Fix DN conversion when reading certificate issuer

drwetter · drwetter · commit b573a4f7867f · 2026-04-20T18:09:36.000+02:00
This fixes #3003 . The conversion to proper UTF-8 should have taken place by just using `-nameopt RFC2253`, see manpage openssl-namedisplay-options(1ssl). As @dcooper16 suggested removing esc_msb should help. This may look counterintuitive but works.
diff --git a/testssl.sh b/testssl.sh
@@ -22888,7 +22888,7 @@ print_dn() {
      fi
      # Use the LDAP String Representation of Distinguished Names (RFC 2253),
      # The current specification is in RFC 4514.
-     name="$(hex2binary "$cert" | $OPENSSL x509 -issuer -noout -inform DER -nameopt RFC2253 2>/dev/null)"
+     name="$(hex2binary "$cert" | $OPENSSL x509 -issuer -noout -inform DER -nameopt RFC2253,-esc_msb 2>/dev/null)"
      name="${name#issuer=}"
      tm_out "$(strip_leading_space "$name")"
      return 0
