[issue5639] Support TLS SNI extension in ssl module

Phil Pennock report at bugs.python.org
Wed Apr 1 08:38:25 CEST 2009


New submission from Phil Pennock <python-dev at spodhuis.org>:

With TLS it is possible to have the client use an extension (defined in
RFC 4366, and RFC 3546 before that) to indicate to the server which
hostname it believes it is talking to.  The server can then choose TLS
certificates accordingly.  This makes virtual-hosting possible.  Most
modern GUI web-browsers support making use of this extension, Server
Name Indication (SNI).

OpenSSL 0.9.8f onwards have optional support for this; OpenSSL needs to
have been built with "enable-tlsext" in EXTRACONFIGURE.  If that is not
present, then there's a guard macro defined to say it's absent.

This patch, against Python 2.6.1, adds to the standard ssl module the
ability to set the extension, using server_hostname as a arg in relevant
places.  This is only set for client connections and will silently be
ignored if the OpenSSL library does not support it.

I have tested this on FreeBSD 7.0/amd64 with OpenSSL 0.9.8k when talking
to Apache 2.2.x with the SNI patches from https://sni.velox.ch/.  Below
is my simple test program, to dump raw HTTP results back.  With this, I
can connect to various local https vhosts and get the correct content back.

I am not a Python core dev and not too enthusiastic at the thought of
grabbing latest svn to port this across; I hope that it's still of use.

=============
import socket
import ssl
import sys

def dump_https_page(hostname, uri='/'):

  sock = socket.socket(socket.AF_INET)
  s = ssl.SSLSocket(sock=sock,
                    ca_certs='/etc/ssl/certs',
                    server_hostname=hostname)
  print 'have socket'
  s.connect((hostname, 443))
  print 'connected'

  print >>s, 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' % (
      uri, hostname),

  t = s.read()
  while t:
    print t,
    t = s.read()

if __name__ == '__main__':
  for x in sys.argv[1:]:
    dump_https_page(hostname=x)

----------
components: Library (Lib)
files: python-2.6.1-tlssni.patch
keywords: patch
messages: 84984
nosy: pdp
severity: normal
status: open
title: Support TLS SNI extension in ssl module
versions: Python 2.6
Added file: http://bugs.python.org/file13534/python-2.6.1-tlssni.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5639>
_______________________________________


More information about the Python-bugs-list mailing list