[python-glanceclient/f19] Updated patches from f19-patches
Jakub Ruzicka
jruzicka at fedoraproject.org
Tue Aug 13 19:44:40 UTC 2013
commit d04d240acc138954a5fa87abad03a8e52dd0bc35
Author: Jakub Ruzicka <jruzicka at redhat.com>
Date: Tue Aug 13 21:21:54 2013 +0200
Updated patches from f19-patches
0004-Fix-SSL-certificate-CNAME-checking.patch | 133 +++++++++++++++++++++++++
python-glanceclient.spec | 2 +
2 files changed, 135 insertions(+), 0 deletions(-)
---
diff --git a/0004-Fix-SSL-certificate-CNAME-checking.patch b/0004-Fix-SSL-certificate-CNAME-checking.patch
new file mode 100644
index 0000000..0e1f30e
--- /dev/null
+++ b/0004-Fix-SSL-certificate-CNAME-checking.patch
@@ -0,0 +1,133 @@
+From a85c6968b2c9ac652a66460ea4ed200268555761 Mon Sep 17 00:00:00 2001
+From: Thomas Leaman <thomas.leaman at hp.com>
+Date: Tue, 18 Jun 2013 15:34:45 +0000
+Subject: [PATCH] Fix SSL certificate CNAME checking
+
+Currently, accessing a host via ip address will pass SSL verification;
+the CNAME is not checked as intended as part of verify_callback.
+
+'preverify_ok is True' will always return false (int/bool comparison).
+preverify_ok will be 1 if preverification has passed.
+
+Fixes bug 1192229
+
+Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f
+(cherry picked from commit 822cd64c0718b46a065abbb8709f6b466d12e708)
+---
+ glanceclient/common/http.py | 4 ++-
+ tests/test_ssl.py | 61 +++++++++++++++++++++++++++++++++++++++------
+ 2 files changed, 56 insertions(+), 9 deletions(-)
+
+diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py
+index 7146ace..4401e82 100644
+--- a/glanceclient/common/http.py
++++ b/glanceclient/common/http.py
+@@ -317,11 +317,13 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
+
+ def verify_callback(self, connection, x509, errnum,
+ depth, preverify_ok):
++ # NOTE(leaman): preverify_ok may be a non-boolean type
++ preverify_ok = bool(preverify_ok)
+ if x509.has_expired():
+ msg = "SSL Certificate expired on '%s'" % x509.get_notAfter()
+ raise exc.SSLCertificateError(msg)
+
+- if depth == 0 and preverify_ok is True:
++ if depth == 0 and preverify_ok:
+ # We verify that the host matches against the last
+ # certificate in the chain
+ return self.host_matches_cert(self.host, x509)
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 8ee179f..feb165c 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -125,8 +125,8 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
+ self.assertEqual(cert.get_subject().commonName, '0.0.0.0')
+ try:
+ conn = http.VerifiedHTTPSConnection('0.0.0.0', 0)
+- conn.verify_callback(None, cert, 0, 0, True)
+- except:
++ conn.verify_callback(None, cert, 0, 0, 1)
++ except Exception:
+ self.fail('Unexpected exception.')
+
+ def test_ssl_cert_subject_alt_name(self):
+@@ -140,14 +140,14 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
+ self.assertEqual(cert.get_subject().commonName, '0.0.0.0')
+ try:
+ conn = http.VerifiedHTTPSConnection('alt1.example.com', 0)
+- conn.verify_callback(None, cert, 0, 0, True)
+- except:
++ conn.verify_callback(None, cert, 0, 0, 1)
++ except Exception:
+ self.fail('Unexpected exception.')
+
+ try:
+ conn = http.VerifiedHTTPSConnection('alt2.example.com', 0)
+- conn.verify_callback(None, cert, 0, 0, True)
+- except:
++ conn.verify_callback(None, cert, 0, 0, 1)
++ except Exception:
+ self.fail('Unexpected exception.')
+
+ def test_ssl_cert_mismatch(self):
+@@ -165,7 +165,7 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
+ self.fail('Failed to init VerifiedHTTPSConnection.')
+
+ self.assertRaises(exc.SSLCertificateError,
+- conn.verify_callback, None, cert, 0, 0, True)
++ conn.verify_callback, None, cert, 0, 0, 1)
+
+ def test_ssl_expired_cert(self):
+ """
+@@ -183,4 +183,49 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
+ self.fail('Failed to init VerifiedHTTPSConnection.')
+
+ self.assertRaises(exc.SSLCertificateError,
+- conn.verify_callback, None, cert, 0, 0, True)
++ conn.verify_callback, None, cert, 0, 0, 1)
++
++ def test_ssl_broken_key_file(self):
++ """
++ Test verify exception is raised.
++ """
++ cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
++ cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
++ key_file = 'fake.key'
++ self.assertRaises(
++ exc.SSLConfigurationError,
++ http.VerifiedHTTPSConnection, '127.0.0.1',
++ 0, key_file=key_file,
++ cert_file=cert_file, cacert=cacert)
++
++ def test_ssl_init_ok_with_insecure_true(self):
++ """
++ Test VerifiedHTTPSConnection class init
++ """
++ key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
++ cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
++ cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
++ try:
++ conn = http.VerifiedHTTPSConnection(
++ '127.0.0.1', 0,
++ key_file=key_file,
++ cert_file=cert_file,
++ cacert=cacert, insecure=True)
++ except exc.SSLConfigurationError:
++ self.fail('Failed to init VerifiedHTTPSConnection.')
++
++ def test_ssl_init_ok_with_ssl_compression_false(self):
++ """
++ Test VerifiedHTTPSConnection class init
++ """
++ key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
++ cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
++ cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
++ try:
++ conn = http.VerifiedHTTPSConnection(
++ '127.0.0.1', 0,
++ key_file=key_file,
++ cert_file=cert_file,
++ cacert=cacert, ssl_compression=False)
++ except exc.SSLConfigurationError:
++ self.fail('Failed to init VerifiedHTTPSConnection.')
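Review bot: The positive-path tests in tests/test_ssl.py (the three `conn.verify_callback(None, cert, 0, 0, 1)` calls wrapped in `try`/`except Exception`) discard the callback's return value, so they pass whenever nothing is raised, even if the hostname check signalled failure with a falsy return. The fixed branch in `verify_callback` does `return self.host_matches_cert(self.host, x509)`, and that result is what the TLS layer acts on, so I would assert it: `self.assertTrue(conn.verify_callback(None, cert, 0, 0, 1))`. No test passes `0` for `preverify_ok` at depth 0 either. With a certificate that is unexpired and matches the host, `self.assertFalse(conn.verify_callback(None, cert, 0, 0, 0))` would pin that a failed chain verification is never turned into an accept by a hostname match. The rest of `verify_callback` lies outside the hunk, so this assumes the fall-through path hands the preverify result back unchanged.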
diff --git a/python-glanceclient.spec b/python-glanceclient.spec
index b52b364..60fd353 100644
--- a/python-glanceclient.spec
+++ b/python-glanceclient.spec
@@ -15,6 +15,7 @@ Source0: https://pypi.python.org/packages/source/p/%{name}/%{name}-%{ve
Patch0001: 0001-Fix-problem-running-glance-version.patch
Patch0002: 0002-Fix-glance-add-parsing-of-copy_from-option.patch
Patch0003: 0003-bug-1166263-image-update-handling-for-closed-stdin.patch
+Patch0004: 0004-Fix-SSL-certificate-CNAME-checking.patch
BuildArch: noarch
BuildRequires: python-setuptools
@@ -37,6 +38,7 @@ glanceclient module), and a command-line script (glance). Each implements
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
+%patch0004 -p1
# Remove bundled egg-info
rm -rf python_glanceclient.egg-info