[issue5639] Support TLS SNI extension in ssl module

Donald Stufft report at bugs.python.org
Thu Mar 20 13:58:01 CET 2014


Donald Stufft added the comment:

It's somewhat of a grey area as a security feature. It's not directly a security feature, but if you don't have SNI and you hit a site that requires it, then your error message is going to be something like what people run into with PyPI[1], which is "Cannot verify pypi.python.org, does not match hostname *.a.ssl.fastly.net". At this point most people go "What?" and assume the site is at fault and disable verification. Even more frustrating is that this is going to work fine in their browser. The answer of how to actually verify this without SNI is (once you even figure out the problem is SNI, which is non-obvious) to verify against what's actually in the CN of the cert, and send a Host header for what site you actually want. So while it is not strictly a security feature, it is fairly important for reasonably securely connecting to a site that requires SNI for the lay person.

[1] PyPI's problem is not SNI but that some clients don't support SAN certificates, but the error message is exactly the same.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5639>
_______________________________________