openstack/devstack
Code Issues Proposed changes

Update certificate creation for urllib3

Browse Source 
urllib3 1.18 was released today and contains new more correct hostname
matching that takes into account the ipAddress portion of a certificate
and disallows matching an IP Address against a DNS hostname.

Change-Id: I37d247b68911dc85f55adec6a7952ed321c1b1d8
This commit is contained in:
Ian Cordasco 2016-09-26 12:53:14 -05:00 committed by Clark Boylan
parent 9cea4e8570
commit 69e3c0aac9
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
functions-common
View File

@ -2207,6 +2207,18 @@ function cidr2netmask {
echo ${1-0}.${2-0}.${3-0}.${4-0} echo ${1-0}.${2-0}.${3-0}.${4-0}
} }
# Check if this is a valid ipv4 address string
function is_ipv4_address {
local address=$1
local regex='([0-9]{1,3}.){3}[0-9]{1,3}'
# TODO(clarkb) make this more robust
if [[ "$address" =~ $regex ]] ; then
return 0
else
return 1
fi
}
# Gracefully cp only if source file/dir exists # Gracefully cp only if source file/dir exists
# cp_it source destination # cp_it source destination
function cp_it { function cp_it {

5
lib/tls
View File

@ -226,7 +226,7 @@ function init_cert {
if [[ ! -r $DEVSTACK_CERT ]]; then if [[ ! -r $DEVSTACK_CERT ]]; then
if [[ -n "$TLS_IP" ]]; then if [[ -n "$TLS_IP" ]]; then
# Lie to let incomplete match routines work # Lie to let incomplete match routines work
TLS_IP="DNS:$TLS_IP" TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
fi fi
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP" make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
@ -249,6 +249,9 @@ function make_cert {
else else
alt_names="$alt_names,DNS:$SERVICE_HOST" alt_names="$alt_names,DNS:$SERVICE_HOST"
fi fi
if is_ipv4_address "$SERVICE_HOST" ; then
alt_names="$alt_names,IP:$SERVICE_HOST"
fi
fi fi
# Only generate the certificate if it doesn't exist yet on the disk # Only generate the certificate if it doesn't exist yet on the disk