Don't use ipv6 for DNS SAN fields with python3

Python2 match routines for x509 fields are broken and have to use
the DNS field for ip addresses.

The problem is that if you use ipv6 addresses in the DNS field,
urllib3 fails when trying to encode it.

Since python3 match routines for x509 fields are correct, this patch
disables the hack for python3, encoding the ip address in the
corresponding field only of the certificate.

Partial-Bug: #1794929
Depends-On: https://review.openstack.org/#/c/608468

Change-Id: I7b9cb15ccfa181648afb12be51ee48bed14f9156
Signed-off-by: aojeagarcia <aojeagarcia@suse.com>
aojeagarcia 2018-09-28 08:55:49 +02:00 committed by Antonio Ojea
parent 02ca8da102
commit 9a543a81ac
1 changed files with 7 additions and 3 deletions

lib/tls

@ -227,9 +227,13 @@ function init_CA {
function init_cert {
if [[ ! -r $DEVSTACK_CERT ]]; then
if [[ -n "$TLS_IP" ]]; then
# Lie to let incomplete match routines work
# see https://bugs.python.org/issue23239
TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
if python3_enabled; then
TLS_IP="IP:$TLS_IP"
else
# Lie to let incomplete match routines work with python2
# see https://bugs.python.org/issue23239
TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
fi
fi
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
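Review bot: The else branch still emits `DNS:$TLS_IP,IP:$TLS_IP` for every address, so a python2 run with an IPv6 `TLS_IP` keeps producing the DNS SAN entry that the commit message says urllib3 fails to encode. Consider applying the DNS hack only when the address is IPv4, or state in the comment above it that IPv6 with python2 remains unsupported, so the remaining part of the bug is visible in the code and not only in the Partial-Bug tag. The new `IP:$TLS_IP` branch also has no comment; a one-line note that python3 matches iPAddress SAN entries correctly would explain why the two branches differ. Separately, `TLS_IP` is rewritten in place with the SAN prefix and there is no `local` in the visible lines, so anything that reads it after `init_cert` sees `IP:...` and not the bare address; building the SAN string in a separate local variable and passing that to `make_cert` would avoid the side effect.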