Created attachment 6453 [details]
The PAC needs to be extracted using different functions, which will verify the signature to prevent spoofing attacks.
Simo and I still need to confirm this port of the patch from master to 3.6 works, but this is the blocking bug to ensure it's not lost.
I already pushed this one by mistake while I was meaning to push only another patch.
So fixed in: ad8415cb8a7bbd1f653eecce1aa2b88242bcc9e5
To be totally clear (to avoid a mistake in 3.6.0): I've not tested this yet. Did you test it?