Closed: DDvO closed this issue 3 years ago
Meanwhile I've learned via https://github.com/openssl/openssl/issues/12765 that the order of RDNs actually does matter. Just within - very rarely used - multi-valued RDNs the order of values is not relevant. So closing this as invalid (not a bug).
Due to an implicit limitation of the OpenSSL function X509_NAME_cmp used in particular for matching the expected and actual sender name of a CMP response, DNs do not match if their components are not in the same order, yielding an error like

A workaround is to explicitly set the expected sender name like this:
As a real solution we may ask OpenSSL to generalize their function or generalize it ourselves.
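The matching rule from the closing comment (RDN order is significant, value order inside a multi-valued RDN is not), as an added Python sketch that is not code from this project or from OpenSSL and does not reimplement X509_NAME_cmp. It assumes names written in the slash-separated form `/C=DE/O=Example/CN=x` with `+` joining the values of a multi-valued RDN, and simplifies value comparison to case folding plus whitespace collapsing; the function names and sample names are constructed for illustration.

```python
import re

def parse_dn(dn):
    """Parse '/C=DE/O=Example/CN=a+UID=b' into an ordered list of RDNs.

    Each RDN is a frozenset of (attribute, value) pairs, so the order of
    values inside a multi-valued RDN is ignored while RDN order is kept.
    """
    dn = dn.strip()
    if not dn.startswith("/"):
        raise ValueError("expected a name starting with '/'")
    rdns = []
    for rdn_text in re.split(r"(?<!\\)/", dn)[1:]:
        avas = set()
        for ava in re.split(r"(?<!\\)\+", rdn_text):
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed attribute: {ava!r}")
            value = re.sub(r"\\(.)", r"\1", value)      # drop escapes
            value = " ".join(value.split()).casefold()  # simplified matching
            avas.add((attr.strip().upper(), value))
        rdns.append(frozenset(avas))
    return rdns

def names_match(expected, actual):
    """True only if both names have equal RDNs in the same order."""
    return parse_dn(expected) == parse_dn(actual)

def same_rdns_different_order(expected, actual):
    """Diagnostic for a sender mismatch: the names differ, but only
    because the configured RDN order differs from the received one."""
    a, b = parse_dn(expected), parse_dn(actual)
    return a != b and sorted(map(sorted, a)) == sorted(map(sorted, b))

if __name__ == "__main__":
    # Constructed sample names, not taken from a real CMP exchange.
    expected = "/CN=Issuing CA/O=Example/C=DE"
    actual = "/C=DE/O=Example/CN=Issuing CA"
    print(names_match(expected, actual))                # False
    print(same_rdns_different_order(expected, actual))  # True
```

When the diagnostic returns True, the expected sender name was most likely configured in the reverse of the order used in the certificate, and correcting the configured order is the fix rather than relaxing the comparison.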