Use ssl.match_hostname from urllib3 as it was removed from Python 3.12

Based on upstream freeipa rawhide patch by Miro Hrončok See python/cpython#94224 (comment) Fixes: https://pagure.io/freeipa/issue/9409 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten · Jul 6, 2023 · 49d863d · 49d863d
1 parent 4a3e3ef
commit 49d863d
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 7 deletions.
diff --git a/ipalib/x509.py b/ipalib/x509.py
@@ -36,7 +36,6 @@
 import datetime
 import enum
 import ipaddress
-import ssl
 import base64
 import re
 
@@ -53,6 +52,11 @@
 from pyasn1_modules import rfc2315, rfc2459
 import six
 
+try:
+ from urllib3.util import ssl_match_hostname
+except ImportError:
+ from urllib3.packages import ssl_match_hostname
+
 from ipalib import errors
 from ipapython.dnsutil import DNSName
 
@@ -385,6 +389,7 @@ def san_a_label_dns_names(self):
  return result
 
  def match_hostname(self, hostname):
+ # The caller is expected to catch any exceptions
  match_cert = {}
 
  match_cert['subject'] = match_subject = []
@@ -401,8 +406,7 @@ def match_hostname(self, hostname):
  for value in values:
  match_san.append(('DNS', value))
 
- # deprecated in Python3.7 without replacement
- ssl.match_hostname( # pylint: disable=deprecated-method
+ ssl_match_hostname.match_hostname(
  match_cert, DNSName(hostname).ToASCII()
  )
 

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
@@ -30,7 +30,6 @@
 import os
 import re
 import shutil
-import ssl
 import sys
 import syslog
 import time
@@ -2378,7 +2377,7 @@ def check_ipa_ca_san(cert):
 
  try:
  cert.match_hostname(expect)
- except ssl.CertificateError:
+ except x509.ssl_match_hostname.CertificateError:
  raise errors.ValidationError(
  name='certificate',
  error='Does not have a \'{}\' SAN'.format(expect)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
@@ -12,7 +12,6 @@
 import glob
 import shutil
 import fileinput
-import ssl
 import stat
 import sys
 import tempfile
@@ -717,7 +716,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
 
  try:
  cert.match_hostname(expect)
- except ssl.CertificateError:
+ except x509.ssl_match_hostname.CertificateError:
  if certs.is_ipa_issued_cert(api, cert):
  request_id = certmonger.get_request_id(
  {'cert-file': paths.HTTPD_CERT_FILE})