Use ssl.match_hostname from urllib3 as it was removed from Python 3.12
parent
bdbff27a6d
commit
4ca56b848a
@ -0,0 +1,82 @@
|
|||||||
|
From a96dae1a9918cfc1413e199336eece447920ef8e Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
|
||||||
|
Date: Wed, 5 Jul 2023 08:52:59 +0200
|
||||||
|
Subject: [PATCH] Use ssl.match_hostname from urllib3 as it was removed from
|
||||||
|
Python 3.12
|
||||||
|
|
||||||
|
See https://pagure.io/freeipa/issue/9409
|
||||||
|
and https://github.com/python/cpython/pull/94224#issuecomment-1621097418
|
||||||
|
---
|
||||||
|
ipalib/x509.py | 5 +++--
|
||||||
|
ipaserver/install/cainstance.py | 4 +++-
|
||||||
|
ipaserver/install/server/upgrade.py | 4 +++-
|
||||||
|
3 files changed, 9 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipalib/x509.py b/ipalib/x509.py
|
||||||
|
index 5adb511..faf62d4 100644
|
||||||
|
--- a/ipalib/x509.py
|
||||||
|
+++ b/ipalib/x509.py
|
||||||
|
@@ -385,6 +385,8 @@ class IPACertificate(crypto_x509.Certificate):
|
||||||
|
return result
|
||||||
|
|
||||||
|
def match_hostname(self, hostname):
|
||||||
|
+ from urllib3.util import ssl_match_hostname
|
||||||
|
+
|
||||||
|
match_cert = {}
|
||||||
|
|
||||||
|
match_cert['subject'] = match_subject = []
|
||||||
|
@@ -401,8 +403,7 @@ class IPACertificate(crypto_x509.Certificate):
|
||||||
|
for value in values:
|
||||||
|
match_san.append(('DNS', value))
|
||||||
|
|
||||||
|
- # deprecated in Python3.7 without replacement
|
||||||
|
- ssl.match_hostname( # pylint: disable=deprecated-method
|
||||||
|
+ ssl_match_hostname.match_hostname(
|
||||||
|
match_cert, DNSName(hostname).ToASCII()
|
||||||
|
)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
||||||
|
index fa8942d..e9f3ecb 100644
|
||||||
|
--- a/ipaserver/install/cainstance.py
|
||||||
|
+++ b/ipaserver/install/cainstance.py
|
||||||
|
@@ -2373,12 +2373,14 @@ def check_ipa_ca_san(cert):
|
||||||
|
|
||||||
|
On success returns None, on failure raises ValidationError
|
||||||
|
"""
|
||||||
|
+ from urllib3.util import ssl_match_hostname
|
||||||
|
+
|
||||||
|
expect = f'{ipalib.constants.IPA_CA_RECORD}.' \
|
||||||
|
f'{ipautil.format_netloc(api.env.domain)}'
|
||||||
|
|
||||||
|
try:
|
||||||
|
cert.match_hostname(expect)
|
||||||
|
- except ssl.CertificateError:
|
||||||
|
+ except ssl_match_hostname.CertificateError:
|
||||||
|
raise errors.ValidationError(
|
||||||
|
name='certificate',
|
||||||
|
error='Does not have a \'{}\' SAN'.format(expect)
|
||||||
|
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
||||||
|
index f8701c8..9e5f5aa 100644
|
||||||
|
--- a/ipaserver/install/server/upgrade.py
|
||||||
|
+++ b/ipaserver/install/server/upgrade.py
|
||||||
|
@@ -710,6 +710,8 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
|
||||||
|
steps.
|
||||||
|
|
||||||
|
"""
|
||||||
|
+ from urllib3.util import ssl_match_hostname
|
||||||
|
+
|
||||||
|
logger.info('[Adding ipa-ca alias to HTTP certificate]')
|
||||||
|
|
||||||
|
expect = f'{IPA_CA_RECORD}.{ipautil.format_netloc(api.env.domain)}'
|
||||||
|
@@ -717,7 +719,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
|
||||||
|
|
||||||
|
try:
|
||||||
|
cert.match_hostname(expect)
|
||||||
|
- except ssl.CertificateError:
|
||||||
|
+ except ssl_match_hostname.CertificateError:
|
||||||
|
if certs.is_ipa_issued_cert(api, cert):
|
||||||
|
request_id = certmonger.get_request_id(
|
||||||
|
{'cert-file': paths.HTTPD_CERT_FILE})
|
||||||
|
--
|
||||||
|
2.40.1
|
||||||
|
|
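Review bot: After this patch `IPACertificate.match_hostname` appears to raise urllib3's `CertificateError` rather than `ssl.CertificateError`, and only the two callers patched here (`check_ipa_ca_san` and `http_certificate_ensure_ipa_ca_dnsname`) are updated; any other caller that still catches `ssl.CertificateError` would let a hostname mismatch escape as an unhandled exception. Keeping the exception type stable inside `match_hostname` would avoid touching callers at all: wrap the call in a `try` and add `except ssl_match_hostname.CertificateError as e: raise ssl.CertificateError(str(e)) from e`. It is also worth confirming that urllib3's matcher treats the `subject` commonName entry the same way the stdlib function did, since a difference in CN fallback changes which certificates pass this check. The bodies of all three functions extend beyond the hunks shown.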
@ -213,7 +213,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 1%{?rc_version:.%rc_version}%{?dist}.1
|
Release: 1%{?rc_version:.%rc_version}%{?dist}.2
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPL-3.0-or-later
|
License: GPL-3.0-or-later
|
||||||
@ -226,6 +226,9 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
|||||||
|
|
||||||
Patch0: 0001-Revert-cert_find-fix-call-with-all.patch
|
Patch0: 0001-Revert-cert_find-fix-call-with-all.patch
|
||||||
|
|
||||||
|
# Downstream hotfix, reported in https://pagure.io/freeipa/issue/9409
|
||||||
|
Patch1: 0001-Use-ssl.match_hostname-from-urllib3-as-it-was-remove.patch
|
||||||
|
|
||||||
# RHEL spec file only: START: Change branding to IPA and Identity Management
|
# RHEL spec file only: START: Change branding to IPA and Identity Management
|
||||||
# Moved branding logos and background to redhat-logos-ipa-80.4:
|
# Moved branding logos and background to redhat-logos-ipa-80.4:
|
||||||
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
|
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
|
||||||
@ -864,6 +867,7 @@ Requires: python3-qrcode-core >= 5.0.0
|
|||||||
Requires: python3-requests
|
Requires: python3-requests
|
||||||
Requires: python3-six
|
Requires: python3-six
|
||||||
Requires: python3-sss-murmur
|
Requires: python3-sss-murmur
|
||||||
|
Requires: python3-urllib3
|
||||||
Requires: python3-yubico >= 1.3.2-7
|
Requires: python3-yubico >= 1.3.2-7
|
||||||
%if 0%{?rhel} && 0%{?rhel} == 8
|
%if 0%{?rhel} && 0%{?rhel} == 8
|
||||||
Requires: platform-python-setuptools
|
Requires: platform-python-setuptools
|
||||||
@ -1742,6 +1746,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 05 2023 Miro Hrončok <mhroncok@redhat.com> - 4.10.2-1.2
|
||||||
|
- Use ssl.match_hostname from urllib3 as it was removed from Python 3.12
|
||||||
|
|
||||||
* Tue Jun 27 2023 Python Maint <python-maint@redhat.com> - 4.10.2-1.1
|
* Tue Jun 27 2023 Python Maint <python-maint@redhat.com> - 4.10.2-1.1
|
||||||
- Rebuilt for Python 3.12
|
- Rebuilt for Python 3.12
|
||||||
|
|
||||||
|
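Review bot: `Requires: python3-urllib3` is added without a minimum version, but the patch imports `urllib3.util.ssl_match_hostname` lazily inside the functions, so a urllib3 build lacking that module would fail only when a certificate hostname is actually checked (during install or upgrade), not at package install time. If the distribution can carry an older urllib3, pin it, e.g. `Requires: python3-urllib3 >= <first version shipping urllib3.util.ssl_match_hostname>`. The hunk does not show which `%package` stanza this line lands in; confirm it is the subpackage that ships `ipalib/x509.py`, since that is where the import lives.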