This issue tracker has been migrated to GitHub and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Author: christian.heimes
Recipients: David Ford (FirefighterBlu3), christian.heimes, vstinner
Date: 2017-02-15.17:54:51
Message-id: <1487181291.34.0.215077284234.issue29470@psf.upfronthosting.co.za>
Content:
It's not a bug in Python's ssl module. If I understand David's approach correctly, then he is using the SNI callback the wrong way. By using it the wrong way he has discovered a threading bug in OpenSSL. There is some kind of race condition going on in which two threads free and replace the RSA private key at the same time.

I'm -1 to try to make the SSLContext object magically read-only.

David, which examples did you read? The documentation https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_servername_callback is pretty clear:

    A typical use of this callback is to change the ssl.SSLSocket's SSLSocket.context attribute to a new object of type SSLContext representing a certificate chain that matches the server name.

Apache mod_ssl does it correctly, the first hit on Stack Overflow, too. https://stackoverflow.com/questions/5113333/how-to-implement-server-name-indication-sni
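Added example (not part of Christian's message and not CPython's own code) of the pattern the quoted documentation describes: one SSLContext per served name is built once at startup, and the SNI callback only replaces the SSLSocket.context attribute of the socket being handshaked, so no thread ever modifies a context that other threads share. The hostnames, the stand-in socket class and the certificate-less contexts in demo() are constructed for illustration; a real server passes certificate and key paths to build_contexts().

```python
"""SNI callback that swaps the socket's context instead of mutating a shared one."""
import ssl
from typing import Dict, Optional, Tuple


def build_contexts(cert_map: Dict[str, Tuple[str, str]]) -> Dict[str, ssl.SSLContext]:
    """Create one SSLContext per served name, once, before any thread handles clients.

    cert_map maps a hostname (or a one-label wildcard such as "*.example.net")
    to (certfile, keyfile) paths. The callback below never modifies these
    contexts; it only chooses among them.
    """
    contexts: Dict[str, ssl.SSLContext] = {}
    for hostname, (certfile, keyfile) in cert_map.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        contexts[hostname.lower()] = ctx
    return contexts


def select_context(contexts: Dict[str, ssl.SSLContext],
                   server_name: str) -> Optional[ssl.SSLContext]:
    """Exact, case-insensitive match first, then a one-label wildcard entry.

    "www.example.net" matches "*.example.net"; "deep.www.example.net" does not.
    """
    name = server_name.lower().rstrip(".")
    ctx = contexts.get(name)
    if ctx is None and name.count(".") >= 2:
        ctx = contexts.get("*." + name.split(".", 1)[1])
    return ctx


def make_sni_callback(contexts: Dict[str, ssl.SSLContext]):
    """Build the callable that set_servername_callback() expects.

    It is invoked by OpenSSL during the handshake with (SSLSocket, server name
    or None, the context the socket started with). Returning None continues
    the handshake; returning an ALERT_DESCRIPTION_* constant aborts it with
    that TLS alert.
    """
    def sni_callback(ssl_sock, server_name, initial_context):
        if server_name is None:
            return None  # client sent no SNI: keep the context the socket already has
        ctx = select_context(contexts, server_name)
        if ctx is None:
            # Unknown name: refuse rather than answer with an unrelated certificate.
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        # The documented approach: replace this socket's context. The shared
        # contexts themselves are untouched, so concurrent handshakes cannot race.
        ssl_sock.context = ctx
        return None
    return sni_callback


def install_sni_callback(listener_context: ssl.SSLContext,
                         contexts: Dict[str, ssl.SSLContext]):
    """Register the callback on the context used by the listening socket."""
    cb = make_sni_callback(contexts)
    # Python 3.7+ exposes the same hook as the sni_callback attribute.
    listener_context.set_servername_callback(cb)
    return cb


class _StandInSSLSocket:
    """Stand-in for ssl.SSLSocket (constructed for the demo); only .context matters here."""

    def __init__(self, context: ssl.SSLContext) -> None:
        self.context = context


def demo() -> Dict[str, Tuple[object, bool]]:
    """Exercise the callback with certificate-less contexts (constructed for illustration).

    Each entry is (callback return value, whether the socket ended up with the expected context).
    """
    contexts = {name: ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
                for name in ("example.com", "*.example.net")}
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    cb = install_sni_callback(default, contexts)
    results = {}

    sock = _StandInSSLSocket(default)
    results["exact"] = (cb(sock, "EXAMPLE.com", default), sock.context is contexts["example.com"])
    sock = _StandInSSLSocket(default)
    results["wildcard"] = (cb(sock, "www.example.net", default), sock.context is contexts["*.example.net"])
    sock = _StandInSSLSocket(default)
    rc = cb(sock, "unknown.test", default)
    results["unknown"] = (rc == ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME, sock.context is default)
    sock = _StandInSSLSocket(default)
    results["no_sni"] = (cb(sock, None, default), sock.context is default)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The only per-connection state the callback touches is the socket handed to it; every SSLContext is created before the server starts accepting, which is what keeps the key material out of reach of concurrent modification.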
History
Date | User | Action | Args
2017-02-15 17:54:51 | christian.heimes | set | recipients: + christian.heimes, vstinner, David Ford (FirefighterBlu3)
2017-02-15 17:54:51 | christian.heimes | set | messageid: <1487181291.34.0.215077284234.issue29470@psf.upfronthosting.co.za>
2017-02-15 17:54:51 | christian.heimes | link | issue29470 messages
2017-02-15 17:54:51 | christian.heimes | create |