From 69e3c0aac99981f17c76c22111e5c397824b8428 Mon Sep 17 00:00:00 2001
From: Ian Cordasco <graffatcolmingov@gmail.com>
Date: Mon, 26 Sep 2016 12:53:14 -0500
Subject: [PATCH] Update certificate creation for urllib3

urllib3 1.18 was released today and contains new, more correct hostname
matching that takes into account the ipAddress portion of a certificate
and disallows matching an IP address against a DNS hostname.

Change-Id: I37d247b68911dc85f55adec6a7952ed321c1b1d8
---
 functions-common | 12 ++++++++++++
 lib/tls          |  5 ++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/functions-common b/functions-common
index 4716567be3..9544c8102f 100644
--- a/functions-common
+++ b/functions-common
@@ -2207,6 +2207,18 @@ function cidr2netmask {
     echo ${1-0}.${2-0}.${3-0}.${4-0}
 }
 
+# Check if this is a valid ipv4 address string
+function is_ipv4_address {
+    local address=$1
+    local regex='([0-9]{1,3}.){3}[0-9]{1,3}'
+    # TODO(clarkb) make this more robust
+    if [[ "$address" =~ $regex ]] ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
 # Gracefully cp only if source file/dir exists
 # cp_it source destination
 function cp_it {
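Review bot: The pattern in `is_ipv4_address` is unanchored and its `.` is unescaped, so `[[ "$address" =~ $regex ]]` succeeds for any string that merely contains four short digit groups separated by arbitrary characters, for example a DNS name such as `node-10-0-0-1.example.org`. The new caller in `make_cert` (lib/tls) uses this result to decide whether to add an `IP:` subjectAltName, so a hostname that passes would be written into the certificate's alt names as an IP entry. Anchoring and escaping closes most of that: `local regex='^([0-9]{1,3}\.){3}[0-9]{1,3}$'`. Octets above 255 would still pass, which the existing TODO could state explicitly. The `if`/`else` can also be reduced to the bare `[[ "$address" =~ $regex ]]` as the function's last command.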
diff --git a/lib/tls b/lib/tls
index 2c4e18d388..78d476fbf2 100644
--- a/lib/tls
+++ b/lib/tls
@@ -226,7 +226,7 @@ function init_cert {
     if [[ ! -r $DEVSTACK_CERT ]]; then
         if [[ -n "$TLS_IP" ]]; then
             # Lie to let incomplete match routines work
-            TLS_IP="DNS:$TLS_IP"
+            TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
         fi
         make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
 
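Review bot: The comment `# Lie to let incomplete match routines work` above the changed assignment now describes only half of the value: the `IP:` entry is the accurate SAN type and the `DNS:` entry is the compatibility shim. I would reword it to something like `# IP: is the correct SAN type; DNS: is kept for matchers that only look at dNSName entries`. `TLS_IP` is interpolated into both entries without a format check in the visible lines, so a value that is not an address would produce an `IP:` entry that is not one. Whether that is caught later at certificate generation cannot be seen from here. The body of `init_cert` starts and ends outside the hunk.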
@@ -249,6 +249,9 @@ function make_cert {
         else
             alt_names="$alt_names,DNS:$SERVICE_HOST"
         fi
+        if is_ipv4_address "$SERVICE_HOST" ; then
+            alt_names="$alt_names,IP:$SERVICE_HOST"
+        fi
     fi
 
     # Only generate the certificate if it doesn't exist yet on the disk
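Review bot: Only IPv4 literals receive an `IP:` entry here, so an IPv6 literal in `SERVICE_HOST` would still be carried only as `DNS:$SERVICE_HOST` from the `else` branch above, unless the branch cut off by the hunk handles it. A matcher that refuses to compare an IP address against a dNSName, as the commit message describes for urllib3 1.18, would then reject the certificate for that host. If IPv6 service hosts are supported, a sibling check is needed; at minimum a comment such as `# NOTE: an IPv6 SERVICE_HOST gets no IP: SAN yet` would record the gap. `make_cert` starts and ends outside the hunk.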