From Dan Kenigsberg <danken(a)redhat.com>:
Dan Kenigsberg has posted comments on this change.
Change subject: ssl: client cert check for IPv4 mapped addresses
......................................................................
Patch Set 9:
(3 comments)
https://gerrit.ovirt.org/#/c/76197/9/lib/vdsm/sslutils.py
File lib/vdsm/sslutils.py:
PS9, Line 255: [0]
unrelated, but we should replace this with
return any(cert_common_name.lower() == hostname.lower() for hostname in
socket.gethostbyaddr(src_addr))
to allow hosts with multiple names.
Line 254: return (cert_common_name.lower() ==
Line 255: socket.gethostbyaddr(src_addr)[0].lower())
Line 256:
Line 257: @staticmethod
Line 258: def _ip_address_normalization(addr):
nit: functions should better be named as verbs, e.g. normalize_ip_address, not nouns.
Line 259: """
Line 260: When we used mapped ipv4 (starting with ::FFFF/96) we need to
Line 261: normalize it to ipv4 in order to compare it with value used
Line 262: in commonName in the certificate.
Line 265: ip = IPAddress(addr)
Line 266: if ip.is_ipv4_mapped():
Line 267: addr = str(ip.ipv4())
Line 268: except AddrFormatError:
Line 269: # used name not address
this applies only to cert_common_name, never to src_name.
I think this exception-handling should be taken to compare_names, which should run
return (cert_common_name.lower() ==
socket.gethostbyaddr(src_addr)[0].lower())
in the "except" clause.
Line 270: pass
Line 271:
Line 272: return addr
Line 273:
--
To view, visit
https://gerrit.ovirt.org/76197
To unsubscribe, visit
https://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: Ic012664db7181ab703ec4de53a0ba7c225bb73f9
Gerrit-PatchSet: 9
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Piotr Kliczewski <piotr.kliczewski(a)gmail.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Edward Haas <edwardh(a)redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Piotr Kliczewski <piotr.kliczewski(a)gmail.com>
Gerrit-Reviewer: gerrit-hooks <automation(a)ovirt.org>
Gerrit-HasComments: Yes
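Putting the three review comments together, as an added example in Python that is not vdsm's own code: normalization is done with the standard-library ipaddress module in place of netaddr's IPAddress, the address-parse failure is handled inside compare_names and only for the commonName, and the hostname fallback accepts the primary name or any alias returned by the reverse lookup. The `resolver` parameter, `fake_gethostbyaddr` and the `_FAKE_PTR` table are assumptions introduced here so the example runs offline; treating an unresolvable peer as matching no name is likewise an assumption.

```python
import ipaddress
import socket


def normalize_ip_address(addr):
    """Return an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as its IPv4
    text form; any other valid address is returned in canonical form.
    Raises ValueError when addr is not an IP address at all (a hostname)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def compare_names(src_addr, cert_common_name, resolver=socket.gethostbyaddr):
    """True when the certificate's commonName identifies the peer address.

    src_addr is always an address (possibly IPv4-mapped); the commonName may
    be either an address or a hostname.  The resolver parameter is an
    assumption added so a lookup table can stand in for socket.gethostbyaddr."""
    src_addr = normalize_ip_address(src_addr)
    try:
        cn_addr = normalize_ip_address(cert_common_name)
    except ValueError:
        # commonName is a hostname: reverse-resolve the normalized address and
        # accept the primary name or any alias, case-insensitively.
        try:
            name, aliases, _ = resolver(src_addr)
        except socket.herror:
            return False  # assumption: an unresolvable peer matches no name
        return any(cert_common_name.lower() == h.lower()
                   for h in [name] + list(aliases))
    return cn_addr == src_addr


# Constructed reverse-lookup table standing in for DNS (example data only).
_FAKE_PTR = {
    "192.0.2.10": ("host1.example.com", ["h1.example.com"], ["192.0.2.10"]),
}


def fake_gethostbyaddr(addr):
    """Constructed stand-in for socket.gethostbyaddr with the same contract."""
    try:
        return _FAKE_PTR[addr]
    except KeyError:
        raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    print(compare_names("::ffff:192.0.2.10", "192.0.2.10", fake_gethostbyaddr))      # True
    print(compare_names("::ffff:192.0.2.10", "H1.Example.COM", fake_gethostbyaddr))  # True
    print(compare_names("192.0.2.10", "other.example.com", fake_gethostbyaddr))      # False
```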