SSL verification fails with wildcard certs

Bug #1212463 reported by Brian Waldon
This bug affects 2 people
Affects: Glance Client
Status: Fix Released
Importance: Undecided
Assigned to: Brian Waldon

Bug Description

Using python-glanceclient v0.10.0, I get the following error when talking to my SSL Glance endpoint using a wildcard cert:

$ glance image-list
00:03:30 Host "proxy.example.com" does not match x509 certificate contents: CommonName "*.example.com", subjectAltName "DNS:*.example.com, DNS:example.com"

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-glanceclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/42022

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-glanceclient (master)

Reviewed: https://review.openstack.org/42022
Committed: http://github.com/openstack/python-glanceclient/commit/683e40fd31d791683e272555485b9eef1400752a
Submitter: Jenkins
Branch: master

commit 683e40fd31d791683e272555485b9eef1400752a
Author: Brian Waldon <email address hidden>
Date: Wed Aug 14 15:37:45 2013 -0700

    Allow single-wildcard SSL common name matching

    Fix bug 1212463

    Change-Id: I168601fd9847497c2261c77ce6c856bca187c6c8

Louis Taylor (kragniz)
Changed in python-glanceclient:
status: New → Fix Released
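
The single-wildcard rule named in the commit above, as an added example that is not python-glanceclient's code. The function names and sample values are hypothetical, the SAN string uses the text form shown in the error message, and the CommonName fallback only when no DNS SAN is present follows RFC 6125 rather than anything stated on this page.

```python
def dns_name_matches(pattern, host):
    """Return True if a certificate DNS name covers host.

    A leading "*." stands for exactly one left-most label, so
    "*.example.com" covers "proxy.example.com" but neither
    "example.com" nor "a.b.example.com".
    """
    pattern = pattern.lower().rstrip('.')
    host = host.lower().rstrip('.')
    if not pattern.startswith('*.'):
        return pattern == host
    suffix = pattern[2:]
    # Refuse wildcards in any other position and bare "*.com"-style names.
    if '*' in suffix or '.' not in suffix:
        return False
    # Compare the requested host, minus its first label, with the suffix.
    label, sep, rest = host.partition('.')
    return bool(label) and sep == '.' and rest == suffix


def host_matches_cert(host, common_name, san_list):
    """Check host against the DNS SANs, falling back to CommonName."""
    dns_names = [san[4:] for san in ''.join(san_list.split()).split(',')
                 if san.startswith('DNS:')]
    if dns_names:
        # DNS SANs take precedence over CommonName (RFC 6125).
        return any(dns_name_matches(name, host) for name in dns_names)
    return dns_name_matches(common_name, host)


# Constructed sample certificate fields for the demo below.
SAMPLE_CN = "*.example.com"
SAMPLE_SAN = ("DNS:*.example.com, DNS:example.com, "
              "DNS:*.example.org, DNS:example.org")

if __name__ == "__main__":
    for name in ("proxy.example.com", "proxy.example.org",
                 "a.b.example.com", "proxy.example.net"):
        print(name, host_matches_cert(name, SAMPLE_CN, SAMPLE_SAN))
```

The decision always depends on the requested host: a wildcard entry is accepted only when the host, minus its first label, equals the part of the certificate name after `*.`.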
6meon (simeon-gourlin) wrote :

I have a similar problem on python-glanceclient 0.12.0, with a certificate where the wildcard is in "subjectAltName".

$ glance image-list
00:03:30 Host "proxy.example.org" does not match x509 certificate contents: CommonName "*.example.com", subjectAltName "DNS:*.example.com, DNS:example.com, DNS:*.example.org, DNS:example.org"

Small patch for this:
--- glanceclient/common/http.py.ori 2013-11-15 18:00:29.000000000 +0100
+++ glanceclient/common/http.py 2014-09-22 16:09:07.090590900 +0200
@@ -363,6 +363,9 @@
                 for san in ''.join(san_list.split()).split(','):
                     if san == "DNS:%s" % host:
                         return True
+ if san.startswith('DNS:*.') and san.find('.') > 0:
+ if san[6:] == san.split('.', 1)[1]:
+ return True

         # Server certificate does not match host
         msg = ('Host "%s" does not match x509 certificate contents: '
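
Review bot: The added wildcard branch never looks at `host`. For any SAN that starts with `DNS:*.`, `san[6:]` and `san.split('.', 1)[1]` are the same substring, so `if san[6:] == san.split('.', 1)[1]:` is always true and the function returns True for every hostname as soon as the certificate carries any wildcard SAN. The right-hand side should be derived from the requested name, for example `host.split('.', 1)[1]` guarded by a check that `host` contains a dot, so that `*.example.org` covers exactly one left-most label. `san.find('.') > 0` is also redundant after the `startswith('DNS:*.')` test, and the three added lines have lost their indentation relative to the surrounding `for` body.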
