From 1a00cd98daa8c1ca06081f9691d999a0484f7b76 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Wed, 22 Apr 2026 22:07:45 +0200
Subject: [PATCH] Fix DN conversion when reading certificate issuer (3.2)

This fixes #3003 for 3.2 . The conversion to proper UTF-8 should have taken place by just using -nameopt RFC2253, see manpage openssl-namedisplay-options(1ssl). As @dcooper16 suggested removing esc_msb should help. This may look counterintuitive but works.
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index 83bbd9777..9f6e18ee2 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -22416,7 +22416,7 @@ print_dn() {
 fi
 # Use the LDAP String Representation of Distinguished Names (RFC 2253),
 # The current specification is in RFC 4514.
- name="$(hex2binary "$cert" | $OPENSSL x509 -issuer -noout -inform DER -nameopt RFC2253 2>/dev/null)"
+ name="$(hex2binary "$cert" | $OPENSSL x509 -issuer -noout -inform DER -nameopt RFC2253,-esc_msb 2>/dev/null)"
 name="${name#issuer=}"
 tm_out "$(strip_leading_space "$name")"
 return 0
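Review bot: With `esc_msb` switched off on the new `name=` line, bytes above 0x7f in the issuer DN now reach `tm_out` unescaped, and that DN is taken from the certificate of the server being scanned. Per the OpenSSL manpage `esc_ctrl` (still part of RFC2253) only escapes characters below 0x20 and 0x7f, so UTF-8 encoded C1 controls or bidirectional-override characters would presumably pass through to the terminal and to any log written from it; it is worth confirming that `tm_out` or a later step neutralises them. The reason for the option lives only in the commit message, so a comment above the line would help, e.g. `# -esc_msb: print non-ASCII DN characters as UTF-8 instead of \XX escapes (#3003); the DN is server-supplied`. Because stderr goes to /dev/null and the visible tail returns 0, an OpenSSL build that rejects `-esc_msb` would silently yield an empty issuer. print_dn starts above the hunk and its closing brace is outside it.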