#5068 backports.ssl_match_hostname should be optional
Closed: Fixed None Opened 9 years ago by carlgeorge.

Python 3.4's entire ssl module was backported to 2.7.9. FreeIPA should try to import match_hostname from the standard library ssl module first, then from backports.ssl_match_hostname if needed. I have created a patch to do this with a try/except block, and also add a macro to the spec file to toggle the requirement on or off.

https://www.python.org/downloads/release/python-279/


I see a problem here that on a system with python lower than 2.7.9 (F21), python-backports-ssl_match_hostname would not be pulled as the dependency will not be there.

Maybe it would be better to instead add

%if 0%{?fedora} >= 22
# ... do the new way with Python 2.7.9
%else
Requires: python-backports-ssl_match_hostname
%endif

With Python 2.7.9 and newer you don't need to check the hostname manually. You just have to use an SSLContext with the flag check_hostname=True. I wrote major parts of the code myself, that was backported to 2.7.9. Feel free to ask for advice.

{{{ipalib.plugins.otptoken}}} is the only module that uses Python's ssl module and therefore OpenSSL. I recommend using {{{ipapython.nsslib.NSSConnection}}} instead of {{{ipalib.plugins.otptoken.HTTPSConnection}}}. That way the dependency on backports.match_hostname can be removed as well.
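The two approaches discussed in this ticket side by side, as an added example that is not from the ticket or from FreeIPA's code: the import falls back from the standard library to backports.ssl_match_hostname, and on Python 2.7.9+/3.4+ an SSLContext with check_hostname=True makes the manual match_hostname call unnecessary. The function and hostname names are the author's own, not FreeIPA's.

```python
import socket
import ssl

# Prefer the standard-library function (Python 2.7.9+ / 3.2+); fall back to
# the backport on older interpreters. Python 3.12 removed ssl.match_hostname
# entirely, since SSLContext.check_hostname had made it redundant, so the last
# branch tolerates having neither.
try:
    from ssl import match_hostname, CertificateError
except ImportError:
    try:
        from backports.ssl_match_hostname import match_hostname, CertificateError
    except ImportError:
        match_hostname = None
        CertificateError = ssl.SSLError

# True when SSLContext can verify the hostname itself (2.7.9+ and 3.4+).
CONTEXT_CHECKS_HOSTNAME = hasattr(getattr(ssl, "SSLContext", None), "check_hostname")


def manual_check_available():
    """Whether a match_hostname implementation was importable."""
    return match_hostname is not None


def make_verifying_context(cafile=None):
    """The 2.7.9+ way: the context verifies chain and hostname itself."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # must be set before check_hostname
    ctx.check_hostname = True             # replaces the manual match_hostname
    return ctx


def cert_matches_hostname(cert, hostname):
    """The pre-2.7.9 way: check a getpeercert() dict by hand."""
    if match_hostname is None:
        raise RuntimeError("no match_hostname available; use check_hostname")
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


def open_verified_connection(host, port=443, cafile=None):
    """Connect with the context; fall back to the manual check only if needed."""
    ctx = make_verifying_context(cafile)
    tls = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not CONTEXT_CHECKS_HOSTNAME and not cert_matches_hostname(tls.getpeercert(), host):
        tls.close()
        raise CertificateError("hostname %r does not match certificate" % host)
    return tls
```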

I agree with Christian, it should use python-nss rather than PyOpenSSL for connectivity.

Ok, let us fix it in next stabilization release.

OK!

FYI I've posted a patch on the mailing list yesterday.

master:

  • 3c974c1 otptoken: use ipapython.nsslib instead of Python's ssl module

ipa-4-2:

  • 4fe3bd1 otptoken: use ipapython.nsslib instead of Python's ssl module

Metadata Update from @carlgeorge:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago
