Bug 1379594
| Summary: | python-docker-py 1.9.0 can't match hostnames based on ip address in subjectAlthostname | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomas Tomecek <ttomecek> |
| Component: | python-docker-py | Assignee: | Tomas Tomecek <ttomecek> |
| Status: | CLOSED WONTFIX | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | atomic-bugs, carl, python-maint, torsava, ttomecek |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-01-29 12:35:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
python-backports-ssl_match_hostname is obsolete now anyways. The code from that module was backported into Python 2.7.9 upstream, and subsequently backported into RHEL7's 2.7.5-34.el7 (see https://github.com/centos-rpms/python/commit/f63228654ecef84a78c552dac832f4cd939cf584). Very interesting info! Thanks Carl. Unfortunately it doesn't help, because setuptools is pulling 'python-backports-ssl_match_hostname-3.4.0.2-4.el7', even though I have 'python-2.7.5-48.el7.x86_64': $ py.test -v ./tests/unit/ssladapter_test.py ... tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_success FAILED ... E CertificateError: hostname '127.0.0.1' doesn't match either of u'localhost', u'*.gensokyo.jp' Let's ask python-maint team. It seems this issue has been fix in upstream. [root@dell-per630-02 docker-py]# rpm -q python-backports-ssl_match_hostname python python-backports-ssl_match_hostname-3.4.0.2-4.el7.noarch python-2.7.5-48.el7.x86_64 [root@dell-per630-02 docker-py]# git rev-parse HEAD 239673a51c16715e401f02c9912b6a1a8619188b [root@dell-per630-02 docker-py]# py.test -v ./tests/unit/ssladapter_test.py =============================================================================================== test session starts =============================================================================================== platform linux2 -- Python 2.7.5, pytest-3.0.4, py-1.4.31, pluggy-0.4.0 -- /usr/bin/python cachedir: .cache rootdir: /home/ajia/Projects/docker-py, inifile: pytest.ini plugins: cov-2.4.0 collected 6 items tests/unit/ssladapter_test.py::SSLAdapterTest::test_only_uses_tls PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_dns_failure PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_dns_success PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_failure PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_success PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_localhost_success PASSED ============================================================================================ 6 passed in 0.09 seconds ============================================================================================= It was not backported in RHEL7's python 2.7.5-34, and I can't find that it was backported at all. It looks like my last comment was a bit short sighted. The match_hostname function from Python 3.4's ssl module absolutely was backported, but that didn't yet contain the ability to accept IP addresses as hostnames. That is why the test works with backports.ssl_match_hostname 3.5.0.1. https://bitbucket.org/brandon/backports.ssl_match_hostname/commits/a8ef5d6 Since the solution to this bug lies outside of python-docker-py, I am going to close. Please reopen anybody if you run into this. |
This is due to outdated dependency python-backports-ssl_match_hostname. Failing test: ``` _________ MatchHostnameTest.test_match_ip_address_success _________ tests/unit/ssladapter_test.py:63: in test_match_ip_address_success assert match_hostname(self.cert, '127.0.0.1') is None /usr/lib/python2.7/site-packages/backports/ssl_match_hostname/__init__.py:95: in match_hostname % (hostname, ', '.join(map(repr, dnsnames)))) E CertificateError: hostname '127.0.0.1' doesn't match either of u'localhost', u'*.gensokyo.jp' =============== 1 failed, 5 passed in 0.08 seconds ================ ``` Works with latest python-backports-ssl_match_hostname: ``` [root@1c75cca9df70 docker-py-dc164c71be59e9d905a79db33aa77ba45e2ece2b]# pip install --user -U backports.ssl_match_hostname You are using pip version 7.1.0, however version 8.1.2 is available. You should consider upgrading via the 'pip install --upgrade pip' command. Collecting backports.ssl-match-hostname Downloading backports.ssl_match_hostname-3.5.0.1.tar.gz Installing collected packages: backports.ssl-match-hostname Running setup.py install for backports.ssl-match-hostname Successfully installed backports.ssl-match-hostname-3.5.0.1 [root@1c75cca9df70 docker-py-dc164c71be59e9d905a79db33aa77ba45e2ece2b]# py.test -v ./tests/unit/ssladapter_test.py ======================= test session starts ======================= platform linux2 -- Python 2.7.5, pytest-2.9.1, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python cachedir: .cache rootdir: /asd/docker-py-dc164c71be59e9d905a79db33aa77ba45e2ece2b, inifile: pytest.ini plugins: cov-2.1.0 collected 6 items tests/unit/ssladapter_test.py::SSLAdapterTest::test_only_uses_tls PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_dns_failure PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_dns_success PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_failure PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_success PASSED tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_localhost_success PASSED ==================== 6 passed in 0.07 seconds ===================== ```