urllib3 1.18 was released today and contains new more correct hostname
matching that takes into account the ipAddress portion of a certificate
and disallows matching an IP Address against a DNS hostname.
Change-Id: I37d247b68911dc85f55adec6a7952ed321c1b1d8
... | ... |
@@ -2207,6 +2207,18 @@ function cidr2netmask { |
2207 | 2207 |
echo ${1-0}.${2-0}.${3-0}.${4-0} |
2208 | 2208 |
} |
2209 | 2209 |
|
2210 |
+# Check if this is a valid ipv4 address string |
|
2211 |
+function is_ipv4_address { |
|
2212 |
+ local address=$1 |
|
2213 |
+ local regex='([0-9]{1,3}.){3}[0-9]{1,3}' |
|
2214 |
+ # TODO(clarkb) make this more robust |
|
2215 |
+ if [[ "$address" =~ $regex ]] ; then |
|
2216 |
+ return 0 |
|
2217 |
+ else |
|
2218 |
+ return 1 |
|
2219 |
+ fi |
|
2220 |
+} |
|
2221 |
+ |
|
2210 | 2222 |
# Gracefully cp only if source file/dir exists |
2211 | 2223 |
# cp_it source destination |
2212 | 2224 |
function cp_it { |
... | ... |
@@ -226,7 +226,7 @@ function init_cert { |
226 | 226 |
if [[ ! -r $DEVSTACK_CERT ]]; then |
227 | 227 |
if [[ -n "$TLS_IP" ]]; then |
228 | 228 |
# Lie to let incomplete match routines work |
229 |
- TLS_IP="DNS:$TLS_IP" |
|
229 |
+ TLS_IP="DNS:$TLS_IP,IP:$TLS_IP" |
|
230 | 230 |
fi |
231 | 231 |
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP" |
232 | 232 |
|
... | ... |
@@ -249,6 +249,9 @@ function make_cert { |
249 | 249 |
else |
250 | 250 |
alt_names="$alt_names,DNS:$SERVICE_HOST" |
251 | 251 |
fi |
252 |
+ if is_ipv4_address "$SERVICE_HOST" ; then |
|
253 |
+ alt_names="$alt_names,IP:$SERVICE_HOST" |
|
254 |
+ fi |
|
252 | 255 |
fi |
253 | 256 |
|
254 | 257 |
# Only generate the certificate if it doesn't exist yet on the disk |