This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: SSL/TLS sni use in smtp,pop,imap,nntp,ftp client libs by default
Type: enhancement Stage: resolved
Components: Library (Lib) Versions: Python 3.7, Python 3.6
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: alex, christian.heimes, daniel-black, dstufft, fweimer, giampaolo.rodola, grooverdan, janssen, orsenthil, pitrou, r.david.murray
Priority: high Keywords: patch

Created on 2011-01-07 04:42 by grooverdan, last changed 2022-04-11 14:57 by admin. This issue is now closed.

File name Uploaded Description Edit
sni-pop-smtp-imap-nntp.patch grooverdan, 2011-01-07 04:42 sni for other ssl capable libraries review
issue10852-sni.patch daniel-black, 2012-08-21 14:49 review
Messages (17)
msg125621 - (view) Author: Daniel Black (grooverdan) * Date: 2011-01-07 04:42
Like r85793, sni is enabled by default for url and https classes. This continues the consistency throughout the python libraries by adding it to other places where wrap_socket is used to instigate a SSL/TLS connection.
msg125623 - (view) Author: Daniel Black (grooverdan) * Date: 2011-01-07 04:54
dup #10853
msg125647 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-01-07 13:48
Oops, I hadn't noticed you had closed it.
msg125670 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-01-07 18:13
I understand this patch relies on #10851. As I said there, I would rather have SSLContext become the primary API, and the stdlib standardize on it. Part of the stdlib, as you have witnessed, already allows the user to pass a custom SSLContext, which is very simple way of allowing for custom user settings. There are two open issues for imaplib (#8808) and smtplib (#8809).
msg126920 - (view) Author: Daniel Black (grooverdan) * Date: 2011-01-24 11:05
ok. should library/ssl.rst be updated to use a SSLContext example?
msg126929 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-01-24 14:20
Well, there are already such examples:
Do you think they are not visible enough?
msg126958 - (view) Author: Daniel Black (grooverdan) * Date: 2011-01-24 21:21
I thought previous comments you wanted SSLContext to become the primary api rather than wrap_socket? Coding this into the examples is probably a good way of making this happen.
msg168632 - (view) Author: danblack (daniel-black) Date: 2012-08-20 07:28

I copied off your http example for all the other protocols.

tested with:

import smtplib

a = smtplib.SMTP_SSL('')

a = smtplib.SMTP_SSL('')
a = smtplib.SMTP_SSL('')

import ftplib

f = ftplib.FTP_TLS('')

import imaplib
i = imaplib.IMAP4('')

i = imaplib.IMAP4_SSL('')

import poplib

p = poplib.POP3_SSL('')

import  nntplib 
n = nntplib.NNTP_SSL('')

I did a network capture and saw the hostname in the SNI header
msg168781 - (view) Author: danblack (daniel-black) Date: 2012-08-21 14:49
previous patch had dumb error and even failed test suit. Now fixed.
msg168782 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-08-21 14:55
Thanks for the patch, Daniel. 3.3 is nearing the release candidate phase, so I'm re-targetting to 3.4. I'll take a detailed look soon.

(I suppose there's no easy way to write automated tests for this, unfortunately)
msg168784 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-08-21 14:56
By the way, could you sign a contributor agreement? You can find instructions at
msg168850 - (view) Author: danblack (daniel-black) Date: 2012-08-22 07:48
> Thanks for the patch
> Daniel. 3.3 is nearing the release candidate phase, so I'm re-targetting to 3.4. I'll take a detailed look soon.

Welcome. Just noticed conflicts with #4473 in the client POP implementation. Hopefully they are close anyway.

> (I suppose there's no easy way to write automated tests for this, unfortunately)
Well since #8109 writes the server SNI its getting easier.

In Lib/test/ combined with the changes of #8109 it would seem that changing to respond to "AUTH TLS", "AUTH SSL" (ftp) and "STLS" for pop (preempt #4473).

Changing server_params_test to support a proper arguments that correspond the the client protocol would be the way to do it.

> By the way, could you sign a contributor agreement
yes - emailed in.
msg177261 - (view) Author: danblack (daniel-black) Date: 2012-12-10 03:41
the one error in the previous review corrected.
msg181804 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-02-10 13:51
I'm getting a test failure in test_ftplib:

ERROR: test_data_connection (test.test_ftplib.TestTLS_FTPClass)
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/", line 834, in test_data_connection
    with self.client.transfercmd('list') as sock:
  File "/home/antoine/cpython/default/Lib/", line 386, in transfercmd
    return self.ntransfercmd(cmd, rest)[0]
  File "/home/antoine/cpython/default/Lib/", line 756, in ntransfercmd
    self.context.load_cert_chain(self.certfile, self.keyfile)
TypeError: certfile should be a valid filesystem path

Also, since we now have SNI server support, perhaps it's easier to test the change :-)
msg181890 - (view) Author: Daniel Black (grooverdan) * Date: 2013-02-11 10:20
Ack. Have fix. Simple if self.certfile or self.keyfile: test added before load_cert_chain.

part way through developing test. Thinking #17181 would help.
msg275024 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-08 14:43
Good idea, but the patch is outdated. We can enforce verification by changing ssl._create_stdlib_context.
msg275026 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-08 14:44
Oh sorry, this is about SNI not verified context. All protocols support SNI for some time.
Date User Action Args
2022-04-11 14:57:11adminsetgithub: 55061
2016-09-08 14:44:08christian.heimessetstatus: open -> closed
resolution: out of date
messages: + msg275026

stage: patch review -> resolved
2016-09-08 14:43:04christian.heimessetpriority: normal -> high

nosy: + janssen, alex, dstufft
versions: + Python 3.6, Python 3.7, - Python 3.4
messages: + msg275024

assignee: christian.heimes
2013-06-17 18:23:45pitrousetnosy: + christian.heimes
2013-03-08 08:48:24fweimersetnosy: + fweimer
2013-02-11 10:20:41grooverdansetmessages: + msg181890
2013-02-10 19:07:58orsenthilsetnosy: + orsenthil
2013-02-10 13:51:27pitrousetmessages: + msg181804
2012-12-10 03:41:37daniel-blacksetmessages: + msg177261
2012-08-22 07:48:32daniel-blacksetmessages: + msg168850
2012-08-21 15:03:16r.david.murraysetnosy: + r.david.murray
2012-08-21 14:56:45pitrousetmessages: + msg168784
2012-08-21 14:55:51pitrousetstage: patch review
messages: + msg168782
versions: + Python 3.4, - Python 3.3
2012-08-21 14:49:48daniel-blacksetfiles: + issue10852-sni.patch

messages: + msg168781
2012-08-21 14:48:45daniel-blacksetfiles: - issue_10852_pop-smtp-imap-nntp.patch
2012-08-20 07:28:04daniel-blacksetfiles: + issue_10852_pop-smtp-imap-nntp.patch
nosy: + daniel-black
messages: + msg168632

2011-01-24 21:21:55grooverdansetnosy: pitrou, giampaolo.rodola, grooverdan
messages: + msg126958
2011-01-24 15:19:22giampaolo.rodolasetnosy: + giampaolo.rodola
2011-01-24 14:20:50pitrousetmessages: + msg126929
2011-01-24 11:05:29grooverdansetmessages: + msg126920
2011-01-07 18:13:52pitrousetmessages: + msg125670
2011-01-07 13:48:55pitrousetstatus: closed -> open

nosy: + pitrou
messages: + msg125647

resolution: duplicate -> (no value)
2011-01-07 13:47:14pitroulinkissue10853 superseder
2011-01-07 04:54:38grooverdansetstatus: open -> closed

nosy: - pitrou
messages: + msg125623

resolution: duplicate
2011-01-07 04:42:58grooverdancreate