A couple of days ago I asked on Stack Overflow about returning a deferred from an SNI callback and have pyOpenSSL wait for it to fire before continuing handling the request.

Thanks to some pointers by Gyph I've found a solution ("workaround") for my problem, involving a fake TLSMemoryBIOProtocol to handle the client hello until the SNI is received, firing the SNI callback, waiting for it to callback and then re-feeding the resulting context to the real TLSMemoryBIOProtocol.

The implementation of this solution is available at https://gist.github.com/GaretJax/124c523a62ba48c9eec1, and I'd like to contribute it back to Twisted, however, it has no unit tests and needs some design decisions/validation.

I've opened a ticket to track it at https://twistedmatrix.com/trac/ticket/8065. Real-life impediments permitting, I'm willing to work on it and get the feature supported in Twisted core.

Anyone willing to help me getting a proper patch?

Best,

Jonathan

P.S.: A big shout-out to Twisted for its excellent TLS support out of the box. We got a straight A rating out of the box on ssl labs!