Use ssl.match_hostname from urllib3 as it was removed from Python 3.12

hroncok · rcritten · commit 1e14d78eefa8 · 2023-07-05T14:48:03.000-04:00
See https://pagure.io/freeipa/issue/9409 and python/cpython#94224 (comment)
diff --git a/ipalib/x509.py b/ipalib/x509.py
@@ -385,6 +385,8 @@ def san_a_label_dns_names(self):
         return result
 
     def match_hostname(self, hostname):
+        from urllib3.util import ssl_match_hostname
+
         match_cert = {}
 
         match_cert['subject'] = match_subject = []
@@ -401,8 +403,7 @@ def match_hostname(self, hostname):
             for value in values:
                 match_san.append(('DNS', value))
 
-        # deprecated in Python3.7 without replacement
-        ssl.match_hostname(  # pylint: disable=deprecated-method
+        ssl_match_hostname.match_hostname(
             match_cert, DNSName(hostname).ToASCII()
         )
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
@@ -2373,12 +2373,14 @@ def check_ipa_ca_san(cert):
 
     On success returns None, on failure raises ValidationError
     """
+    from urllib3.util import ssl_match_hostname
+
     expect = f'{ipalib.constants.IPA_CA_RECORD}.' \
              f'{ipautil.format_netloc(api.env.domain)}'
 
     try:
         cert.match_hostname(expect)
-    except ssl.CertificateError:
+    except ssl_match_hostname.CertificateError:
         raise errors.ValidationError(
             name='certificate',
             error='Does not have a \'{}\' SAN'.format(expect)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
@@ -710,14 +710,16 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
     steps.
 
     """
+    from urllib3.util import ssl_match_hostname
+
     logger.info('[Adding ipa-ca alias to HTTP certificate]')
 
     expect = f'{IPA_CA_RECORD}.{ipautil.format_netloc(api.env.domain)}'
     cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
 
     try:
         cert.match_hostname(expect)
-    except ssl.CertificateError:
+    except ssl_match_hostname.CertificateError:
         if certs.is_ipa_issued_cert(api, cert):
             request_id = certmonger.get_request_id(
                 {'cert-file': paths.HTTPD_CERT_FILE})
