Behavior Change

In this release the order of output is reversed for the X509::subject as compared to previous versions. This change was done to make the output of [X509::subject [SSL::cert 0]] OpenSSL-compatible. -- In prior versions without the fix the format is: CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US -- In versions with the fix the format now requires spaces between these attributes: C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME IMPORTANT: Depending on iRules you have configured, this change might impact application functionality that depends on the old format. If your application expects the output X509::subject to be in the old format, make sure to modify the iRules after upgrading. To use the new format in any iRules that use the old structure, change the output format of the X.509 certificate subject to use this format: C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME Additional note: Comma (,) is a valid character in X509::subject. In this release, the escaping method has changed. -- In prior versions, the subject string returned by X509::subject escapes comma with backslash (\): Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: CN=user8,OU=DEPT,O=COMPANY\,,L=Tokyo,ST=Tokyo,C=JP When writing an iRule to validate the string, comma is already escaped by the backslash, but backslash should be escaped by another backslash as follows: set dn_validation "OU=DEPT,O=COMPANY\\,,L=Tokyo" -- In versions with the fix, the subject string returned by X509::subject wraps attributes with double quotation marks (""). Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: C=JP, ST=Tokyo, L=Tokyo, O="COMPANY,", OU=DEPT, CN=user8 When writing an iRule to validate the string, the whole attribute should be enclosed with double quotation marks, and each double quotation mark should be escaped by a backslash: set dn_validation "L=Tokyo, O=\"COMPANY,\", OU=DEPT"