ssl wildcard is not supported #124

Closed
bacnv opened this issue May 17, 2019 · 14 comments
Labels: bug (Something isn't working)
Milestone: Release 2.4.4

bacnv commented May 17, 2019

Describe the bug
I can't connect to RethinkDB using wildcard SSL

To Reproduce

  1. TODO
    Change the hostname at match_hostname to a wildcard and have an arg to check the wildcard

Expected behavior

match_hostname(self._socket.getpeercert(), hostname="*."+(self.host.split('.', 1)[-1]))

Screenshots
(screenshot not reproduced)

System info

  • OS: macOS Mojave 10.14.3
  • RethinkDB Version: 2.3.6
  • Python client version: 2.4.2.post1
bacnv added the labels "bug (Something isn't working)" and "not qualified (The issue is not checked yet by the owners)" on May 17, 2019
gabor-boros (Member) commented:

@bacnv Thank you for reporting the issue. I'll check this as soon as I can and I'll inform you of what I find.

gabor-boros (Member) commented:

@bacnv I'll try to fix this issue tomorrow

gabor-boros added this to the Release 2.4.4 milestone on Sep 7, 2019
gabor-boros (Member) commented:

@bacnv I'm really sorry! I was not able to get back to this issue until now. I made some changes at #140. Could you please confirm this resolves the issue?

gabor-boros removed the "not qualified (The issue is not checked yet by the owners)" label on Sep 7, 2019
gabor-boros (Member) commented:

#140 is merged. The changes will be deployed on Sept. 30. If you have any issue with wildcard certs using the latest master / newest package (after Sept. 30), please reopen this issue and ping me.

gabor-boros (Member) commented:

@bacnv based on @srh's recognition (#140 (comment)), could you please provide a stack trace for me, with what the hostname is and the output of self._socket.getpeercert() on your side? I think the original issue is that your CA cert is wrong.

Please note that I'll revert that change if the issue is on your side, because, as Sam mentioned, it should work; I also checked it again (I do not know what I checked in the past...) and it works.

>>> cert = {'subject': ((('commonName', '*.example.co.uk'),),)}
>>> ssl.match_hostname(cert, "www.example.co.uk")
>>>

bacnv (Author) commented Oct 31, 2019

I removed the old lib and re-installed it, then debugged again, and it passes with RethinkDB version 2.3.5 (I downgraded from 2.3.6 to 2.3.5 because of something) with Python client version 2.4.2.post1. Everything passes. I don't know why...
I'm so sorry for disturbing you :(

(screenshot not reproduced)

atomicules commented Oct 31, 2019

Hi. Stumbled across this issue. FWIW, I think 2.4.4 actually broke things:

2.4.3

/Users/me $ pip3.7 install --user rethinkdb==2.4.3
Requirement already satisfied: rethinkdb==2.4.3 in ./.local/lib/python3.7/site-packages (2.4.3)
Requirement already satisfied: six in ./.local/lib/python3.7/site-packages (from rethinkdb==2.4.3) (1.11.0)
/Users/me $ rlwrap python3.7                      
Python 3.7.0 (default, Oct  1 2018, 20:41:05) 
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from rethinkdb import RethinkDB
>>> r = RethinkDB()
>>> conn = r.connect(host='aws-eu-central-1-portal.0.dblayer.com',
... port=18079,
... auth_key='REDACTED',
... ssl={'ca_certs': 'ca.cert'})
>>> dbs=r.db_list().run(conn)
>>> print(dbs)  
['rethinkdb']

2.4.4

/Users/me $ pip3.7 install --user rethinkdb==2.4.4
Collecting rethinkdb==2.4.4
  Using cached https://files.pythonhosted.org/packages/79/c6/1938e2e1671052428b4ec8169afddf1c33d0bf226a503c3bb725abb7d8ee/rethinkdb-2.4.4-py2.py3-none-any.whl
Requirement already satisfied: six in ./.local/lib/python3.7/site-packages (from rethinkdb==2.4.4) (1.11.0)
Installing collected packages: rethinkdb
  Found existing installation: rethinkdb 2.4.3
    Uninstalling rethinkdb-2.4.3:
      Successfully uninstalled rethinkdb-2.4.3
Successfully installed rethinkdb-2.4.4
/Users/me $ rlwrap python3.7                      
Python 3.7.0 (default, Oct  1 2018, 20:41:05) 
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from rethinkdb import RethinkDB
>>> r = RethinkDB()
>>> conn = r.connect(host='aws-eu-central-1-portal.0.dblayer.com',
... port=18079,
... auth_key='REDACTED',
... ssl={'ca_certs': 'ca.cert'})
[Errno 9] Bad file descriptor
Traceback (most recent call last):
  File "/Users/me/.local/lib/python3.7/site-packages/rethinkdb/net.py", line 358, in __init__
    hostname=get_hostname_for_ssl_match(self.host)
  File "/opt/pkg/lib/python3.7/ssl.py", line 327, in match_hostname
    % (hostname, dnsnames[0]))
ssl.SSLCertVerificationError: ("hostname '*.0.dblayer.com' doesn't match 'aws-eu-central-1-portal.0.dblayer.com'",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 4, in <module>
  File "/Users/me/.local/lib/python3.7/site-packages/rethinkdb/__init__.py", line 85, in connect
    return self.make_connection(self.connection_type, *args, **kwargs)
  File "/Users/me/.local/lib/python3.7/site-packages/rethinkdb/net.py", line 739, in make_connection
    return conn.reconnect(timeout=timeout)
  File "/Users/me/.local/lib/python3.7/site-packages/rethinkdb/net.py", line 633, in reconnect
    return self._instance.connect(timeout)
  File "/Users/me/.local/lib/python3.7/site-packages/rethinkdb/net.py", line 491, in connect
    self._socket = SocketWrapper(self, timeout)
  File "/Users/me/.local/lib/python3.7/site-packages/rethinkdb/net.py", line 397, in __init__
    (self.host, self.port, str(ex)))
rethinkdb.errors.ReqlDriverError: Could not connect to aws-eu-central-1-portal.0.dblayer.com:18079. Error: ("hostname '*.0.dblayer.com' doesn't match 'aws-eu-central-1-portal.0.dblayer.com'",)

This is on:

  • macOS 10.15
  • python installed via pkgsrc
  • A Compose 2.3.6 RethinkDB
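
The REPL check in gabor-boros's comment above and this traceback together pin down the defect: ssl.match_hostname already applies the RFC 6125 wildcard rule on the certificate side, so a wildcard certificate needs no help from the driver, while the #140 rewrite replaced the hostname the client is connecting to with a derived pattern ("*." plus everything after the first label) and can therefore no longer match a certificate issued for the exact name. The following is an added example, not code from the rethinkdb driver or from anyone in this thread. It re-implements the leftmost-label wildcard rule the pre-3.12 standard library used (ssl.match_hostname is deprecated and was removed in Python 3.12), reconstructs the #140 rewrite as derived_wildcard() from the snippet in the original report and the hostname shown in the traceback (an assumption about what get_hostname_for_ssl_match did), and runs both the correct and the rewritten check against two constructed certificates in getpeercert() format. verifying_context() shows what a driver should do instead: let OpenSSL perform the name check through SSLContext.check_hostname, passing the real host as server_hostname.

```python
"""Hostname verification and the wildcard rewrite from #140, side by side.

Added example, not the rethinkdb driver's code. The matching rules follow the
pre-3.12 standard library (wildcard only as the whole leftmost label, covering
exactly one label); the certificate dicts below are constructed.
"""
import ssl


def _dnsname_match(dn, hostname):
    """Match one certificate DNS name (possibly a wildcard) against a hostname."""
    if not dn:
        return False
    wildcards = dn.count("*")
    if not wildcards:
        # Exact names compare case-insensitively; no pattern logic at all.
        return dn.lower() == hostname.lower()
    if wildcards > 1:
        raise ssl.CertificateError(f"too many wildcards in certificate DNS name: {dn!r}")
    dn_left, sep, dn_rest = dn.partition(".")
    # The wildcard must be the entire leftmost label ("*.example.com"):
    # never "*" alone, never "w*.example.com", never in a later label.
    if not sep or dn_left != "*" or "*" in dn_rest:
        raise ssl.CertificateError(f"unsupported wildcard form: {dn!r}")
    host_left, sep, host_rest = hostname.partition(".")
    if not host_left or not sep:
        return False
    # One wildcard covers exactly one label: *.example.com matches
    # www.example.com, but neither example.com nor a.b.example.com.
    return dn_rest.lower() == host_rest.lower()


def match_hostname(cert, hostname):
    """Raise ssl.CertificateError unless a SAN dNSName (or, when the cert has no
    DNS SANs, the subject CN) matches hostname. cert is a getpeercert() dict."""
    dnsnames = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            if _dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    if not dnsnames:  # the CN is only consulted when no DNS SAN is present
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if _dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    if not dnsnames:
        raise ssl.CertificateError("no appropriate subjectAltName or commonName found")
    raise ssl.CertificateError(
        f"hostname {hostname!r} doesn't match {', '.join(map(repr, dnsnames))}"
    )


def mismatch_message(cert, hostname):
    """The error text a failed check produces, or None when the name matches."""
    try:
        match_hostname(cert, hostname)
    except ssl.CertificateError as exc:
        return exc.args[0] if exc.args else str(exc)
    return None


def hostname_ok(cert, hostname):
    return mismatch_message(cert, hostname) is None


def derived_wildcard(host):
    """Assumed reconstruction of the #140 rewrite: drop the leftmost label of the
    host the client is connecting to and put '*' in its place."""
    return "*." + host.split(".", 1)[-1]


def compare_checks(cert, host):
    """(result with the real hostname, result with the rewritten hostname)."""
    return hostname_ok(cert, host), hostname_ok(cert, derived_wildcard(host))


def verifying_context(cafile=None):
    """What a driver should do instead of matching names by hand: let OpenSSL
    check the peer name. cafile is the CA bundle (the 'ca_certs' option in this
    thread); None falls back to the system trust store. Use it as
    ctx.wrap_socket(sock, server_hostname=host) with the real host, never a
    rewritten one."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed certificates in getpeercert() format: the wildcard CN from
# gabor-boros's REPL check, and an exact-name SAN like the one in the traceback.
WILDCARD_CERT = {"subject": ((("commonName", "*.example.co.uk"),),)}
EXACT_CERT = {"subjectAltName": (("DNS", "aws-eu-central-1-portal.0.dblayer.com"),)}

if __name__ == "__main__":
    print(compare_checks(WILDCARD_CERT, "www.example.co.uk"))
    print(compare_checks(EXACT_CERT, "aws-eu-central-1-portal.0.dblayer.com"))
    print(mismatch_message(EXACT_CERT, derived_wildcard("aws-eu-central-1-portal.0.dblayer.com")))
```

The wildcard certificate passes both checks, so the rewrite gained nothing for the case it was meant to fix; the exact-name certificate passes only the unmodified check, and the rewritten check fails with the same message as the traceback above. The wildcard lives in the certificate and the hostname stays literal; rewriting the expected name is the wrong layer at which to handle wildcards.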

srh (Contributor) commented Nov 1, 2019

Edit: This comment is all wrong because I read the version numbers wrong.

The diff, for reference, with the changes in the driver/python folder being relevant: https://github.com/rethinkdb/rethinkdb/compare/v2.3.3..v2.3.4

Notably, in net.py: https://github.com/rethinkdb/rethinkdb/compare/v2.3.3..v2.3.4#diff-d73ba4e9a072dff9a19fe841ca493c8f

A second set of eyes would be nice, but the most eye-catching change is 7c9c68549d31986317c382458e9cbce0a6d62a92.

I don't know what that does or how that might break (or allegedly, fix) things.

gabor-boros (Member) commented:

@srh @atomicules I had no time to validate this, but my guess is that #140, the wildcard change I made by "mistake", is breaking things. By mistake I mean it was a mistake to do that at all. Reverting that PR should solve the issue.

What do you think @srh? I think the ssl.SSLCertVerificationError ('*.0.dblayer.com' doesn't match 'aws-eu-central-1-portal.0.dblayer.com') is clearly related to this change. I'll be back in 3-4 hours and I'll do the revert of the change and the PyPI release if you have no concerns.

Sorry for the noise @atomicules!

srh (Contributor) commented Nov 1, 2019

Oh my, I'm a moron. I read @atomicules's comment as 2.3.3 vs 2.3.4, so my previous post is all nonsense.

gabor-boros (Member) commented:

I just arrived home and I won't be able to do the release and revert. This will be my first thing tomorrow morning! I'm so sorry 😞

gabor-boros (Member) commented:

Revert PR: #150

gabor-boros (Member) commented:

@atomicules could you please try it now with 2.4.4.post1?

atomicules commented:
Sure... it looks good to me:

/Users/me $ pip3.7 install --user rethinkdb==2.4.4.post1
Collecting rethinkdb==2.4.4.post1
  Downloading https://files.pythonhosted.org/packages/d6/83/2d1932d0a61016c21466ec9cce97d1783fd20c7104dd2420a239bb13d41b/rethinkdb-2.4.4.post1-py2.py3-none-any.whl (155kB)
    100% |████████████████████████████████| 163kB 453kB/s 
Requirement already satisfied: six in ./.local/lib/python3.7/site-packages (from rethinkdb==2.4.4.post1) (1.11.0)
Installing collected packages: rethinkdb
  Found existing installation: rethinkdb 2.4.4
    Uninstalling rethinkdb-2.4.4:
      Successfully uninstalled rethinkdb-2.4.4
Successfully installed rethinkdb-2.4.4.post1
/Users/me $ rlwrap python3.7
Python 3.7.0 (default, Oct  1 2018, 20:41:05) 
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from rethinkdb import RethinkDB
>>> r = RethinkDB()
>>> conn = r.connect(host='aws-eu-central-1-portal.0.dblayer.com',
... port=18079,
... auth_key='REDACTED',
... ssl={'ca_certs': 'ca.cert'})
>>> dbs=r.db_list().run(conn)
>>> print(dbs)  
['rethinkdb']

Thanks!
