Don't use ipv6 for DNS SAN fields with python3

Python2 match routines for x509 fields are broken and have to use
the DNS field for ip addresses.
The problem is that if you use ipv6 addresses in the DNS field,
urllib3 fails when trying to encode it.
Since python3 match routines for x509 fields are correct, this patch
disables the hack for python3, encoding the ip address in the
corresponding field only of the certificate.

Partial-Bug: #1794929
Depends-On: https://review.openstack.org/#/c/608468
Change-Id: I7b9cb15ccfa181648afb12be51ee48bed14f9156
Signed-off-by: aojeagarcia <aojeagarcia@suse.com>
diff --git a/lib/tls b/lib/tls
index e3ed3cc..217f40e 100644
--- a/lib/tls
+++ b/lib/tls
@@ -227,9 +227,13 @@
function init_cert {
if [[ ! -r $DEVSTACK_CERT ]]; then
if [[ -n "$TLS_IP" ]]; then
- # Lie to let incomplete match routines work
- # see https://bugs.python.org/issue23239
- TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
+ if python3_enabled; then
+ TLS_IP="IP:$TLS_IP"
+ else
+ # Lie to let incomplete match routines work with python2
+ # see https://bugs.python.org/issue23239
+ TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
+ fi
fi
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
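Review bot: the SAN choice in `init_cert` is made only inside `if [[ ! -r $DEVSTACK_CERT ]]`, so a readable certificate left over from an earlier python2 run keeps its `DNS:$TLS_IP` entry and is reused unchanged when `python3_enabled` is true. If that case matters, say in the commit message or a comment that the existing certificate has to be removed for the change to take effect, or regenerate it here when the SAN layout differs. The python3 branch (`TLS_IP="IP:$TLS_IP"`) also has no comment, while the python2 branch keeps its explanation; a one-line comment stating that the DNS entry is dropped because urllib3 fails to encode an IPv6 address in a DNS field would keep the reason next to the code. The SAN layout is tied to the interpreter selected at generation time, so it is worth noting that any python2 client validating this certificate later will not match on the IP address.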