group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1771988] Re: certificate validation with IP address based SAN's fails

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: James Page <james.page@xxxxxxxxxx>
Date: Tue, 21 Aug 2018 06:00:09 -0000
Reply-to: Bug 1771988 <1771988@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Marking Newton task as Invalid as urllib3 does not form part of that UCA
pocket (uses version from Xenial).

** Changed in: cloud-archive/mitaka
       Status: Triaged => In Progress

** Changed in: cloud-archive/mitaka
     Assignee: (unassigned) => James Page (james-page)

** Description changed:

  [Impact]
  Users of urllib3 are unable to securely access websites who's certificates use IP based subject alternative names;  this includes openstack client tooling which uses urllib3 via requests.
  
  [Test Case]
  Deploy and configure a server with TLS and an IP based SAN cert with a locally trusted CA.
  
  import urllib3
-   
+ 
  http = urllib3.PoolManager()
  r = http.request('GET', 'https://192.168.1.2')
  
  will fail
- 
  
  [Regression Potential]
  Cherry picked fix comes from a later urllib3 release which has tested fine for IP SAN usage in later OpenStack release deployments.
  
  [Original Bug Report]
  urllib3 fails to validate certificates with IP address based SAN's.
  
  Fixed upstream:
  https://github.com/urllib3/urllib3/commit/c74bd70c3a97e30f0560bee9b7fa1bfc767ebf0b

** Changed in: cloud-archive/newton
       Status: Triaged => Invalid

** No longer affects: cloud-archive/newton

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1771988

Title:
  certificate validation with IP address based SAN's fails

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  In Progress
Status in python-urllib3 package in Ubuntu:
  Fix Released
Status in python-urllib3 source package in Xenial:
  In Progress

Bug description:
  [Impact]
  Users of urllib3 are unable to securely access websites who's certificates use IP based subject alternative names;  this includes openstack client tooling which uses urllib3 via requests.

  [Test Case]
  Deploy and configure a server with TLS and an IP based SAN cert with a locally trusted CA.

  import urllib3

  http = urllib3.PoolManager()
  r = http.request('GET', 'https://192.168.1.2')

  will fail

  [Regression Potential]
  Cherry picked fix comes from a later urllib3 release which has tested fine for IP SAN usage in later OpenStack release deployments.

  [Original Bug Report]
  urllib3 fails to validate certificates with IP address based SAN's.

  Fixed upstream:
  https://github.com/urllib3/urllib3/commit/c74bd70c3a97e30f0560bee9b7fa1bfc767ebf0b

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1771988/+subscriptions