Python 3.4's entire ssl module was backported to 2.7.9. FreeIPA should try to import match_hostname from the standard library ssl module first, then from backports.ssl_match_hostname if needed. I have created a patch to do this with a try/except block, and also add a macro to the spec file to toggle the requirement on or off.
https://www.python.org/downloads/release/python-279/
attachment freeipa-carlgeorge-0001-optional-backports.ssl_match_hostname.patch
I see a problem here that on a system with python lower than 2.7.9 (F21), python-backports-ssl_match_hostname would not be pulled as the dependency will not be there.
Maybe it would be better to instead add
{{{
%if 0%{?fedora} >= 22
... do the new way with Python 2.7.9
%else
Require python-backports-ssl_match_hostname
}}}
With Python 2.7.9 and newer you don't need to check the hostname manually. You just have to use an SSLContext with the flag check_hostname=True. I wrote major parts of the code myself, that was backported to 2.7.9. Feel free to ask for advice.
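The two approaches discussed in this ticket, the try/except import of match_hostname from the first comment and the SSLContext with check_hostname=True from the comment above, as an added example that is not FreeIPA's code or the patch under review. It picks whichever verification strategy the running interpreter offers, builds a context that enforces both certificate validation and hostname checking, and keeps a deliberately simplified SAN matcher (hypothetical helper, exact name or one left-most wildcard only, not a full RFC 6125 implementation) for interpreters that offer neither. The certificate dictionary and host names are constructed sample values.

```python
"""Hostname verification strategy selection for a TLS client (added example)."""
import socket
import ssl


def resolve_hostname_checker():
    """Return (strategy_name, checker) in order of preference.

    'sslcontext' means the interpreter has SSLContext.check_hostname, so the
    check happens inside the TLS handshake and no manual call is needed.
    Otherwise fall back to ssl.match_hostname (2.7.9+/3.2+, removed in 3.12)
    and then to the backports package; 'none' means neither is installed.
    """
    if hasattr(ssl, "SSLContext") and hasattr(ssl.SSLContext, "check_hostname"):
        return "sslcontext", None
    try:
        from ssl import match_hostname
        return "ssl.match_hostname", match_hostname
    except ImportError:
        pass
    try:
        from backports.ssl_match_hostname import match_hostname
        return "backports.ssl_match_hostname", match_hostname
    except ImportError:
        return "none", None


def make_verified_context(cafile=None):
    """Client context that requires a trusted chain and a matching hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # 2.7.9+ / 3.4+
    ctx.verify_mode = ssl.CERT_REQUIRED  # must be set before check_hostname
    ctx.check_hostname = True
    return ctx


def open_verified_connection(host, port=443, cafile=None, timeout=10):
    """Connect with hostname checking done by the context (needs network)."""
    ctx = make_verified_context(cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname drives both SNI and the check_hostname comparison.
    return ctx.wrap_socket(raw, server_hostname=host)


def _simple_match(cert, hostname):
    """Simplified matcher used only when no library checker exists (hypothetical).

    Uses dNSName SANs, falling back to the subject commonName when there are
    none; accepts an exact match or a single left-most wildcard label.
    """
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def hostname_in_cert(cert, hostname):
    """Manual post-handshake check; True if cert (a getpeercert() dict) matches."""
    strategy, checker = resolve_hostname_checker()
    if checker is None:
        return _simple_match(cert, hostname)
    try:
        checker(cert, hostname)  # raises CertificateError (a ValueError) on mismatch
        return True
    except ValueError:
        return False


# Constructed sample certificate dictionary in getpeercert() shape.
SAMPLE_CERT = {
    "subject": ((("commonName", "ipa.example.test"),),),
    "subjectAltName": (("DNS", "ipa.example.test"), ("DNS", "*.lab.example.test")),
}

if __name__ == "__main__":
    print("strategy:", resolve_hostname_checker()[0])
    print("ipa.example.test ->", hostname_in_cert(SAMPLE_CERT, "ipa.example.test"))
    print("evil.example.test ->", hostname_in_cert(SAMPLE_CERT, "evil.example.test"))
```

On any interpreter with SSLContext.check_hostname the manual path is never needed for a live connection: the handshake in open_verified_connection fails if the name does not match, which is the point of the comment above. hostname_in_cert only matters for the older interpreters the first comment's try/except targets.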
{{{ipalib.plugins.otptoken}}} is the only module that uses Python's ssl module and therefore OpenSSL. I recommend using {{{ipapython.nsslib.NSSConnection}}} instead of {{{ipalib.plugins.otptoken.HTTPSConnection}}}. That way the dependency on backports.match_hostname can be removed as well.
I agree with Christian, it should use python-nss rather than PyOpenSSL for connectivity.
Ok, let us fix it in next stabilization release.
OK!
FYI I've posted a patch on the mailing list yesterday.
master:
ipa-4-2:
Metadata Update from @carlgeorge: - Issue assigned to cheimes - Issue set to the milestone: FreeIPA 4.2.1