diff --git a/0001-Use-ssl.match_hostname-from-urllib3-as-it-was-remove.patch b/0001-Use-ssl.match_hostname-from-urllib3-as-it-was-remove.patch
new file mode 100644
index 0000000..4a65e09
--- /dev/null
+++ b/0001-Use-ssl.match_hostname-from-urllib3-as-it-was-remove.patch
@@ -0,0 +1,82 @@
+From a96dae1a9918cfc1413e199336eece447920ef8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?=
+Date: Wed, 5 Jul 2023 08:52:59 +0200
+Subject: [PATCH] Use ssl.match_hostname from urllib3 as it was removed from
+ Python 3.12
+
+See https://pagure.io/freeipa/issue/9409
+and https://github.com/python/cpython/pull/94224#issuecomment-1621097418
+---
+ ipalib/x509.py | 5 +++--
+ ipaserver/install/cainstance.py | 4 +++-
+ ipaserver/install/server/upgrade.py | 4 +++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/ipalib/x509.py b/ipalib/x509.py
+index 5adb511..faf62d4 100644
+--- a/ipalib/x509.py
++++ b/ipalib/x509.py
+@@ -385,6 +385,8 @@ class IPACertificate(crypto_x509.Certificate):
+ return result
+
+ def match_hostname(self, hostname):
++ from urllib3.util import ssl_match_hostname
++
+ match_cert = {}
+
+ match_cert['subject'] = match_subject = []
+@@ -401,8 +403,7 @@ class IPACertificate(crypto_x509.Certificate):
+ for value in values:
+ match_san.append(('DNS', value))
+
+- # deprecated in Python3.7 without replacement
+- ssl.match_hostname( # pylint: disable=deprecated-method
++ ssl_match_hostname.match_hostname(
+ match_cert, DNSName(hostname).ToASCII()
+ )
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index fa8942d..e9f3ecb 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -2373,12 +2373,14 @@ def check_ipa_ca_san(cert):
+
+ On success returns None, on failure raises ValidationError
+ """
++ from urllib3.util import ssl_match_hostname
++
+ expect = f'{ipalib.constants.IPA_CA_RECORD}.' \
+ f'{ipautil.format_netloc(api.env.domain)}'
+
+ try:
+ cert.match_hostname(expect)
+- except ssl.CertificateError:
++ except ssl_match_hostname.CertificateError:
+ raise errors.ValidationError(
+ name='certificate',
+ error='Does not have a \'{}\' SAN'.format(expect)
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index f8701c8..9e5f5aa 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -710,6 +710,8 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
+ steps.
+
+ """
++ from urllib3.util import ssl_match_hostname
++
+ logger.info('[Adding ipa-ca alias to HTTP certificate]')
+
+ expect = f'{IPA_CA_RECORD}.{ipautil.format_netloc(api.env.domain)}'
+@@ -717,7 +719,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
+
+ try:
+ cert.match_hostname(expect)
+- except ssl.CertificateError:
++ except ssl_match_hostname.CertificateError:
+ if certs.is_ipa_issued_cert(api, cert):
+ request_id = certmonger.get_request_id(
+ {'cert-file': paths.HTTPD_CERT_FILE})
+--
+2.40.1
+
diff --git a/freeipa.spec b/freeipa.spec
index d334e7b..0ac5260 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -213,7 +213,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 1%{?rc_version:.%rc_version}%{?dist}.1 +Release: 1%{?rc_version:.%rc_version}%{?dist}.2 Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later
@@ -226,6 +226,9 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers Patch0: 0001-Revert-cert_find-fix-call-with-all.patch +# Downstream hotfix, reported in https://pagure.io/freeipa/issue/9409 +Patch1: 0001-Use-ssl.match_hostname-from-urllib3-as-it-was-remove.patch + # RHEL spec file only: START: Change branding to IPA and Identity Management # Moved branding logos and background to redhat-logos-ipa-80.4: # header-logo.png, login-screen-background.jpg, login-screen-logo.png,
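Review bot: After the embedded patch, `IPACertificate.match_hostname` in ipalib/x509.py raises urllib3's own `CertificateError`, which as far as I know is a plain `ValueError` subclass unrelated to `ssl.CertificateError`, so any caller that still catches the ssl class no longer handles a hostname mismatch. Only the handlers in `check_ipa_ca_san` and `http_certificate_ensure_ipa_ca_dnsname` are updated; other callers are not visible in this patch and should be checked. Translating once inside the method would keep the old contract for every caller, e.g. `except ssl_match_hostname.CertificateError as e: raise ssl.CertificateError(str(e)) from e` (assuming `ssl` stays imported there), or else the method needs a docstring naming the new exception type. The match result may also depend on the installed urllib3: I believe 2.x ignores the subject commonName unless `hostname_checks_common_name=True` is passed, whereas the removed stdlib function fell back to it when no DNS SAN was present, so a comment above the call should say which behaviour is intended. All three function bodies start and end outside the embedded hunks.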
@@ -864,6 +867,7 @@ Requires: python3-qrcode-core >= 5.0.0 Requires: python3-requests Requires: python3-six Requires: python3-sss-murmur +Requires: python3-urllib3 Requires: python3-yubico >= 1.3.2-7 %if 0%{?rhel} && 0%{?rhel} == 8 Requires: platform-python-setuptools
@@ -1742,6 +1746,9 @@ fi %endif %changelog +* Wed Jul 05 2023 Miro HronĨok - 4.10.2-1.2 +- Use ssl.match_hostname from urllib3 as it was removed from Python 3.12 + * Tue Jun 27 2023 Python Maint - 4.10.2-1.1 - Rebuilt for Python 3.12