[Bug 1771988] Re: certificate validation with IP address based SAN's fails

Robie Basak 1771988 at bugs.launchpad.net
Wed Aug 22 13:22:56 UTC 2018 

Hello James, or anyone else affected,

Accepted python-urllib3 into xenial-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/python-
urllib3/1.13.1-2ubuntu0.16.04.2 in a few hours, and then in the
-proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: python-urllib3 (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-xenial

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1771988

Title:
  certificate validation with IP address based SAN's fails

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  In Progress
Status in python-urllib3 package in Ubuntu:
  Fix Released
Status in python-urllib3 source package in Xenial:
  Fix Committed

Bug description:
  [Impact]
  Users of urllib3 are unable to securely access websites who's certificates use IP based subject alternative names;  this includes openstack client tooling which uses urllib3 via requests.

  [Test Case]
  Deploy and configure a server with TLS and an IP based SAN cert with a locally trusted CA.

  import urllib3

  http = urllib3.PoolManager()
  r = http.request('GET', 'https://192.168.1.2')

  will fail

  [Regression Potential]
  Cherry picked fix comes from a later urllib3 release which has tested fine for IP SAN usage in later OpenStack release deployments.

  [Original Bug Report]
  urllib3 fails to validate certificates with IP address based SAN's.

  Fixed upstream:
  https://github.com/urllib3/urllib3/commit/c74bd70c3a97e30f0560bee9b7fa1bfc767ebf0b

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1771988/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list