Skip to content

Commit 1e14d78

Browse files
hroncokrcritten
hroncok
authored and
rcritten
committed
Use ssl.match_hostname from urllib3 as it was removed from Python 3.12
See https://pagure.io/freeipa/issue/9409 and python/cpython#94224 (comment)
1 parent 4a3e3ef commit 1e14d78

3 files changed

Lines changed: 9 additions & 4 deletions

File tree

ipalib/x509.py

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -385,6 +385,8 @@ def san_a_label_dns_names(self):
385385
return result
386386

387387
def match_hostname(self, hostname):
388+
from urllib3.util import ssl_match_hostname
389+
388390
match_cert = {}
389391

390392
match_cert['subject'] = match_subject = []
@@ -401,8 +403,7 @@ def match_hostname(self, hostname):
401403
for value in values:
402404
match_san.append(('DNS', value))
403405

404-
# deprecated in Python3.7 without replacement
405-
ssl.match_hostname( # pylint: disable=deprecated-method
406+
ssl_match_hostname.match_hostname(
406407
match_cert, DNSName(hostname).ToASCII()
407408
)
408409

ipaserver/install/cainstance.py

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2373,12 +2373,14 @@ def check_ipa_ca_san(cert):
23732373
23742374
On success returns None, on failure raises ValidationError
23752375
"""
2376+
from urllib3.util import ssl_match_hostname
2377+
23762378
expect = f'{ipalib.constants.IPA_CA_RECORD}.' \
23772379
f'{ipautil.format_netloc(api.env.domain)}'
23782380

23792381
try:
23802382
cert.match_hostname(expect)
2381-
except ssl.CertificateError:
2383+
except ssl_match_hostname.CertificateError:
23822384
raise errors.ValidationError(
23832385
name='certificate',
23842386
error='Does not have a \'{}\' SAN'.format(expect)

ipaserver/install/server/upgrade.py

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -710,14 +710,16 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
710710
steps.
711711
712712
"""
713+
from urllib3.util import ssl_match_hostname
714+
713715
logger.info('[Adding ipa-ca alias to HTTP certificate]')
714716

715717
expect = f'{IPA_CA_RECORD}.{ipautil.format_netloc(api.env.domain)}'
716718
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
717719

718720
try:
719721
cert.match_hostname(expect)
720-
except ssl.CertificateError:
722+
except ssl_match_hostname.CertificateError:
721723
if certs.is_ipa_issued_cert(api, cert):
722724
request_id = certmonger.get_request_id(
723725
{'cert-file': paths.HTTPD_CERT_FILE})

0 commit comments

Comments
 (0)