Created attachment 1445767 [details] build.log from copr A testfull rebuild of python-urllib3 fails with Python 3.7. TestConnection.test_match_hostname_mismatch fails. _________________ TestConnection.test_match_hostname_mismatch __________________ self = <test.test_connection.TestConnection object at 0x7f27e24ea588> def test_match_hostname_mismatch(self): cert = {'subjectAltName': [('DNS', 'foo')]} asserted_hostname = 'bar' try: with mock.patch('urllib3.connection.log.error') as mock_log: > _match_hostname(cert, asserted_hostname) test/test_connection.py:39: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ cert = {'subjectAltName': [('DNS', 'foo')]}, asserted_hostname = 'bar' def _match_hostname(cert, asserted_hostname): try: > match_hostname(cert, asserted_hostname) urllib3/connection.py:357: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ cert = {'subjectAltName': [('DNS', 'foo')]}, hostname = 'bar' def match_hostname(cert, hostname): """Verify that *cert* (in decoded format as returned by SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 rules are followed. The function matches IP addresses rather than dNSNames if hostname is a valid ipaddress string. IPv4 addresses are supported on all platforms. IPv6 addresses are supported on platforms with IPv6 support (AF_INET6 and inet_pton). CertificateError is raised on failure. On success, the function returns nothing. """ if not cert: raise ValueError("empty or no certificate, match_hostname needs a " "SSL socket or SSL context with either " "CERT_OPTIONAL or CERT_REQUIRED") try: host_ip = _inet_paton(hostname) except ValueError: # Not an IP address (common case) host_ip = None dnsnames = [] san = cert.get('subjectAltName', ()) for key, value in san: if key == 'DNS': if host_ip is None and _dnsname_match(value, hostname): return dnsnames.append(value) elif key == 'IP Address': if host_ip is not None and _ipaddress_match(value, host_ip): return dnsnames.append(value) if not dnsnames: # The subject is only checked when there is no dNSName entry # in subjectAltName for sub in cert.get('subject', ()): for key, value in sub: # XXX according to RFC 2818, the most specific Common Name # must be used. if key == 'commonName': if _dnsname_match(value, hostname): return dnsnames.append(value) if len(dnsnames) > 1: raise CertificateError("hostname %r " "doesn't match either of %s" % (hostname, ', '.join(map(repr, dnsnames)))) elif len(dnsnames) == 1: raise CertificateError("hostname %r " "doesn't match %r" > % (hostname, dnsnames[0])) E ssl.SSLCertVerificationError: ("hostname 'bar' doesn't match 'foo'",) /usr/lib64/python3.7/ssl.py:327: SSLCertVerificationError During handling of the above exception, another exception occurred: self = <test.test_connection.TestConnection object at 0x7f27e24ea588> def test_match_hostname_mismatch(self): cert = {'subjectAltName': [('DNS', 'foo')]} asserted_hostname = 'bar' try: with mock.patch('urllib3.connection.log.error') as mock_log: _match_hostname(cert, asserted_hostname) except CertificateError as e: > assert str(e) == "hostname 'bar' doesn't match 'foo'" E assert '("hostname \...ch \'foo\'",)' == "hostname 'bar...t match 'foo'" E - ("hostname 'bar' doesn't match 'foo'",) E ? -- --- E + hostname 'bar' doesn't match 'foo' test/test_connection.py:41: AssertionError Version-Release number of selected component (if applicable): 1.22-9.fc29 logs attached.
Created attachment 1445768 [details] root.log from copr
Fixed upstream in https://github.com/urllib3/urllib3/commit/edd7a0063d25f1a7f34306f9a9488247593888a9 https://github.com/urllib3/urllib3/issues/1365
Hey, thanks for the report. I've backported that patch for Rawhide.
Build on 3.7 succeeded.