Change in vdsm[master]: ssl: client cert check for IPv4 mapped addresses

Monday, 1 May 2017

From Dan Kenigsberg <danken(a)redhat.com&gt;:

Dan Kenigsberg has posted comments on this change.

Change subject: ssl: client cert check for IPv4 mapped addresses
......................................................................

Patch Set 9:

(3 comments)

https://gerrit.ovirt.org/#/c/76197/9/lib/vdsm/sslutils.py
File lib/vdsm/sslutils.py:

PS9, Line 255: [0]
unrelated, but we should replace this with

  return any(cert_common_name.lower() == hostname.lower() for hostname in
socket.gethostbyaddr(src_addr))

to allow hosts with multiple names.

Line 254:             return (cert_common_name.lower() ==
Line 255:                     socket.gethostbyaddr(src_addr)[0].lower())
Line 256: 
Line 257:     @staticmethod
Line 258:     def _ip_address_normalization(addr):
nit: functions should better be named as verbs, e.g. normalize_ip_address, not nouns.
Line 259:         """
Line 260:         When we used mapped ipv4 (starting with ::FFFF/96) we need to
Line 261:         normalize it to ipv4 in order to compare it with value used
Line 262:         in commonName in the certificate.

Line 265:             ip = IPAddress(addr)
Line 266:             if ip.is_ipv4_mapped():
Line 267:                 addr = str(ip.ipv4())
Line 268:         except AddrFormatError:
Line 269:             # used name not address
this applies only to cert_common_name, never to src_name.

I think this exception-andling should be taken to compare_names, which should run

 return (cert_common_name.lower() ==
         socket.gethostbyaddr(src_addr)[0].lower())

in the "except" clause.
Line 270:             pass
Line 271: 
Line 272:         return addr
Line 273: 

-- 
To view, visit https://gerrit.ovirt.org/76197
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ic012664db7181ab703ec4de53a0ba7c225bb73f9
Gerrit-PatchSet: 9
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Piotr Kliczewski <piotr.kliczewski(a)gmail.com&gt;
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com&gt;
Gerrit-Reviewer: Edward Haas <edwardh(a)redhat.com&gt;
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Piotr Kliczewski <piotr.kliczewski(a)gmail.com&gt;
Gerrit-Reviewer: gerrit-hooks <automation(a)ovirt.org&gt;
Gerrit-HasComments: Yes

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011