[Python-modules-team] Bug#869896: backports.ssl-match-hostname should be removed for buster

[Felipe Sateler]

On Tue, Oct 2, 2018 at 4:22 PM Felipe Sateler <fsateler at debian.org> wrote:

> Hi Matthias, Ivo,
>
> On Sun, 30 Sep 2018 22:59:26 +0200 Ivo De Decker <ivodd at debian.org> wrote:
> > clone 869896 -1
> > retitle -1 remove unneeded dependency on backports.ssl-match-hostname
> > block 869896 by -1
> > clone -1 -2 -3 -4 -5
> > reassign -1 libcloud
> > reassign -2 python-docker
> > reassign -3 websocket-client
> > reassign -4 docker-compose
> > reassign -5 sagemath
> > thanks
>

Turns out the version of match_hostname in py2 does not accept ip addresses:

py2:
ssl.match_hostname = match_hostname(cert, hostname)
    Verify that *cert* (in decoded format as returned by
    SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
    rules are followed, but IP addresses are not accepted for *hostname*.

    CertificateError is raised on failure. On success, the function
    returns nothing.

py3
ssl.match_hostname = match_hostname(cert, hostname)
    Verify that *cert* (in decoded format as returned by
    SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
    rules are followed.

    The function matches IP addresses rather than dNSNames if hostname is a
    valid ipaddress string. IPv4 addresses are supported on all platforms.
    IPv6 addresses are supported on platforms with IPv6 support (AF_INET6
    and inet_pton).

    CertificateError is raised on failure. On success, the function
    returns nothing.

So, if python2 backport of match_hostname does not match behavior of
python3.5, I cannot drop the dependency. I have reverted the change and
reopened this bug.

I urge you to reconsider if the py2 version really needs to be dropped.

-- 

Saludos,
Felipe Sateler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/python-modules-team/attachments/20190111/c06a84cb/attachment.html>