Control: severity 909974 important

On Fri, Jan 11, 2019 at 10:15 AM Felipe Sateler <fsate...@debian.org> wrote:

>
>
> On Tue, Oct 2, 2018 at 4:22 PM Felipe Sateler <fsate...@debian.org> wrote:
>
>> Hi Matthias, Ivo,
>>
>> On Sun, 30 Sep 2018 22:59:26 +0200 Ivo De Decker <iv...@debian.org>
>> wrote:
>> > clone 869896 -1
>> > retitle -1 remove unneeded dependency on backports.ssl-match-hostname
>> > block 869896 by -1
>> > clone -1 -2 -3 -4 -5
>> > reassign -1 libcloud
>> > reassign -2 python-docker
>> > reassign -3 websocket-client
>> > reassign -4 docker-compose
>> > reassign -5 sagemath
>> > thanks
>> >
>
> Turns out the version of match_hostname in py2 does not accept ip
> addresses:
>
> py2:
> ssl.match_hostname = match_hostname(cert, hostname)
> Verify that *cert* (in decoded format as returned by
> SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
> rules are followed, but IP addresses are not accepted for *hostname*.
>
> CertificateError is raised on failure. On success, the function
> returns nothing.
>
> py3
> ssl.match_hostname = match_hostname(cert, hostname)
> Verify that *cert* (in decoded format as returned by
> SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
> rules are followed.
>
> The function matches IP addresses rather than dNSNames if hostname is a
> valid ipaddress string. IPv4 addresses are supported on all platforms.
> IPv6 addresses are supported on platforms with IPv6 support (AF_INET6
> and inet_pton).
>
> CertificateError is raised on failure. On success, the function
> returns nothing.
>
> So, if python2 backport of match_hostname does not match behavior of
> python3.5, I cannot drop the dependency. I have reverted the change and
> reopened this bug.
>
> I urge you to reconsider if the py2 version really needs to be dropped.
>
> I'm downgrading severity to prevent autoremoval.

I don't think ssl-match-hostname can be dropped from buster.

-- 
Saludos,
Felipe Sateler
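
An added example, not part of the thread and not the standard library's code: a simplified model of the two behaviours the quoted docstrings describe, run against a constructed getpeercert()-style dict. The function names and the sample certificate are assumptions; wildcard and commonName handling are left out.

```python
import ipaddress


class CertificateError(ValueError):
    """Raised when the certificate does not cover the requested host."""


def _san(cert, kind):
    # getpeercert() exposes subjectAltName as a tuple of (type, value) pairs.
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def match_dns_only(cert, hostname):
    """Model of the py2 docstring: only dNSName entries are consulted."""
    names = _san(cert, "DNS")
    if hostname.lower() in (n.lower() for n in names):
        return
    raise CertificateError("%r not in DNS names %r" % (hostname, names))


def match_ip_aware(cert, hostname):
    """Model of the py3 docstring: an IP literal is matched against
    'IP Address' entries rather than dNSNames."""
    try:
        wanted = ipaddress.ip_address(hostname)
    except ValueError:
        return match_dns_only(cert, hostname)  # not an IP literal
    ips = _san(cert, "IP Address")
    # Compare parsed addresses so different IPv6 spellings still match.
    if any(ipaddress.ip_address(ip) == wanted for ip in ips):
        return
    raise CertificateError("%r not in IP addresses %r" % (hostname, ips))


def accepts(matcher, cert, hostname):
    """True if the matcher returns without raising CertificateError."""
    try:
        matcher(cert, hostname)
        return True
    except CertificateError:
        return False


# Constructed sample certificate (documentation address ranges).
CERT = {
    "subject": ((("commonName", "registry.example"),),),
    "subjectAltName": (("DNS", "registry.example"),
                       ("IP Address", "192.0.2.10"),
                       ("IP Address", "2001:DB8:0:0:0:0:0:1")),
}
```

A client that connects by IP address to a service whose certificate lists that address only as an IP Address SAN passes the second matcher and fails the first, which is the gap described in the quoted message.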