Description
OpenSSL has a longstanding bug where x509 -text does not escape characters in various extensions. (I think there may be multiple code paths for known vs unknown extensions.)
The same appears to affect LibreSSL. To reproduce, either use the cert from the OpenSSL bug (with S/MIME extensions) or make a cert with openssl like so (note you'll have to use OpenSSL itself; LibreSSL seems to have stronger default validations on creation. It does output the escape character in the error, but I'm not too worried by that, as that's just a user hurting themselves, not usually untrusted input).
$ openssl req -x509 -newkey rsa -sha256 -days 1 -nodes -keyout example.key -subj "/CN=example.com" -addext "subjectAltName=DNS:$(printf "\e")[31m.example.com" -out example.crt
Then with openssl from LibreSSL:
$ openssl x509 -text -in example.crt
The rest of the cert and maybe your shell (depending on whether you have a color prompt) goes red. This bug was covered at Nullcon Goa 2025 in a talk by @wllm-rbnt, credit for looking into this (note OpenSSL had a temporary regression where the CN also wasn't escaped; I don't see any issues like that on LibreSSL).
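As an added illustration of the defender-side fix (this is example code written for this page, not LibreSSL's or OpenSSL's own code), the filter below does what `x509 -text` should do before printing untrusted certificate fields: it replaces terminal-interpretable control characters (C0 except TAB/LF/CR, DEL, and the C1 range, plus any undecodable raw byte) with `\xNN` escapes, and reports which output lines carried them. `SAMPLE_X509_TEXT` is a constructed stand-in for what the `-text` output of the certificate in this issue looks like; `escape_control_chars`, `find_control_chars` and `safe_x509_text` are names chosen here, not an API of either project.

```python
import re
import subprocess

# Constructed sample of `openssl x509 -text` output for a cert whose SAN
# contains ESC (0x1b) followed by "[31m", as in the reproduction above.
SAMPLE_X509_TEXT = (
    "Certificate:\n"
    "    Data:\n"
    "        Subject: CN=example.com\n"
    "        X509v3 extensions:\n"
    "            X509v3 Subject Alternative Name: \n"
    "                DNS:\x1b[31m.example.com\n"
    "    Signature Algorithm: sha256WithRSAEncryption\n"
)

# What a terminal may act on: C0 controls other than TAB/LF/CR, DEL, the C1
# range 0x80-0x9f (treated as CSI/OSC by some terminals), and lone invalid
# bytes as produced by decoding with errors="surrogateescape" (U+DC80-U+DCFF).
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f\udc80-\udcff]")


def _escape_one(match: re.Match) -> str:
    cp = ord(match.group(0))
    if cp >= 0xDC80:          # surrogate-escaped raw byte: recover the byte value
        cp -= 0xDC00
    return "\\x%02x" % cp


def escape_control_chars(text: str) -> str:
    """Return text with every terminal-interpretable control character escaped."""
    return _CONTROL_RE.sub(_escape_one, text)


def find_control_chars(text: str) -> list[tuple[int, str]]:
    """List (1-based line number, escaped line) for each line containing a control char.

    Useful as an audit step over certificate dumps before they are shown or logged.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if _CONTROL_RE.search(line):
            hits.append((lineno, escape_control_chars(line)))
    return hits


def safe_x509_text(path: str) -> str:
    """Run `openssl x509 -text -noout` on a PEM file and return escaped output.

    Requires an openssl binary on PATH; the bytes are decoded with
    surrogateescape so that invalid UTF-8 survives into the escaping step
    instead of being silently replaced.
    """
    proc = subprocess.run(
        ["openssl", "x509", "-text", "-noout", "-in", path],
        capture_output=True, check=True,
    )
    return escape_control_chars(proc.stdout.decode("utf-8", errors="surrogateescape"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: the SAN line is flagged
    # and the escape byte is rendered as "\x1b" instead of being sent to the terminal.
    for lineno, line in find_control_chars(SAMPLE_X509_TEXT):
        print(f"line {lineno}: {line}")
    print(escape_control_chars(SAMPLE_X509_TEXT))
```

Until a patched libcrypto is in use, the same effect for ad-hoc inspection is `openssl x509 -text -in example.crt | cat -v`; the Python version is the shape you would want in any tooling that logs or renders certificate fields from untrusted sources.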