On Wed, 2022-01-26 at 15:59 -0800, Andres Freund wrote:
> > > Do we have a testcase for embedded NULLs in common names?
> >
> > We don't, neither for OpenSSL or NSS. AFAICR Jacob spent days trying to get a
> > certificate generation to include an embedded NULL byte but in the end gave up.
> > We would have to write our own tools for generating certificates to add that
> > (which may or may not be a bad idea, but it hasn't been done).
>
> Hah, that's interesting.
Yeah, OpenSSL just refused to do it, with any method I could find at
least. My personal test suite is using pyca/cryptography and psycopg2
to cover that case.
--Jacob