Home / server / Questions / 587662
In Process
Dustin Oprea
Asked: 2014-04-09 21:05:27 +0800 CST

OpenSSL always shows "unsupported" for all subjectAltName "otherName" UTF8 values

  • 772

It seems like OpenSSL is broken when trying to read back subjectAltName/otherName/UTF8 values that were written by itself:

The relevant openssl.cnf configuration (using an official but random OID):

[alt_names]
DNS.1   = www.foo.com
DNS.2   = www.bar.org
IP.1    = 192.168.1.1
IP.2    = 192.168.69.144
email = email@me

otherName = 1.3.6.1.4.1.1;UTF8:some other identifier

A sample from the dump of a CSR generated from this config:

            TLS Web Server Authentication
        X509v3 Subject Alternative Name: 
            DNS:www.foo.com, DNS:www.bar.org, IP Address:192.168.1.1, IP Address:192.168.69.144, email:email@me, othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
    6f:4a:1d:8f:43:7e:4d:d1:0c:7e:05:9d:1f:f0:98:b1:69:cf:

Can someone indicate whether I'm doing something wrong? This is driving me nuts.

ssl

2 Answers

  1. FYI, you will have to locate the "OCTET STRING" line just below the "OBJECT :X509v3 Subject Alternative Name" line then strparse:

    # print section offset via
openssl asn1parse -in yourcert.pem
# parse otherName from "OCTET STRING" 
openssl asn1parse -in yourcert.pem -strparse <offset>
    • 5

  2. Probably still unsupported. Try asn1parse.

    The <unsupported> output was the regular result in 2010. My guess: this is still the case.

    An OpenSSL dev said this on the mailing list (Archived here.):

    Steven Hensen, 2010-01-02:

    Currently OpenSSL doesn't display any otherName values. It can't know the precise meaning of that field in general because the format could be totally arbitrary. At best it could asn1parse the contents.

    And if you use openssl asn1parse on the file to find the offset of the :X509v3 Subject Alternative Name section and then use the -strparse option with that offset, then otherName will in fact be displayed.

    • 3