From afaf2a6f6c8f86ca42018d8cb536b803ad896767 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Thu, 20 Apr 2023 18:29:08 +0000
Subject: Flip the default of explicitText to UTF8String

While it may have been reasonable to use VisibleString back when this code was written, it's an anachronism nowadays. In particular, configuring BoringSSL reports that they have seen malformed certificates with exactly the issue caused by this unfortuante default.

Reported by Alex Gaynor in OpenSSL issue 20772

ok jsing
---
 src/lib/libcrypto/x509/x509_cpols.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index 3f106c691d..af8f16c9b0 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.7 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.8 2023/04/20 18:29:08 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -594,7 +594,7 @@ notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org)
 cnf = sk_CONF_VALUE_value(unot, i);
 if (!strcmp(cnf->name, "explicitText")) {
 if (not->exptext == NULL) {
- not->exptext = ASN1_VISIBLESTRING_new();
+ not->exptext = ASN1_UTF8STRING_new();
 if (not->exptext == NULL)
 goto merr;
 }
-- 
cgit v1.2.3-55-g6feb
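Review bot: The new `ASN1_UTF8STRING_new()` default in notice_section tags the explicitText value as UTF8String, but nothing visible in the hunk checks that `cnf->value` is well-formed UTF-8. The code that copies the value into `not->exptext` lies outside the hunk, so this is inferred rather than confirmed. If the bytes are stored verbatim, a config file written in a legacy 8-bit encoding would now produce a UTF8String with invalid content, which strict certificate parsers may reject, much like the malformed certificates the commit message cites. Consider validating the value before it is stored, or at least recording the assumption above the allocation with `/* explicitText is emitted as UTF8String; cnf->value is assumed to be valid UTF-8 and is not checked here. */`. notice_section starts and ends outside the hunk.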