[Python-modules-team] Bug#869896: Bug#909974: backports.ssl-match-hostname should be removed for buster

Felipe Sateler fsateler at debian.org
Sat Jan 19 18:39:44 GMT 2019 

Control: severity 909974 important

On Fri, Jan 11, 2019 at 10:15 AM Felipe Sateler <fsateler at debian.org> wrote:

>
>
> On Tue, Oct 2, 2018 at 4:22 PM Felipe Sateler <fsateler at debian.org> wrote:
>
>> Hi Matthias, Ivo,
>>
>> On Sun, 30 Sep 2018 22:59:26 +0200 Ivo De Decker <ivodd at debian.org>
>> wrote:
>> > clone 869896 -1
>> > retitle -1 remove unneeded dependency on backports.ssl-match-hostname
>> > block 869896 by -1
>> > clone -1 -2 -3 -4 -5
>> > reassign -1 libcloud
>> > reassign -2 python-docker
>> > reassign -3 websocket-client
>> > reassign -4 docker-compose
>> > reassign -5 sagemath
>> > thanks
>>
>
> Turns out the version of match_hostname in py2 does not accept ip
> addresses:
>
> py2:
> ssl.match_hostname = match_hostname(cert, hostname)
>     Verify that *cert* (in decoded format as returned by
>     SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
>     rules are followed, but IP addresses are not accepted for *hostname*.
>
>     CertificateError is raised on failure. On success, the function
>     returns nothing.
>
> py3
> ssl.match_hostname = match_hostname(cert, hostname)
>     Verify that *cert* (in decoded format as returned by
>     SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
>     rules are followed.
>
>     The function matches IP addresses rather than dNSNames if hostname is a
>     valid ipaddress string. IPv4 addresses are supported on all platforms.
>     IPv6 addresses are supported on platforms with IPv6 support (AF_INET6
>     and inet_pton).
>
>     CertificateError is raised on failure. On success, the function
>     returns nothing.
>
> So, if python2 backport of match_hostname does not match behavior of
> python3.5, I cannot drop the dependency. I have reverted the change and
> reopened this bug.
>
> I urge you to reconsider if the py2 version really needs to be dropped.
>
>
I'm downgrading severity to prevent autoremoval. I don't think
ssl-match-hostname can be dropped from buster.
-- 

Saludos,
Felipe Sateler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/python-modules-team/attachments/20190119/74610b0f/attachment.html>

More information about the Python-modules-team mailing list