new file mode 100644

@@ -0,0 +1,56 @@

+--- a/Lib/ssl.py

+@@ -137,6 +137,11 @@ from socket import socket, AF_INET, SOCK_STREAM, create_connection

+ from socket import SOL_SOCKET, SO_TYPE

+ import base64        # for DER-to-PEM translation

+ import errno

++try:

++    from ipaddr import IPAddress

++except ImportError:

++    # ipaddr is missing. Make ip address cert match functionality to behave as before.

++    def IPAddress(*_args): raise ValueError("Not supported")

+ 

+ if _ssl.HAS_TLS_UNIQUE:

+     CHANNEL_BINDING_TYPES = ['tls-unique']

+@@ -232,7 +237,15 @@ def _dnsname_match(dn, hostname, max_wildcards=1):

+     pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)

+     return pat.match(hostname)

+ 

++def _ipaddress_match(ipname, host_ip):

++    """Exact matching of IP addresses.

+ 

++    RFC 6125 explicitly doesn't define an algorithm for this

++    (section 1.7.2 - "Out of Scope").

++    """

++    # OpenSSL may add a trailing newline to a subjectAltName's IP address

++    ip = IPAddress(ipname.rstrip())

++    return ip == host_ip

+ def match_hostname(cert, hostname):

+     """Verify that *cert* (in decoded format as returned by

+     SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125

+@@ -245,13 +258,24 @@ def match_hostname(cert, hostname):

+         raise ValueError("empty or no certificate, match_hostname needs a "

+                          "SSL socket or SSL context with either "

+                          "CERT_OPTIONAL or CERT_REQUIRED")

++

++    try:

++        host_ip = IPAddress(hostname)

++    except ValueError:

++        # Not an IP address (common case)

++        host_ip = None

++

+     dnsnames = []

+     san = cert.get('subjectAltName', ())

+     for key, value in san:

+         if key == 'DNS':

+-            if _dnsname_match(value, hostname):

++            if host_ip is None and _dnsname_match(value, hostname):

+                 return

+             dnsnames.append(value)

++        elif key == 'IP Address':

++            if host_ip is not None and _ipaddress_match(value, host_ip):

++                 return

++            dnsnames.append(value)

+     if not dnsnames:

+         # The subject is only checked when there is no dNSName entry

+         # in subjectAltName

@@ -1,7 +1,7 @@

 Summary:	A high-level scripting language

 Name:		python2

 Version:	2.7.11

-Release:	5%{?dist}

+Release:	6%{?dist}

 License:	PSF

 URL:		http://www.python.org/

 Group:		System Environment/Programming

@@ -11,6 +11,7 @@ Source0:	http://www.python.org/ftp/python/2.7.11/Python-%{version}.tar.xz

 %define sha1 Python=c3b8bbe3f084c4d4ea13ffb03d75a5e22f9756ff

 Patch0: cgi.patch

 Patch1: added-compiler-flags-for-curses-module.patch

+Patch2: added-pyopenssl-ipaddress-certificate-validation.patch

 BuildRequires:	pkg-config >= 0.28

 BuildRequires:	bzip2-devel

 BuildRequires:  openssl-devel

@@ -99,6 +100,7 @@ to build python programs.

 %setup -q -n Python-%{version}

 %patch0 -p1

 %patch1 -p1

+%patch2 -p1

 %build

 export OPT="${CFLAGS}"

 ./configure \

@@ -215,30 +217,32 @@ rm -rf %{buildroot}/*

 %{_bindir}/idle*

 %changelog

-*	Mon Jun 20 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.11-5

--   	Added stack-protector flag for ncurses module

-*	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.7.11-4

--	GA - Bump release of all rpms

-*  	Tue Apr 26 2016 Nick Shi <nshi@vmware.com> 2.7.11-3

--  	Adding readline module into python2-libs

+*   Wed Sep 7 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.11-6

+-   Added patch to python openssl to validate certificates by ipaddress 

+*   Mon Jun 20 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.11-5

+-   Added stack-protector flag for ncurses module

+*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.7.11-4

+-   GA - Bump release of all rpms

+*   Tue Apr 26 2016 Nick Shi <nshi@vmware.com> 2.7.11-3

+-   Adding readline module into python2-libs

-*   	Wed Apr 13 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.7.11-2

--   	update python to require python-libs

+*   Wed Apr 13 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.7.11-2

+-   update python to require python-libs

-*   	Thu Jan 28 2016 Anish Swaminathan <anishs@vmware.com> 2.7.11-1

--   	Upgrade version

+*   Thu Jan 28 2016 Anish Swaminathan <anishs@vmware.com> 2.7.11-1

+-   Upgrade version

-*	Fri Jan 22 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.9-5

--	Seperate python-curses package from python-libs package

+*   Fri Jan 22 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.9-5

+-   Seperate python-curses package from python-libs package

-*	Thu Oct 29 2015 Mahmoud Bassiouny <mbassiouny@vmware.com> 2.7.9-4

--	Seperate python-xml package from python-libs package

+*   Thu Oct 29 2015 Mahmoud Bassiouny <mbassiouny@vmware.com> 2.7.9-4

+-   Seperate python-xml package from python-libs package

-*	Fri Jun 19 2015 Alexey Makhalov <amakhalov@vmware.com> 2.7.9-3

--	Provide /bin/python

+*   Fri Jun 19 2015 Alexey Makhalov <amakhalov@vmware.com> 2.7.9-3

+-   Provide /bin/python

-*	Wed Jun 3 2015 Divya Thaluru <dthaluru@vmware.com> 2.7.9-2

--	Adding coreutils package to run time required package

+*   Wed Jun 3 2015 Divya Thaluru <dthaluru@vmware.com> 2.7.9-2

+-   Adding coreutils package to run time required package

-*	Mon Apr 6 2015 Divya Thaluru <dthaluru@vmware.com> 2.7.9-1

--	Initial build.	First version

+*   Mon Apr 6 2015 Divya Thaluru <dthaluru@vmware.com> 2.7.9-1

+-   Initial build.	First version