From 9a543a81acb808e4275765da7ff0f613109b6603 Mon Sep 17 00:00:00 2001
From: aojeagarcia
Date: Fri, 28 Sep 2018 08:55:49 +0200
Subject: [PATCH] Don't use ipv6 for DNS SAN fields with python3
Python2 match routines for x509 fields are broken and have to use the DNS field for ip addresses. The problem is that if you use ipv6 addresses in the DNS field, urllib3 fails when trying to encode it. Since python3 match routines for x509 fields are correct, this patch disables the hack for python3, encoding the ip address in the corresponding field only of the certificate.
Partial-Bug: #1794929
Depends-On: https://review.openstack.org/#/c/608468
Change-Id: I7b9cb15ccfa181648afb12be51ee48bed14f9156
Signed-off-by: aojeagarcia
---
 lib/tls | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/tls b/lib/tls
index e3ed3cc2ac..217f40e3a5 100644
--- a/lib/tls
+++ b/lib/tls
@@ -227,9 +227,13 @@ function init_CA {
 function init_cert {
 if [[ ! -r $DEVSTACK_CERT ]]; then
 if [[ -n "$TLS_IP" ]]; then
- # Lie to let incomplete match routines work
- # see https://bugs.python.org/issue23239
- TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
+ if python3_enabled; then
+ TLS_IP="IP:$TLS_IP"
+ else
+ # Lie to let incomplete match routines work with python2
+ # see https://bugs.python.org/issue23239
+ TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
+ fi
 fi
 make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
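Review bot: The new `python3_enabled` branch in `init_cert` drops the `DNS:` SAN entry without a comment, and it keys the certificate contents on the DevStack-wide toggle rather than on the interpreter of each client that will verify the certificate. If any service or test client still runs under python2 while `python3_enabled` is true (not visible from this hunk), its hostname matching would reject the IP-only certificate; that fails closed, but the cause would be hard to trace from the TLS error alone. I would add a comment above `TLS_IP="IP:$TLS_IP"`, such as `# python3 matches iPAddress SANs correctly; an IPv6 literal in a DNS SAN makes urllib3 fail to encode it`. In the `else` branch it is also worth noting that an IP literal in a dNSName entry is a python2-only workaround that strict verifiers may ignore. The body of `init_cert` continues past the end of the hunk.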