Remove the "msie-hack" option from openssl ca

This has been documented as a deprecated option for
a long time, as we are not even certain this does what
was originally intended anymore, as it has no tests and
it's time of usefulness has long since past.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 10:09:33 2026
(Merged from https://github.com/openssl/openssl/pull/30033)

diff --git a/CHANGES.md b/CHANGES.md
index 9c426dca397259490231b4dfea7ac22bff1c8238..a7a7e8a81fedbbaf823a31189aaa1dd9102bfc63 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -270,6 +270,10 @@ OpenSSL 4.0
 
    *Barry Fussell and Helen Zhang*
 
+ * The deprecated "msie-hack" option was removed from the "openssl ca" command.
+
+   *Bob Beck*
+
  * Implemented RFC7919, adding support for negotiated FFDHE key exchange
    in TLS 1.2.
 

diff --git a/apps/ca.c b/apps/ca.c
index 06dc483c7bfcc925354c806a79f2f62422b948a8..bb83fe8161f2765632115bf4438931d9357ab1f4 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -70,7 +70,6 @@
 #define ENV_POLICY "policy"
 #define ENV_EXTENSIONS "x509_extensions"
 #define ENV_CRLEXT "crl_extensions"
-#define ENV_MSIE_HACK "msie_hack"
 #define ENV_NAMEOPT "name_opt"
 #define ENV_CERTOPT "cert_opt"
 #define ENV_EXTCOPY "copy_extensions"
@@ -141,7 +140,6 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
 
 static CONF *extfile_conf = NULL;
 static int preserve = 0;
-static int msie_hack = 0;
 
 typedef enum OPTION_choice {
     OPT_COMMON,
@@ -176,7 +174,6 @@ typedef enum OPTION_choice {
     OPT_PRESERVEDN,
     OPT_NOEMAILDN,
     OPT_GENCRL,
-    OPT_MSIE_HACK,
     OPT_CRL_LASTUPDATE,
     OPT_CRL_NEXTUPDATE,
     OPT_CRLDAYS,
@@ -221,8 +218,6 @@ const OPTIONS ca_options[] = {
     { "dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822." },
     { "notext", OPT_NOTEXT, '-', "Do not print the generated certificate" },
     { "batch", OPT_BATCH, '-', "Don't ask questions" },
-    { "msie_hack", OPT_MSIE_HACK, '-',
-        "msie modifications to handle all Universal Strings" },
     { "ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign" },
     { "spkac", OPT_SPKAC, '<',
         "File contains DN and signed public key and challenge" },
@@ -480,9 +475,6 @@ int ca_main(int argc, char **argv)
         case OPT_GENCRL:
             gencrl = 1;
             break;
-        case OPT_MSIE_HACK:
-            msie_hack = 1;
-            break;
         case OPT_CRL_LASTUPDATE:
             crl_lastupdate = opt_arg();
             break;
@@ -656,9 +648,6 @@ end_of_options:
     f = app_conf_try_string(conf, BASE_SECTION, ENV_PRESERVE);
     if (f != NULL && (*f == 'y' || *f == 'Y'))
         preserve = 1;
-    f = app_conf_try_string(conf, BASE_SECTION, ENV_MSIE_HACK);
-    if (f != NULL && (*f == 'y' || *f == 'Y'))
-        msie_hack = 1;
 
     f = app_conf_try_string(conf, section, ENV_NAMEOPT);
     if (f != NULL) {
@@ -1524,20 +1513,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         obj = X509_NAME_ENTRY_get_object(ne);
         nid = OBJ_obj2nid(obj);
 
-        if (msie_hack) {
-            /* assume all type should be strings */
-
-            if (str->type == V_ASN1_UNIVERSALSTRING)
-                ASN1_UNIVERSALSTRING_to_string(str);
-
-            if (str->type == V_ASN1_IA5STRING && nid != NID_pkcs9_emailAddress)
-                str->type = V_ASN1_T61STRING;
-
-            if (nid == NID_pkcs9_emailAddress
-                && str->type == V_ASN1_PRINTABLESTRING)
-                str->type = V_ASN1_IA5STRING;
-        }
-
         /* If no EMAIL is wanted in the subject */
         if (nid == NID_pkcs9_emailAddress && !email_dn)
             continue;

diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 33bc11a4319d90fdf9faee5ae43c2ed4aaf6c9b0..a499dcc7bfd12a7652059d1d3228f274fc20f95d 100644 (file)
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -55,7 +55,6 @@ B<openssl> B<ca>
 [B<-preserveDN>]
 [B<-noemailDN>]
 [B<-batch>]
-[B<-msie_hack>]
 [B<-extensions> I<section>]
 [B<-extfile> I<section>]
 [B<-subj> I<arg>]
@@ -270,13 +269,6 @@ the configuration file which decides which fields should be mandatory
 or match the CA certificate. Check out the B<POLICY FORMAT> section
 for more information.
 
-=item B<-msie_hack>
-
-This is a deprecated option to make this command work with very old versions
-of the IE certificate enrollment control "certenr3". It used UniversalStrings
-for almost everything. Since the old control has various security bugs
-its use is strongly discouraged.
-
 =item B<-preserveDN>
 
 Normally the DN order of a certificate is the same as the order of the
@@ -850,6 +842,8 @@ and key identifier extensions are included by default.
 
 The B<-engine> option was removed in OpenSSL 4.0.
 
+The B<-msie-hack> option was removed in OpenSSL 4.0.
+
 =head1 SEE ALSO
 
 L<openssl(1)>,