follow-up: THRIFT-3599 Validate client IP address against cert's SubjectAltName
Client: Python
Patch: Nobuaki Sukegawa
Fix required version of Python or dependency
This closes #914
diff --git a/lib/py/requirements.txt b/lib/py/requirements.txt
index 7cf8b31..2254a28 100644
--- a/lib/py/requirements.txt
+++ b/lib/py/requirements.txt
@@ -1,3 +1,3 @@
six
-backports.ssl_match_hostname
+backports.ssl_match_hostname >= 3.5
ipaddress
diff --git a/lib/py/src/transport/TSSLSocket.py b/lib/py/src/transport/TSSLSocket.py
index e57a0d4..12bc356 100644
--- a/lib/py/src/transport/TSSLSocket.py
+++ b/lib/py/src/transport/TSSLSocket.py
@@ -385,8 +385,8 @@
self._validate_callback(client.peercert, addr[0])
client.is_valid = True
except Exception:
- logger.warn('Failed to validate client certificate address',
- exc_info=True)
+ logger.warn('Failed to validate client certificate address: %s',
+ addr[0], exc_info=True)
client.close()
plain_client.close()
return None
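Review bot: The rewritten call on the new side still uses `logger.warn`, which is a deprecated alias in the standard `logging` module. Since these two lines are being touched anyway, they could become `logger.warning('Failed to validate client certificate address: %s', addr[0], exc_info=True)`. Passing `addr[0]` as a lazy `%s` argument rather than formatting it into the message is the right form and should be kept. The handler closes both sockets and returns `None` on any exception, so validation fails closed. The enclosing `try` starts outside this hunk, so what else the broad `except Exception` covers cannot be checked from here.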
diff --git a/lib/py/src/transport/sslcompat.py b/lib/py/src/transport/sslcompat.py
index 2d778d2..19cfaca 100644
--- a/lib/py/src/transport/sslcompat.py
+++ b/lib/py/src/transport/sslcompat.py
@@ -17,6 +17,8 @@
# under the License.
#
+import sys
+
from thrift.transport.TTransport import TTransportException
@@ -69,9 +71,10 @@
from backports.ssl_match_hostname import match_hostname
_match_hostname = match_hostname
except ImportError:
+ if sys.hexversion < 0x030500F0:
+ _match_has_ipaddress = False
try:
from ssl import match_hostname
_match_hostname = match_hostname
except ImportError:
_match_hostname = legacy_validate_callback
- _match_has_ipaddress = False
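Review bot: After this change `_match_has_ipaddress` is cleared only under the `sys.hexversion < 0x030500F0` guard, so the inner `except ImportError` branch that installs `legacy_validate_callback` leaves the flag at whatever value it had before the hunk. Indentation is lost on this page, so I cannot tell whether the removed assignment sat inside that branch. If `from ssl import match_hostname` can fail on an interpreter at or above 3.5, callers would be told that IP SubjectAltName matching is available while the legacy callback performs the check. Adding `_match_has_ipaddress = False` next to `_match_hostname = legacy_validate_callback` keeps the flag conservative in that case. A short comment on the guard, such as `# ssl.match_hostname only matches IP SANs from Python 3.5 on`, would explain the constant. `sys.version_info < (3, 5)` would read more plainly than the hex literal, though it treats 3.5 pre-releases differently from the hex comparison. The enclosing `try` starts outside the hunk.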