Bug ID 607410: In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
13.0.0, 12.1.4.1

Opened: Jul 27, 2016
Severity: 3-Major
Related Article:
K81239824

Symptoms

When using an iRule to output X509 Certificate's subject and issuer, the display is not OpenSSL compatible.

Impact

The BIG-IP system fails to produce properly-formatted certificate information. If logged, it may display incorrectly-parsed attributes similar to the following: -- In prior versions without the fix the format is: CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US -- In versions with the fix the format now requires spaces between these attributes: C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME

Conditions

Using iRule command 'X509::subject' and 'X509::issuer' to get the Cert's subject and issuer.

Workaround

None.

Fix Information

In the iRule output of X509 Certificate's subject and issuer, the system now outputs the information in a format that is 'OpenSSL X509' compatible.

Behavior Change

In this release the order of output is reversed for the X509::subject as compared to previous versions. This change was done to make the output of [X509::subject [SSL::cert 0]] OpenSSL-compatible. -- In prior versions without the fix the format is: CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US -- In versions with the fix the format now requires spaces between these attributes: C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME IMPORTANT: Depending on iRules you have configured, this change might impact application functionality that depends on the old format. If your application expects the output X509::subject to be in the old format, make sure to modify the iRules after upgrading. To use the new format in any iRules that use the old structure, change the output format of the X.509 certificate subject to use this format: C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME Additional note: Comma (,) is a valid character in X509::subject. In this release, the escaping method has changed. -- In prior versions, the subject string returned by X509::subject escapes comma with backslash (\): Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: CN=user8,OU=DEPT,O=COMPANY\,,L=Tokyo,ST=Tokyo,C=JP When writing an iRule to validate the string, comma is already escaped by the backslash, but backslash should be escaped by another backslash as follows: set dn_validation "OU=DEPT,O=COMPANY\\,,L=Tokyo" -- In versions with the fix, the subject string returned by X509::subject wraps attributes with double quotation marks (""). Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: C=JP, ST=Tokyo, L=Tokyo, O="COMPANY,", OU=DEPT, CN=user8 When writing an iRule to validate the string, the whole attribute should be enclosed with double quotation marks, and each double quotation mark should be escaped by a backslash: set dn_validation "L=Tokyo, O=\"COMPANY,\", OU=DEPT"