From Dan Kenigsberg <danken(a)redhat.com>:
Dan Kenigsberg has posted comments on this change.
Change subject: ssl: client cert check for IPv4 mapped addresses
......................................................................
Patch Set 5: Code-Review+1
(1 comment)
https://gerrit.ovirt.org/#/c/76197/5/tests/ssl_test.py
File tests/ssl_test.py:
Line 300: '10.0.0.1', 'example.com'))
Line 301:
Line 302: def test_mapped_address(self):
Line 303: self.assertTrue(SSLHandshakeDispatcher.compare_names(
Line 304: '::ffff:127.0.0.1', '127.0.0.1'))
Aha. But what if it is the other way around, and the certificate is produced with an
IPv6-mapped IPv4 address?
We have to canonize both before we do the comparison. Still, this patch is a step forward.
Line 305:
Line 306: @mock.patch('vdsm.sslutils.socket.gethostbyaddr', return_value=(
Line 307: 'evil.imposter.com', [], ['11.0.0.1']))
Line 308: def test_imposter(self, mock_gethostbyaddr):
--
To view, visit
https://gerrit.ovirt.org/76197
Gerrit-MessageType: comment
Gerrit-Change-Id: Ic012664db7181ab703ec4de53a0ba7c225bb73f9
Gerrit-PatchSet: 5
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Piotr Kliczewski <piotr.kliczewski(a)gmail.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Edward Haas <edwardh(a)redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Piotr Kliczewski <piotr.kliczewski(a)gmail.com>
Gerrit-Reviewer: gerrit-hooks <automation(a)ovirt.org>
Gerrit-HasComments: Yes
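
The review comment's point about canonicalizing both values before comparing them, as an added example that is not part of the original review or of vdsm's code. `canonical_ip` and `names_match` are hypothetical names, and the case-insensitive hostname fallback is an assumption made for illustration.

```python
import ipaddress


def canonical_ip(value):
    """Return a canonical address object for an IP literal, or None otherwise."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None  # not an IP literal (e.g. a DNS name)
    # Unwrap ::ffff:a.b.c.d so it compares equal to plain a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def names_match(peer_addr, cert_name):
    """Compare a peer address with a certificate name, canonicalizing BOTH sides.

    Hypothetical helper: it does not matter which side carries the
    IPv4-mapped form, because each is normalized before the comparison.
    """
    peer_ip = canonical_ip(peer_addr)
    cert_ip = canonical_ip(cert_name)
    if peer_ip is not None and cert_ip is not None:
        return peer_ip == cert_ip
    if peer_ip is None and cert_ip is None:
        # Assumption: plain host names are compared case-insensitively.
        return peer_addr.strip().lower() == cert_name.strip().lower()
    return False  # an IP literal never matches a host name here


# Constructed sample pairs: (peer address, name from certificate)
SAMPLES = [
    ("::ffff:127.0.0.1", "127.0.0.1"),       # mapped form on the peer side
    ("127.0.0.1", "::ffff:127.0.0.1"),       # mapped form in the certificate
    ("127.0.0.1", "0:0:0:0:0:ffff:7f00:1"),  # same mapping, different spelling
    ("::ffff:10.0.0.1", "10.0.0.2"),         # different hosts must not match
    ("10.0.0.1", "example.com"),             # IP literal versus host name
]

if __name__ == "__main__":
    for peer, name in SAMPLES:
        print(f"{peer!r:28} {name!r:28} -> {names_match(peer, name)}")
```
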