From a96dae1a9918cfc1413e199336eece447920ef8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 5 Jul 2023 08:52:59 +0200 Subject: [PATCH] Use ssl.match_hostname from urllib3 as it was removed from Python 3.12 See https://pagure.io/freeipa/issue/9409 and https://github.com/python/cpython/pull/94224#issuecomment-1621097418 --- ipalib/x509.py | 5 +++-- ipaserver/install/cainstance.py | 4 +++- ipaserver/install/server/upgrade.py | 4 +++- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index 5adb511..faf62d4 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -385,6 +385,8 @@ class IPACertificate(crypto_x509.Certificate): return result def match_hostname(self, hostname): + from urllib3.util import ssl_match_hostname + match_cert = {} match_cert['subject'] = match_subject = [] @@ -401,8 +403,7 @@ class IPACertificate(crypto_x509.Certificate): for value in values: match_san.append(('DNS', value)) - # deprecated in Python3.7 without replacement - ssl.match_hostname( # pylint: disable=deprecated-method + ssl_match_hostname.match_hostname( match_cert, DNSName(hostname).ToASCII() ) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index fa8942d..e9f3ecb 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -2373,12 +2373,14 @@ def check_ipa_ca_san(cert): On success returns None, on failure raises ValidationError """ + from urllib3.util import ssl_match_hostname + expect = f'{ipalib.constants.IPA_CA_RECORD}.' \ f'{ipautil.format_netloc(api.env.domain)}' try: cert.match_hostname(expect) - except ssl.CertificateError: + except ssl_match_hostname.CertificateError: raise errors.ValidationError( name='certificate', error='Does not have a \'{}\' SAN'.format(expect) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index f8701c8..9e5f5aa 100644 --- a/ipaserver/install/server/upgrade.py 
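Review bot: The function-scope `from urllib3.util import ssl_match_hostname` in `IPACertificate.match_hostname` (first ipalib/x509.py hunk) has no comment explaining why a third-party helper is imported inside the method body, and the same uncommented import is repeated in `check_ipa_ca_san` and `http_certificate_ensure_ipa_ca_dnsname`. Because the import runs only on the first call, a missing or incompatible urllib3 would surface at certificate-check time rather than at module import. `urllib3.util.ssl_match_hostname` is a helper module inside urllib3, and its location may differ between urllib3 releases, so the supported version range is worth confirming. I would add `# ssl.match_hostname was removed in Python 3.12; use urllib3's copy` above each import and make sure the packaging metadata declares urllib3. The method body continues outside this hunk.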
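Review bot: Swapping `ssl.match_hostname(...)` for `ssl_match_hostname.match_hostname(match_cert, DNSName(hostname).ToASCII())` in the second ipalib/x509.py hunk hands the hostname-matching rules to whichever urllib3 is installed, and nothing in the patch pins or tests them. The stdlib function fell back to the subject commonName when a certificate had no dNSName SAN; whether urllib3's helper does the same appears to depend on the urllib3 release (newer ones seem to gate it behind a `hostname_checks_common_name` argument), so the `match_cert['subject']` entries built above may or may not be consulted. The removed comment should be replaced by one stating the intended rule, for example `# SAN dNSName entries decide the match; CN fallback depends on urllib3`. A unit test with a CN-only certificate and a SAN-only certificate would lock the behaviour in. The start of the method lies in the previous hunk and its end is outside this one.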
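Review bot: `except ssl_match_hostname.CertificateError:` in `check_ipa_ca_san` makes the caller import urllib3 just to name the exception that ipalib's own `cert.match_hostname()` raises; the `except` in the second ipaserver/install/server/upgrade.py hunk has the same coupling. As far as I know urllib3's `CertificateError` is a separate class and not `ssl.CertificateError`, so any caller outside this patch that still catches `ssl.CertificateError` would let the mismatch propagate instead of handling it. Exposing the exception once from ipalib.x509 and catching that name in both callers would keep the exception contract in one place. The `raise errors.ValidationError(...)` inside the handler could also use `from None` or `from e`, to make the chaining explicit. The function body starts before and ends after the lines shown.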
+++ b/ipaserver/install/server/upgrade.py @@ -710,6 +710,8 @@ def http_certificate_ensure_ipa_ca_dnsname(http): steps. """ + from urllib3.util import ssl_match_hostname + logger.info('[Adding ipa-ca alias to HTTP certificate]') expect = f'{IPA_CA_RECORD}.{ipautil.format_netloc(api.env.domain)}' @@ -717,7 +719,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http): try: cert.match_hostname(expect) - except ssl.CertificateError: + except ssl_match_hostname.CertificateError: if certs.is_ipa_issued_cert(api, cert): request_id = certmonger.get_request_id( {'cert-file': paths.HTTPD_CERT_FILE}) -- 2.40.1