From b573a4f7867f458073e77eaf5ff085a59b174782 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Mon, 20 Apr 2026 18:09:36 +0200
Subject: [PATCH] Fix DN conversion when reading certificate issuer This fixes #3003 . The conversion to proper UTF-8 should have taken place by just using `-nameopt RFC2253`, see manpage openssl-namedisplay-options(1ssl). As @dcooper16 suggested removing esc_msb should help. This may look counterintuitive but works.
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index 00325f5..3592485 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -22888,7 +22888,7 @@ print_dn() {
 fi
 # Use the LDAP String Representation of Distinguished Names (RFC 2253),
 # The current specification is in RFC 4514.
- name="$(hex2binary "$cert" | $OPENSSL x509 -issuer -noout -inform DER -nameopt RFC2253 2>/dev/null)"
+ name="$(hex2binary "$cert" | $OPENSSL x509 -issuer -noout -inform DER -nameopt RFC2253,-esc_msb 2>/dev/null)"
 name="${name#issuer=}"
 tm_out "$(strip_leading_space "$name")"
 return 0
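Review bot: With `-esc_msb` turned off in the `$OPENSSL x509 ... -nameopt RFC2253,-esc_msb` call, every byte above 0x7f in the issuer DN now reaches `tm_out` unescaped, and that DN comes from the certificate under test rather than from a trusted source. The `esc_ctrl` flag that RFC2253 still implies only covers ASCII control characters, so C1 controls (U+0080–U+009F) and bidirectional formatting characters encoded as UTF-8 would presumably pass through to the terminal and to any file output sharing this path; consider filtering or re-escaping those code points in `name` before printing. Since the commit message itself calls the flag counterintuitive, a comment above the call would help, e.g. `# -esc_msb: print non-ASCII DN characters as UTF-8 rather than \XX escapes, see #3003`. print_dn starts above the hunk and ends below it, so any sanitising done elsewhere in the function or inside tm_out is not visible here.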