Don't use ipv6 for DNS SAN fields with python3

aojeagarcia · Antonio Ojea · commit 9a543a81acb8 · 2018-10-07T21:21:12.000Z
Python2 match routines for x509 fields are broken and have to use the DNS field for ip addresses. The problem is that if you use ipv6 addresses in the DNS field, urllib3 fails when trying to encode it. Since python3 match routines for x509 fields are correct, this patch disables the hack for python3, encoding the ip address in the corresponding field only of the certificate. Partial-Bug: #1794929 Depends-On: https://review.openstack.org/#/c/608468 Change-Id: I7b9cb15ccfa181648afb12be51ee48bed14f9156 Signed-off-by: aojeagarcia <aojeagarcia@suse.com>
diff --git a/lib/tls b/lib/tls
@@ -227,9 +227,13 @@ function init_CA {
 function init_cert {
     if [[ ! -r $DEVSTACK_CERT ]]; then
         if [[ -n "$TLS_IP" ]]; then
-            # Lie to let incomplete match routines work
-            # see https://bugs.python.org/issue23239
-            TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
+            if python3_enabled; then
+                TLS_IP="IP:$TLS_IP"
+            else
+                # Lie to let incomplete match routines work with python2
+                # see https://bugs.python.org/issue23239
+                TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
+            fi
         fi
         make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
 
