Use ssl.match_hostname from urllib3 as it was removed from Python 3.12

Based on upstream freeipa rawhide patch by Miro Hrončok See https://github.com/python/cpython/pull/94224#issuecomment-1621097418 Fixes: https://pagure.io/freeipa/issue/9409 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Miro Hroncok <miro@hroncok.cz> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2023-07-05 08:52:59 +02:00
parent 00c0a62a6a
commit d2ed490ff4
5 changed files with 18 additions and 9 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -565,11 +565,11 @@ Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-sssdconfig >= %{sssd_version}
 Requires: python3-psutil
 Requires: rpm-libs
-# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
 %if 0%{?rhel}
 Requires: python3-urllib3 >= 1.24.2-3
 %else
-Requires: python3-urllib3 >= 1.25.7
+# For urllib3.util.ssl_match_hostname
+Requires: python3-urllib3 >= 1.25.8
 %endif

 %description -n python3-ipaserver
@@ -896,6 +896,12 @@ Requires: platform-python-setuptools
 %else
 Requires: python3-setuptools
 %endif
+%if 0%{?rhel}
+Requires: python3-urllib3 >= 1.24.2-3
+%else
+# For urllib3.util.ssl_match_hostname
+Requires: python3-urllib3 >= 1.25.8
+%endif

 %description -n python3-ipalib
 IPA is an integrated solution to provide centrally managed Identity (users,
--- a/ipalib/setup.py
+++ b/ipalib/setup.py
@@ -42,6 +42,7 @@ if __name__ == '__main__':
            "pyasn1",
            "pyasn1-modules",
            "six",
+            "urllib3",
        ],
        extras_require={
            "install": ["dbus-python"],  # for certmonger and resolve1
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -36,7 +36,6 @@ import binascii
 import datetime
 import enum
 import ipaddress
-import ssl
 import base64
 import re

@@ -53,6 +52,11 @@ from pyasn1.codec.der import decoder, encoder
 from pyasn1_modules import rfc2315, rfc2459
 import six

+try:
+    from urllib3.util import ssl_match_hostname
+except ImportError:
+    from urllib3.packages import ssl_match_hostname
+
 from ipalib import errors
 from ipapython.dnsutil import DNSName

@@ -385,6 +389,7 @@ class IPACertificate(crypto_x509.Certificate):
        return result

    def match_hostname(self, hostname):
+        # The caller is expected to catch any exceptions
        match_cert = {}

        match_cert['subject'] = match_subject = []
@@ -401,8 +406,7 @@ class IPACertificate(crypto_x509.Certificate):
            for value in values:
                match_san.append(('DNS', value))

-        # deprecated in Python3.7 without replacement
-        ssl.match_hostname(  # pylint: disable=deprecated-method
+        ssl_match_hostname.match_hostname(
            match_cert, DNSName(hostname).ToASCII()
        )

--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -30,7 +30,6 @@ import dbus
 import os
 import re
 import shutil
-import ssl
 import sys
 import syslog
 import time
@@ -2378,7 +2377,7 @@ def check_ipa_ca_san(cert):

    try:
        cert.match_hostname(expect)
-    except ssl.CertificateError:
+    except x509.ssl_match_hostname.CertificateError:
        raise errors.ValidationError(
            name='certificate',
            error='Does not have a \'{}\' SAN'.format(expect)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -12,7 +12,6 @@ import os
 import glob
 import shutil
 import fileinput
-import ssl
 import stat
 import sys
 import tempfile
@@ -717,7 +716,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):

    try:
        cert.match_hostname(expect)
-    except ssl.CertificateError:
+    except x509.ssl_match_hostname.CertificateError:
        if certs.is_ipa_issued_cert(api, cert):
            request_id = certmonger.get_request_id(
                {'cert-file': paths.HTTPD_CERT_FILE})