certificate validation with IP address based SAN's fails
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu Cloud Archive |
Fix Released
|
Undecided
|
Unassigned | ||
Mitaka |
Fix Released
|
High
|
James Page | ||
python-urllib3 (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Xenial |
Fix Released
|
High
|
James Page |
Bug Description
[Impact]
Users of urllib3 are unable to securely access websites who's certificates use IP based subject alternative names; this includes openstack client tooling which uses urllib3 via requests.
[Test Case]
Deploy and configure a server with TLS and an IP based SAN cert with a locally trusted CA.
import urllib3
http = urllib3.
r = http.request('GET', 'https:/
will fail
[Regression Potential]
Cherry picked fix comes from a later urllib3 release which has tested fine for IP SAN usage in later OpenStack release deployments.
[Original Bug Report]
urllib3 fails to validate certificates with IP address based SAN's.
Fixed upstream: https:/
Changed in python-urllib3 (Ubuntu): | |
status: | New → Fix Released |
importance: | Undecided → High |
Changed in python-urllib3 (Ubuntu Xenial): | |
importance: | Undecided → High |
status: | New → Triaged |
Changed in cloud-archive: | |
status: | New → Fix Released |
description: | updated |
Changed in python-urllib3 (Ubuntu Xenial): | |
assignee: | nobody → James Page (james-page) |
status: | Triaged → Fix Released |
description: | updated |
Changed in python-urllib3 (Ubuntu Xenial): | |
status: | Fix Released → In Progress |
tags: | added: sts |
Affects OpenStack releases <= Newton
This spec can be used to verify: https:/ /github. com/openstack- charmers/ openstack- mojo-specs/ pull/13