SSL verification fails with wildcard certs

Bug #1212463 reported by Brian Waldon on 2013-08-14
This bug affects 2 people
Affects: python-glanceclient
Importance: Undecided
Assigned to: Brian Waldon

Bug Description

Using python-glanceclient v0.10.0, I get the following error when talking to my SSL Glance endpoint using a wildcard cert:

$ glance image-list
00:03:30 Host "proxy.example.com" does not match x509 certificate contents: CommonName "*.example.com", subjectAltName "DNS:*.example.com, DNS:example.com"
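
The hostname check behind the error above, as an added example that is not python-glanceclient's code: it parses a subjectAltName string in the format the message prints and accepts a wildcard only for the single leftmost label of the requested host. All function and constant names are hypothetical, and the inputs are constructed from the messages in this report.

```python
# Added example: hypothetical helper names, not python-glanceclient code.

def parse_san_dns(san_text):
    """Return lower-cased DNS names from 'DNS:*.example.com, DNS:example.com'."""
    names = []
    for entry in san_text.split(','):
        kind, _, value = entry.strip().partition(':')
        if kind == 'DNS' and value:
            names.append(value.lower())
    return names


def name_matches(pattern, host):
    """Match host against one certificate name; '*' may only be the leftmost label."""
    pattern = pattern.lower().rstrip('.')
    host = host.lower().rstrip('.')
    if not pattern.startswith('*.'):
        return pattern == host
    suffix = pattern[2:]
    # The wildcard stands for exactly one non-empty label, so the HOST's
    # parent domain is what gets compared with the pattern's suffix.
    first_label, _, parent = host.partition('.')
    # Require a multi-label suffix so a pattern like '*.com' never matches.
    return (bool(first_label) and '.' in suffix
            and '*' not in suffix and parent == suffix)


def host_matches_cert(host, common_name, san_text):
    """Use SAN DNS entries when present, else fall back to the CommonName
    (the precedence RFC 6125 describes)."""
    san_names = parse_san_dns(san_text)
    candidates = san_names if san_names else [common_name]
    return any(name_matches(name, host) for name in candidates)


# Constructed inputs modelled on the error messages in this report.
CN = '*.example.com'
SAN_COM = 'DNS:*.example.com, DNS:example.com'
SAN_BOTH = ('DNS:*.example.com, DNS:example.com, '
            'DNS:*.example.org, DNS:example.org')

if __name__ == '__main__':
    for host, san in [('proxy.example.com', SAN_COM),
                      ('proxy.example.org', SAN_COM),
                      ('proxy.example.org', SAN_BOTH),
                      ('a.b.example.com', SAN_COM)]:
        print(host, host_matches_cert(host, CN, san))
```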

Reviewed: https://review.openstack.org/42022
Committed: http://github.com/openstack/python-glanceclient/commit/683e40fd31d791683e272555485b9eef1400752a
Submitter: Jenkins
Branch: master

commit 683e40fd31d791683e272555485b9eef1400752a
Author: Brian Waldon <email address hidden>
Date: Wed Aug 14 15:37:45 2013 -0700

    Allow single-wildcard SSL common name matching

    Fix bug 1212463

    Change-Id: I168601fd9847497c2261c77ce6c856bca187c6c8

Louis Taylor (kragniz) on 2014-09-12
Changed in python-glanceclient:
status: New → Fix Released

6meon (simeon-gourlin) wrote:

I have a similar problem on python-glanceclient 0.12.0, with a certificate where the wildcard is in "subjectAltName".

$ glance image-list
00:03:30 Host "proxy.example.org" does not match x509 certificate contents: CommonName "*.example.com", subjectAltName "DNS:*.example.com, DNS:example.com, DNS:*.example.org, DNS:example.org"

Small patch for this:
--- glanceclient/common/http.py.ori 2013-11-15 18:00:29.000000000 +0100
+++ glanceclient/common/http.py 2014-09-22 16:09:07.090590900 +0200
@@ -363,6 +363,9 @@
                 for san in ''.join(san_list.split()).split(','):
                     if san == "DNS:%s" % host:
                         return True
+ if san.startswith('DNS:*.') and san.find('.') > 0:
+ if san[6:] == san.split('.', 1)[1]:
+ return True

         # Server certificate does not match host
         msg = ('Host "%s" does not match x509 certificate contents: '
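
Review bot: In the added wildcard branch, the comparison `san[6:] == san.split('.', 1)[1]` never references `host`. Both sides are derived from `san`, so for any entry of the form `DNS:*.<domain>` they are equal and the function returns True for every hostname as soon as the certificate carries one wildcard SAN, which turns the hostname check off for such certificates. The right-hand side should come from the host instead, for example `host.split('.', 1)[1]`, guarded so that a host without a dot does not raise IndexError, and the wildcard should cover only the single leftmost label. The `san.find('.') > 0` test is also redundant once `san.startswith('DNS:*.')` has passed.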
