SSL sockets should support SNI, both as servers and clients: http://en.wikipedia.org/wiki/Server_Name_Indication

After that, libraries that support SSL/TLS should be upgraded to take advantage of it.

Any interest in supporting this?.

Duplicate of bpo-5639.

issue bpo-5639 only has functionality for client side SNI. Server side SNI is still missing.

For server side SNI to be supported a server program should be able to retrieve the server name provided by the client call and alter the server certificate/key before the server completes the TLS/SSL connection.

Server side SNI is still missing.

Right, re-opening.

test_sni not working. getpeercert() not returning a certificate.

Daniel, your patch looks quite interesting. Please, send a contributor agreement to the PSF: http://www.python.org/psf/contrib/contrib-form-python/ . Let me know when you status have changed.

Why are you changing "Lib/test/keycert2.pem"?

Please, provide also a documentation patch.

This is a feature enhancement. Would be applied to 3.4, it is too late for 3.3 :-(. Too bad! :(

Daniel, your patch looks quite interesting. Please, send a contributor agreement to the PSF: http://www.python.org/psf/contrib/contrib-form-python/ . Let me know when you status have changed.

Already done. Has been accepted and I've got an acknowledgement email.

Why are you changing "Lib/test/keycert2.pem"?
I was mistakely assuming that this was the only test that used it. Fixed now. Also added a CA key and server for validating key chains. I didn't end up using it however thought it would be handy.

Please, provide also a documentation patch.

Done. Also improved error checking and reference counting.

This is a feature enhancement. Would be applied to 3.4, it is too late for 3.3 :-(. Too bad! :(

Was expected. Its been 2.5 years since the bug opened. A little more won't hurt.

I've also changed SSLSocket.context to be a property. Its not quite working. The current test case as is working however using an assignment as per line 1958 of Lib/test/test_ssl.py.

happy with this?

I'm not sure what i've done to make s._set_context(newctx) work but s.context = newctx fail. I though the code here http://bugs.python.org/review/8109/diff2/5815:5989/Lib/ssl.py effectively maps them.

Daniel, I'll take a look.

Antoine Pitrou (pitrou) * Date: 2012-10-06 13:10
Daniel, I'll take a look.

minor nag :-)

I've added a full set of alert descriptions and cleaned up the doco some more.

The reference counting when the SNI callback comes in is my greatest worry.

I've posted a few more comments.
As for cyclic garbage collection, it's explained a bit there:
http://docs.python.org/dev/extending/newtypes.html#supporting-cyclic-garbage-collection

If it isn't very clear to you, I can still handle it myself, though. Those docs aren't the best.

If it isn't very clear to you, I can still handle it myself, though. Those docs aren't the best.

Not clear enough. Yes I'd appreciate you handling it. Thanks.

Here is an updated patch with cyclic GC support, and other small things.

Updated patch after Daniel's comments.

New changeset 927afb7bca2a by Antoine Pitrou in branch 'default':
Issue bpo-8109: The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
http://hg.python.org/cpython/rev/927afb7bca2a

I've committed the latest patch. Thank you very much!

I've committed the latest patch. Thank you very much!

much appreciate your help.

Coverity reports an issue in the callback function:

/Modules/_ssl.c: 2403 ( uninit_use)
   2400            /* remove race condition in this the call back while if removing the
   2401             * callback is in progress */
   2402            PyGILState_Release(gstate);
>>> CID 966640: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized value "ret".
   2403            return ret;
   2404        }
   2405    
   2406        ssl = SSL_get_app_data(s);
   2407        assert(PySSLSocket_Check(ssl));

I don't know which error code should be returned in this case.

I don't know which error code should be returned in this case.

Thanks Christian. My fault - asked Antoine to remove the default value for it and didn't see this like.

make line 2403:

return SSL_TLSEXT_ERR_OK;

Fixed in 52b4d9bfc9ea (Roundup e-mail gateway seems broken).

(testing Roundup mail gateway, please ignore)

I am trying to use SSLContext.set_servername_callback in my program but when a callback is set, it seems that connecting to the server without providing a server name causes a segmentation fault. (e.g. 'openssl s_client -connect localhost:443 -servername foo' is OK but 'openssl s_client -connect localhost:443' crashes the server. A simple test that causes the same error is included in the patch.)

My expectation was to get None as the second argument of the callback in such cases so I modified Modules/_ssl.c (as in the patch) to make it behave as I expected.

The modification seems to work fine as far as I've tested, but I'd appreciate if an official fix is available.

nice patch. Thanks for finding the bug. I like the solution with test case.

Just needs a small enhancement of documention to ensure other users expect this behaviour.

Thanks for a comment.
I've made a version that adds a line to the document.

New changeset 4ae6095b4638 by Antoine Pitrou in branch 'default':
Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
http://hg.python.org/cpython/rev/4ae6095b4638

Thank you for finding this! The patch is now committed.