According to RFC 5280 (for example), Organization Name must be a PrintableString, which doesn’t include ‘&’.
Maybe I’m wrong with the citation, but the restriction is surely from a similar regulation.

1 Like
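As an added illustration (my own example, not code from any post in this thread and not IPFire's ovpnmain.cgi), here is a small Python check that classifies a DN attribute value the way a CA front end could before passing it to openssl. It uses the PrintableString character set from X.680 and the DirectoryString choices and Appendix A length upper bounds from RFC 5280; the attribute names and the function names are my own choice.

```python
import string

# Character set of the ASN.1 PrintableString type (X.680). RFC 5280 lists
# PrintableString as one DirectoryString choice for attributes such as O,
# OU and L; note that '&', '@' and umlauts are NOT in this set.
PRINTABLE_STRING_CHARS = frozenset(
    string.ascii_letters + string.digits + " '()+,-./:=?"
)

# Upper bounds from RFC 5280 Appendix A (ub-organization-name, ub-locality-name, ...).
UPPER_BOUNDS = {"O": 64, "OU": 64, "L": 128, "ST": 128, "CN": 64}


def directory_string_type(value: str) -> str:
    """Return the narrowest DirectoryString encoding that can carry `value`.

    Anything outside the PrintableString set (e.g. 'Thomas & Sons' or 'Münich')
    has to be encoded as UTF8String, which RFC 5280 conforming CAs MUST accept.
    """
    if all(ch in PRINTABLE_STRING_CHARS for ch in value):
        return "PrintableString"
    return "UTF8String"


def check_dn_attribute(attr: str, value: str) -> dict:
    """Validate one DN attribute value: required encoding, length bound and
    the characters that fall outside PrintableString (hypothetical helper)."""
    offending = sorted({ch for ch in value if ch not in PRINTABLE_STRING_CHARS})
    return {
        "attribute": attr,
        "encoding": directory_string_type(value),
        "length_ok": len(value) <= UPPER_BOUNDS[attr],
        "non_printable_chars": offending,
    }


if __name__ == "__main__":
    # Constructed sample values taken from the discussion above.
    for attr, value in [("O", "Thomas & Sons"), ("L", "Münich"), ("O", "Example Ltd.")]:
        print(check_dn_attribute(attr, value))
```

The point this makes for the thread: a web front end does not have to reject '&' on RFC 5280 grounds, it only has to make sure the value ends up encoded as UTF8String rather than PrintableString, and that it stays within the attribute's length bound.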

Starting with version 2.0-beta12, OpenVPN has adopted a consistent approach to string remapping to prevent trusted or semi-trusted peers from sending maliciously crafted strings. The details are discussed in the String Types and Remapping section of the man page.


String Types and Remapping

In certain cases, OpenVPN will perform remapping of characters in strings. Essentially, any characters outside the set of permitted characters for each string type will be converted to underbar (‘_’).

Q: Why is string remapping necessary?

A: It’s an important security feature to prevent the malicious coding of strings from untrusted sources to be passed as parameters to scripts, saved in the environment, used as a common name, translated to a filename, etc.

Q: Can string remapping be disabled?

A: Yes, by using the --no-name-remapping option, however this should be considered an advanced option.

Here is a brief rundown of OpenVPN’s current string types and the permitted character class for each string:

X509 Names: Alphanumeric, underbar (‘_’), dash (‘-’), dot (‘.’), at (‘@’), colon (‘:’), slash (‘/’), and equal (‘=’). Alphanumeric is defined as a character which will cause the C library isalnum() function to return true.

Common Names: Alphanumeric, underbar (‘_’), dash (‘-’), dot (‘.’), and at (‘@’).

--auth-user-pass username: Same as Common Name, with one exception: starting with OpenVPN 2.0.1, the username is passed to the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form, without string remapping.

--auth-user-pass password: Any “printable” character except CR or LF. Printable is defined to be a character which will cause the C library isprint() function to return true.

--client-config-dir filename as derived from common name or username: Alphanumeric, underbar (‘_’), dash (‘-’), and dot (‘.’) except for “.” or “..” as standalone strings. As of v2.0.1-rc6, the at (‘@’) character has been added as well for compatibility with the common name character class.

Environmental variable names: Alphanumeric or underbar (‘_’).

Environmental variable values: Any printable character.

For all cases, characters in a string which are not members of the legal character class for that string type will be remapped to underbar (‘_’).

1 Like
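To make the remapping rules quoted above concrete, here is an added Python model of them (my own example, not OpenVPN's C code and not part of the post). It applies the permitted character class for each string type and replaces everything else with an underbar, refuses the reserved “.” and “..” client-config-dir names, and shows why a path-like common name can never escape the client-config directory. The function names are mine; "alphanumeric" is approximated as ASCII letters and digits, which is what C isalnum() returns in the C locale.

```python
import re

# Permitted character classes per the "String Types and Remapping" section
# quoted above. Each regex matches the characters that are NOT allowed.
ALNUM = r"A-Za-z0-9"
STRING_CLASSES = {
    "x509_name":    re.compile(rf"[^{ALNUM}_\-.@:/=]"),   # X509 Names
    "common_name":  re.compile(rf"[^{ALNUM}_\-.@]"),      # Common Names
    "ccd_filename": re.compile(rf"[^{ALNUM}_\-.@]"),      # --client-config-dir filename
    "env_name":     re.compile(rf"[^{ALNUM}_]"),          # environment variable names
}


def remap(kind: str, value: str) -> str:
    """Replace every character outside the class for `kind` with '_'."""
    return STRING_CLASSES[kind].sub("_", value)


def ccd_filename(common_name: str) -> str:
    """Derive a --client-config-dir filename from a common name.

    After remapping, '/' has become '_', so '../../etc/passwd' turns into the
    harmless file name '.._.._etc_passwd'. The only remaining way to name the
    directory itself or its parent is a bare '.' or '..', which is refused.
    """
    mapped = remap("ccd_filename", common_name)
    if mapped in (".", ".."):
        raise ValueError("common name maps to a reserved filename")
    return mapped


def env_value(value: str) -> str:
    """Environment variable values keep any printable character.

    Printable follows C isprint() in the C locale: 0x20..0x7E inclusive.
    Everything else (control characters, non-ASCII) is remapped to '_'.
    """
    return "".join(ch if 0x20 <= ord(ch) <= 0x7E else "_" for ch in value)


if __name__ == "__main__":
    # Constructed sample inputs; the '&' case is the one this thread is about.
    print(remap("x509_name", "O=Thomas & Sons"))      # O=Thomas___Sons
    print(remap("common_name", "client@example.com"))  # unchanged
    print(ccd_filename("../../etc/passwd"))           # .._.._etc_passwd
    print(remap("env_name", "X509_0_O"))              # unchanged
    print(env_value("line1\nline2"))                  # line1_line2
```

Read against the thread: an Organisation Name containing '&' would survive certificate creation but come out as “Thomas___Sons” wherever OpenVPN hands the X509 name to scripts or the environment, which is exactly the remapping the man page describes and is why the remapped value, not the certificate's own, is what any server-side policy should key on.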

That OpenVPN document only references X509 and Common Names, which I can understand. It does not mention the Organisation Name at all.

@bbitsch is correct that RFC5280 does define a character set for the Organisation Name that does not include @ or & but the Organisation Name can also be left blank as it is optional.

For some SSL certificates being purchased I have seen that the requirement is for the Legally Valid Company Name to be used for the Organisation Name bit for some IT Companies but if that name used an @ or & you would not be able to enter it.

Also at the end of the day, as far as I can see within IPFire the Organisation Name, Organisation Unit and City are all optional and can be left blank and are never used again in any SSL or OpenVPN activity.

RFC 5280 was written in 2008 and maybe then the use of @'s in Company Names was not usual but certainly in the UK the & in Company Names has been used for centuries with & Sons or & Family being very common.

I don’t have a particular view either way. We can leave it as it is and people can just leave the Organisation Name blank or they can make up a name, which is what I do for my entries, or we can add some additional characters.

2 Likes

Just to test, I ran openssl to create a certificate and I used the characters @&% in the Organisation, Organisational Unit and Locality and the self signed certificate was created without any issues. So openssl itself does no checking that the character set is the allowed one per the RFC.

3 Likes