Use ssl.match_hostname from urllib3 as it was removed from Python 3.12

Based on upstream freeipa rawhide patch by Miro Hrončok

See python/cpython#94224 (comment)

Fixes: https://pagure.io/freeipa/issue/9409

Signed-off-by: Rob Crittenden <[email protected]>

Author: hroncok

freeipa.spec.in

@@ -569,7 +569,7 @@ Requires: rpm-libs
 %if 0%{?rhel}
 Requires: python3-urllib3 >= 1.24.2-3
 %else
-Requires: python3-urllib3 >= 1.25.7
+Requires: python3-urllib3 >= 1.25.8
 %endif
 
 %description -n python3-ipaserver
@@ -896,6 +896,12 @@ Requires: platform-python-setuptools
 %else
 Requires: python3-setuptools
 %endif
+# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
+%if 0%{?rhel}
+Requires: python3-urllib3 >= 1.24.2-3
+%else
+Requires: python3-urllib3 >= 1.25.8
+%endif
 
 %description -n python3-ipalib
 IPA is an integrated solution to provide centrally managed Identity (users,

ipalib/x509.py

@@ -36,7 +36,6 @@
 import datetime
 import enum
 import ipaddress
-import ssl
 import base64
 import re
 
@@ -53,6 +52,11 @@
 from pyasn1_modules import rfc2315, rfc2459
 import six
 
+try:
+    from urllib3.util import ssl_match_hostname
+except ImportError:
+    from urllib3.packages import ssl_match_hostname
+
 from ipalib import errors
 from ipapython.dnsutil import DNSName
 
@@ -385,6 +389,7 @@ def san_a_label_dns_names(self):
         return result
 
     def match_hostname(self, hostname):
+        # The caller is expected to catch any exceptions
         match_cert = {}
 
         match_cert['subject'] = match_subject = []
@@ -401,8 +406,7 @@ def match_hostname(self, hostname):
             for value in values:
                 match_san.append(('DNS', value))
 
-        # deprecated in Python3.7 without replacement
-        ssl.match_hostname(  # pylint: disable=deprecated-method
+        ssl_match_hostname.match_hostname(
             match_cert, DNSName(hostname).ToASCII()
         )
 

ipaserver/install/cainstance.py

@@ -30,7 +30,6 @@
 import os
 import re
 import shutil
-import ssl
 import sys
 import syslog
 import time
@@ -2378,7 +2377,7 @@ def check_ipa_ca_san(cert):
 
     try:
         cert.match_hostname(expect)
-    except ssl.CertificateError:
+    except x509.ssl_match_hostname.CertificateError:
         raise errors.ValidationError(
             name='certificate',
             error='Does not have a \'{}\' SAN'.format(expect)

ipaserver/install/server/upgrade.py

@@ -12,7 +12,6 @@
 import glob
 import shutil
 import fileinput
-import ssl
 import stat
 import sys
 import tempfile
@@ -717,7 +716,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
 
     try:
         cert.match_hostname(expect)
-    except ssl.CertificateError:
+    except x509.ssl_match_hostname.CertificateError:
         if certs.is_ipa_issued_cert(api, cert):
             request_id = certmonger.get_request_id(
                 {'cert-file': paths.HTTPD_CERT_FILE})

ipasetup.py.in

@@ -79,6 +79,7 @@ PACKAGE_VERSION = {
     'python-ldap': 'python-ldap >= 3.0.0',
     'python-yubico': 'python-yubico >= 1.2.3',
     'qrcode': 'qrcode >= 5.0',
+    'urllib3': 'urllib3 >= 1.25.8',
 }