83 lines
2.9 KiB
Diff
83 lines
2.9 KiB
Diff
From a96dae1a9918cfc1413e199336eece447920ef8e Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
|
|
Date: Wed, 5 Jul 2023 08:52:59 +0200
|
|
Subject: [PATCH] Use ssl.match_hostname from urllib3 as it was removed from
|
|
Python 3.12
|
|
|
|
See https://pagure.io/freeipa/issue/9409
|
|
and https://github.com/python/cpython/pull/94224#issuecomment-1621097418
|
|
---
|
|
ipalib/x509.py | 5 +++--
|
|
ipaserver/install/cainstance.py | 4 +++-
|
|
ipaserver/install/server/upgrade.py | 4 +++-
|
|
3 files changed, 9 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/ipalib/x509.py b/ipalib/x509.py
|
|
index 5adb511..faf62d4 100644
|
|
--- a/ipalib/x509.py
|
|
+++ b/ipalib/x509.py
|
|
@@ -385,6 +385,8 @@ class IPACertificate(crypto_x509.Certificate):
|
|
return result
|
|
|
|
def match_hostname(self, hostname):
|
|
+ from urllib3.util import ssl_match_hostname
|
|
+
|
|
match_cert = {}
|
|
|
|
match_cert['subject'] = match_subject = []
|
|
@@ -401,8 +403,7 @@ class IPACertificate(crypto_x509.Certificate):
|
|
for value in values:
|
|
match_san.append(('DNS', value))
|
|
|
|
- # deprecated in Python3.7 without replacement
|
|
- ssl.match_hostname( # pylint: disable=deprecated-method
|
|
+ ssl_match_hostname.match_hostname(
|
|
match_cert, DNSName(hostname).ToASCII()
|
|
)
|
|
|
|
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
index fa8942d..e9f3ecb 100644
|
|
--- a/ipaserver/install/cainstance.py
|
|
+++ b/ipaserver/install/cainstance.py
|
|
@@ -2373,12 +2373,14 @@ def check_ipa_ca_san(cert):
|
|
|
|
On success returns None, on failure raises ValidationError
|
|
"""
|
|
+ from urllib3.util import ssl_match_hostname
|
|
+
|
|
expect = f'{ipalib.constants.IPA_CA_RECORD}.' \
|
|
f'{ipautil.format_netloc(api.env.domain)}'
|
|
|
|
try:
|
|
cert.match_hostname(expect)
|
|
- except ssl.CertificateError:
|
|
+ except ssl_match_hostname.CertificateError:
|
|
raise errors.ValidationError(
|
|
name='certificate',
|
|
error='Does not have a \'{}\' SAN'.format(expect)
|
|
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
index f8701c8..9e5f5aa 100644
|
|
--- a/ipaserver/install/server/upgrade.py
|
|
+++ b/ipaserver/install/server/upgrade.py
|
|
@@ -710,6 +710,8 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
|
|
steps.
|
|
|
|
"""
|
|
+ from urllib3.util import ssl_match_hostname
|
|
+
|
|
logger.info('[Adding ipa-ca alias to HTTP certificate]')
|
|
|
|
expect = f'{IPA_CA_RECORD}.{ipautil.format_netloc(api.env.domain)}'
|
|
@@ -717,7 +719,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
|
|
|
|
try:
|
|
cert.match_hostname(expect)
|
|
- except ssl.CertificateError:
|
|
+ except ssl_match_hostname.CertificateError:
|
|
if certs.is_ipa_issued_cert(api, cert):
|
|
request_id = certmonger.get_request_id(
|
|
{'cert-file': paths.HTTPD_CERT_FILE})
|
|
--
|
|
2.40.1
|
|
|