classification
Title: SSL SNI varies when host contains port number
Type: behavior
Stage:
Components: Library (Lib)
Versions: Python 3.10, Python 3.9
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, hexf
Priority: normal
Keywords:

Created on 2021-10-10 13:41 by hexf, last changed 2021-10-10 14:42 by christian.heimes.

Files
File name | Uploaded | Description
test.py | hexf, 2021-10-10 13:41 | Example script
bpo45423.pcapng | christian.heimes, 2021-10-10 14:42 |
keylog | christian.heimes, 2021-10-10 14:42 |
Messages (2)
msg403586 - (view) Author: Thomas Hobson (hexf) Date: 2021-10-10 13:41
Not entirely sure if this is intended.

When using urllib.request.urlopen, with a hostname and a varying port the SNI information sent differs.
To my understanding, the SNI info shouldn't include the port and should only include the actual host.

Attached is an example script demonstrating the issue, where the only difference between the URLs is adding a port number.
The server it points to is configured to only match "ci.hexf.me".
msg403591 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-10-10 14:42
I have tested your assumption with Wireshark. It's not the TLS SNI extension. In both cases the ssl module sends SNI "ci.hexf.me". The issue is likely caused by the HTTP Host header. The Host header contains the port.

I'm attaching the capture and keylog file.
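
An offline way to see the same split without a packet capture, as an added example (not part of the original messages or of test.py). It runs only urllib's request pre-processing and http.client's host parsing, so nothing is sent. The helper name host_header_and_sni and the sample URLs are assumptions; only the hostname comes from the report.

```python
"""Offline check: which name goes into the HTTP Host header and which into TLS SNI."""
import http.client
import urllib.request


def host_header_and_sni(url):
    """Return (Host header, SNI name) urllib would use for url, without connecting."""
    req = urllib.request.Request(url)

    # Run only urllib's request pre-processing step, which fills in the Host
    # header from the URL's netloc exactly as written (port included).
    handler = urllib.request.HTTPSHandler()
    handler.add_parent(urllib.request.OpenerDirector())
    req = handler.https_request(req)
    host_header = req.get_header("Host")

    # urllib hands req.host to http.client.HTTPSConnection, which splits off
    # the port; the remaining .host is what it passes as server_hostname (SNI).
    conn = http.client.HTTPSConnection(req.host)
    return host_header, conn.host


# Constructed URLs: the hostname is the one from the report, the explicit
# port is an assumption (the attached test.py is not shown on the page).
URLS = ["https://ci.hexf.me/", "https://ci.hexf.me:443/"]

if __name__ == "__main__":
    for url in URLS:
        header, sni = host_header_and_sni(url)
        print(f"{url:28} Host: {header:18} SNI: {sni}")
```

A virtual host that matches the Host header literally against "ci.hexf.me" will treat the two requests differently even though the SNI name is identical.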
History
Date | User | Action | Args
2021-10-10 14:42:14 | christian.heimes | set | files: + keylog
2021-10-10 14:42:06 | christian.heimes | set | files: + bpo45423.pcapng
    assignee: christian.heimes ->
    messages: + msg403591
    components: + Library (Lib), - SSL
2021-10-10 13:41:48 | hexf | create |