urllib3 1.18 was released today and contains new, more correct hostname
matching that takes into account the ipAddress portion of a certificate
and disallows matching an IP address against a DNS hostname.
Change-Id: I37d247b68911dc85f55adec6a7952ed321c1b1d8
@@ -2207,6 +2207,18 @@ function cidr2netmask {
|
| 2207 | 2207 |
echo ${1-0}.${2-0}.${3-0}.${4-0}
|
| 2208 | 2208 |
} |
| 2209 | 2209 |
|
| 2210 |
+# Check if this is a valid ipv4 address string |
|
| 2211 |
+function is_ipv4_address {
|
|
| 2212 |
+ local address=$1 |
|
| 2213 |
+ local regex='([0-9]{1,3}.){3}[0-9]{1,3}'
|
|
| 2214 |
+ # TODO(clarkb) make this more robust |
|
| 2215 |
+ if [[ "$address" =~ $regex ]] ; then |
|
| 2216 |
+ return 0 |
|
| 2217 |
+ else |
|
| 2218 |
+ return 1 |
|
| 2219 |
+ fi |
|
| 2220 |
+} |
|
| 2221 |
+ |
|
| 2210 | 2222 |
# Gracefully cp only if source file/dir exists |
| 2211 | 2223 |
# cp_it source destination |
| 2212 | 2224 |
function cp_it {
|
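Review bot: The pattern on line 2213 is neither anchored nor does it escape the dot, so `([0-9]{1,3}.){3}[0-9]{1,3}` also accepts octets above 255 and any string that merely contains four digit runs separated by single arbitrary characters (a hostname such as `node1a2b3c4` passes), which the TODO on 2214 acknowledges but the callers in make_cert then trust to emit an `IP:` SAN that openssl will reject for a non-address. Anchoring and escaping is a one-line change: `local regex='^([0-9]{1,3}\.){3}[0-9]{1,3}$'`. The `if`/`return 0`/`else`/`return 1` body can also collapse to a single `[[ "$address" =~ $regex ]]`, since the test's status is already the function's result. The same looseness affects the is_ipv4_address call added in the make_cert hunk below.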
@@ -226,7 +226,7 @@ function init_cert {
|
| 226 | 226 |
if [[ ! -r $DEVSTACK_CERT ]]; then |
| 227 | 227 |
if [[ -n "$TLS_IP" ]]; then |
| 228 | 228 |
# Lie to let incomplete match routines work |
| 229 |
- TLS_IP="DNS:$TLS_IP" |
|
| 229 |
+ TLS_IP="DNS:$TLS_IP,IP:$TLS_IP" |
|
| 230 | 230 |
fi |
| 231 | 231 |
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP" |
| 232 | 232 |
|
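Review bot: The comment on line 228, `# Lie to let incomplete match routines work`, is now misleading: with the change on 229 the `IP:` entry is the correct SAN type for an address, and only the retained `DNS:$TLS_IP` entry is the compatibility lie. Suggest rewording it to `# IP: is the correct SAN type; keep DNS:<ip> too for clients with incomplete matching`. Unlike the make_cert hunk, this path adds `IP:` without an is_ipv4_address check, which is presumably fine if TLS_IP is always an address, but worth confirming. init_cert's body begins outside the hunk.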
@@ -249,6 +249,9 @@ function make_cert {
|
| 249 | 249 |
else |
| 250 | 250 |
alt_names="$alt_names,DNS:$SERVICE_HOST" |
| 251 | 251 |
fi |
| 252 |
+ if is_ipv4_address "$SERVICE_HOST" ; then |
|
| 253 |
+ alt_names="$alt_names,IP:$SERVICE_HOST" |
|
| 254 |
+ fi |
|
| 252 | 255 |
fi |
| 253 | 256 |
|
| 254 | 257 |
# Only generate the certificate if it doesn't exist yet on the disk |
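Review bot: When SERVICE_HOST is an IPv4 address, the `DNS:$SERVICE_HOST` entry on line 250 is still appended before the new `IP:` entry on 253, so the certificate carries both a DNS and an IP SAN for the same value; that appears intentional (it mirrors the TLS_IP handling in init_cert) but nothing in the code says so. Suggest a comment above the new `if`: `# Also add an IP SAN; the DNS:<ip> entry above is kept for clients with incomplete matching`. The check only recognizes IPv4, so an IPv6 SERVICE_HOST, if that is a supported configuration, would get no `IP:` SAN and fail strict matching. The enclosing conditional closed by the `fi` on 255 starts outside the hunk.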