[Bug 1771988] Re: certificate validation with IP address based SAN's fails
Eric Desrochers
eric.desrochers at canonical.com
Tue Aug 28 17:05:53 UTC 2018
This has been brought to my attention by a user impacted by this bug:
"We tested the package in xenial-proposed and it worked great, thanks".
- Eric
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1771988
Title:
certificate validation with IP address based SAN's fails
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive mitaka series:
In Progress
Status in python-urllib3 package in Ubuntu:
Fix Released
Status in python-urllib3 source package in Xenial:
Fix Committed
Bug description:
[Impact]
Users of urllib3 are unable to securely access websites who's certificates use IP based subject alternative names; this includes openstack client tooling which uses urllib3 via requests.
[Test Case]
Deploy and configure a server with TLS and an IP based SAN cert with a locally trusted CA.
import urllib3
http = urllib3.PoolManager()
r = http.request('GET', 'https://192.168.1.2')
will fail
[Regression Potential]
Cherry picked fix comes from a later urllib3 release which has tested fine for IP SAN usage in later OpenStack release deployments.
[Original Bug Report]
urllib3 fails to validate certificates with IP address based SAN's.
Fixed upstream:
https://github.com/urllib3/urllib3/commit/c74bd70c3a97e30f0560bee9b7fa1bfc767ebf0b
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1771988/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list