Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
13.0.0, 12.1.4.1
Opened: Jul 27, 2016
Severity: 3-Major
Related Article:
K81239824
When using an iRule to output X509 Certificate's subject and issuer, the display is not OpenSSL compatible.
The BIG-IP system fails to produce properly-formatted certificate information. If logged, it may display incorrectly-parsed attributes similar to the following:
-- In prior versions without the fix the format is:
    CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US
-- In versions with the fix the format now requires spaces between these attributes:
    C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME
Using the iRule commands 'X509::subject' and 'X509::issuer' to get the certificate's subject and issuer.
None.
In the iRule output of X509 Certificate's subject and issuer, the system now outputs the information in a format that is 'OpenSSL X509' compatible.
In this release the order of output is reversed for the X509::subject as compared to previous versions. This change was done to make the output of [X509::subject [SSL::cert 0]] OpenSSL-compatible.
-- In prior versions without the fix the format is:
    CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US
-- In versions with the fix the format now requires spaces between these attributes:
    C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME

IMPORTANT: Depending on iRules you have configured, this change might impact application functionality that depends on the old format. If your application expects the output X509::subject to be in the old format, make sure to modify the iRules after upgrading. To use the new format in any iRules that use the old structure, change the output format of the X.509 certificate subject to use this format:
    C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME

Additional note: Comma (,) is a valid character in X509::subject. In this release, the escaping method has changed.
-- In prior versions, the subject string returned by X509::subject escapes comma with backslash (\):
    Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: CN=user8,OU=DEPT,O=COMPANY\,,L=Tokyo,ST=Tokyo,C=JP
When writing an iRule to validate the string, comma is already escaped by the backslash, but backslash should be escaped by another backslash as follows:
    set dn_validation "OU=DEPT,O=COMPANY\\,,L=Tokyo"
-- In versions with the fix, the subject string returned by X509::subject wraps attributes with double quotation marks (""):
    Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: C=JP, ST=Tokyo, L=Tokyo, O="COMPANY,", OU=DEPT, CN=user8
When writing an iRule to validate the string, the whole attribute should be enclosed with double quotation marks, and each double quotation mark should be escaped by a backslash:
    set dn_validation "L=Tokyo, O=\"COMPANY,\", OU=DEPT"
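
An added example, not F5 code or part of the original bug report: an offline Python helper that parses both X509::subject formats shown above and rewrites an old-format match string in the post-fix format, for auditing iRule DN checks before an upgrade. The function names are hypothetical, and the escaping rules are assumed from the two samples on this page only; multi-valued RDNs are not handled.

```python
# Added example (not F5 code). Escaping rules are assumed from this page's samples.
OLD_SAMPLE = r'CN=user8,OU=DEPT,O=COMPANY\,,L=Tokyo,ST=Tokyo,C=JP'      # pre-fix sample
NEW_SAMPLE = 'C=JP, ST=Tokyo, L=Tokyo, O="COMPANY,", OU=DEPT, CN=user8'  # post-fix sample


def parse_dn(dn):
    """Split a subject string in either format into ordered (type, value) pairs."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])       # escaped character is taken literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes   # quotes delimit a value, they are not part of it
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))  # unescaped, unquoted comma ends an attribute
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        key, sep, value = part.lstrip().partition("=")
        if not sep or not key:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        pairs.append((key.strip(), value))
    return pairs


def canonical(dn, old_format):
    """Return pairs in the post-fix (C ... CN) order so both formats compare equal."""
    pairs = parse_dn(dn)
    return pairs[::-1] if old_format else pairs


def quote_value(value):
    """Assumed post-fix rule: a value containing a comma is wrapped in double quotes."""
    return f'"{value}"' if "," in value else value


def to_new_format(old_dn):
    """Rewrite an old-format subject or match fragment in the post-fix format."""
    return ", ".join(f"{k}={quote_value(v)}" for k, v in canonical(old_dn, True))
```

Comparing parsed pairs rather than raw substrings keeps a DN check from depending on separator spacing or on which escaping style the running version emits.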