Bug 1379594 - python-docker-py 1.9.0 can't match hostnames based on ip address in subjectAlthostname
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-docker-py
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Tomas Tomecek
QA Contact: atomic-bugs@redhat.com
Reported: 2016-09-27 08:01 UTC by Tomas Tomecek
Modified: 2020-01-29 12:35 UTC (History)
Last Closed: 2020-01-29 12:35:41 UTC

Description Tomas Tomecek 2016-09-27 08:01:37 UTC
This is due to an outdated dependency, python-backports-ssl_match_hostname.

Failing test:

```
_________ MatchHostnameTest.test_match_ip_address_success _________
tests/unit/ssladapter_test.py:63: in test_match_ip_address_success
    assert match_hostname(self.cert, '127.0.0.1') is None
/usr/lib/python2.7/site-packages/backports/ssl_match_hostname/__init__.py:95: in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
E   CertificateError: hostname '127.0.0.1' doesn't match either of u'localhost', u'*.gensokyo.jp'
=============== 1 failed, 5 passed in 0.08 seconds ================
```

Works with latest python-backports-ssl_match_hostname:

```
[root@1c75cca9df70 docker-py-dc164c71be59e9d905a79db33aa77ba45e2ece2b]# pip install --user -U backports.ssl_match_hostname
You are using pip version 7.1.0, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Collecting backports.ssl-match-hostname
  Downloading backports.ssl_match_hostname-3.5.0.1.tar.gz
Installing collected packages: backports.ssl-match-hostname
  Running setup.py install for backports.ssl-match-hostname
Successfully installed backports.ssl-match-hostname-3.5.0.1
[root@1c75cca9df70 docker-py-dc164c71be59e9d905a79db33aa77ba45e2ece2b]# py.test -v ./tests/unit/ssladapter_test.py
======================= test session starts =======================
platform linux2 -- Python 2.7.5, pytest-2.9.1, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python
cachedir: .cache
rootdir: /asd/docker-py-dc164c71be59e9d905a79db33aa77ba45e2ece2b, inifile: pytest.ini
plugins: cov-2.1.0
collected 6 items

tests/unit/ssladapter_test.py::SSLAdapterTest::test_only_uses_tls PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_dns_failure PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_dns_success PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_failure PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_success PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_localhost_success PASSED

==================== 6 passed in 0.07 seconds =====================
```

Comment 2 Carl George 2016-11-29 15:09:30 UTC
python-backports-ssl_match_hostname is obsolete now anyways.  The code from that module was backported into Python 2.7.9 upstream, and subsequently backported into RHEL7's 2.7.5-34.el7 (see https://github.com/centos-rpms/python/commit/f63228654ecef84a78c552dac832f4cd939cf584).

Comment 3 Tomas Tomecek 2016-11-30 09:55:55 UTC
Very interesting info! Thanks Carl.

Unfortunately it doesn't help, because setuptools is pulling 'python-backports-ssl_match_hostname-3.4.0.2-4.el7', even though I have 'python-2.7.5-48.el7.x86_64':

```
$ py.test -v ./tests/unit/ssladapter_test.py
...
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_success FAILED
...
E   CertificateError: hostname '127.0.0.1' doesn't match either of u'localhost', u'*.gensokyo.jp'
```


Let's ask python-maint team.

Comment 4 Alex Jia 2016-12-01 10:01:37 UTC
It seems this issue has been fixed upstream.

```
[root@dell-per630-02 docker-py]# rpm -q python-backports-ssl_match_hostname python
python-backports-ssl_match_hostname-3.4.0.2-4.el7.noarch
python-2.7.5-48.el7.x86_64

[root@dell-per630-02 docker-py]# git rev-parse HEAD
239673a51c16715e401f02c9912b6a1a8619188b

[root@dell-per630-02 docker-py]# py.test -v ./tests/unit/ssladapter_test.py
=============================================================================================== test session starts ===============================================================================================
platform linux2 -- Python 2.7.5, pytest-3.0.4, py-1.4.31, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
rootdir: /home/ajia/Projects/docker-py, inifile: pytest.ini
plugins: cov-2.4.0
collected 6 items 

tests/unit/ssladapter_test.py::SSLAdapterTest::test_only_uses_tls PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_dns_failure PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_dns_success PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_failure PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_ip_address_success PASSED
tests/unit/ssladapter_test.py::MatchHostnameTest::test_match_localhost_success PASSED

============================================================================================ 6 passed in 0.09 seconds =============================================================================================
```

Comment 5 Tomas Orsava 2017-01-02 12:53:53 UTC
It was not backported in RHEL7's python 2.7.5-34, and I can't find that it was backported at all.

Comment 6 Carl George 2017-01-02 14:43:07 UTC
It looks like my last comment was a bit short-sighted.  The match_hostname function from Python 3.4's ssl module absolutely was backported, but that didn't yet contain the ability to accept IP addresses as hostnames.  That is why the test works with backports.ssl_match_hostname 3.5.0.1.

https://bitbucket.org/brandon/backports.ssl_match_hostname/commits/a8ef5d6

Comment 7 Tomas Tomecek 2020-01-29 12:35:41 UTC
Since the solution to this bug lies outside of python-docker-py, I am going to close.

Anybody, please reopen if you run into this.

