Author nitzmahone
Recipients christian.heimes, nitzmahone
Date 2017-11-30.18:05:09
The current implementation of SSLContext.wrap_socket blindly sends whatever is passed in server_hostname in the SNI extension, assuming it's a DNS hostname. RFC6066 describes the SNI TLS extension, and specifically states that 'Literal IPv4 and IPv6 addresses are not permitted in "HostName".' The RFC makes no recommendation on how a server implementation that violates this requirement should behave; Microsoft's kernel HTTP listener (http.sys) chooses to abort the connection if SNI has been enabled. In the http.sys case, SNI is a global setting, currently off by default, but if any registered listener has SNI enabled, the connection abort behavior applies to all listeners.

SSLContext.wrap_socket() should determine whether server_hostname is an IP address before including the SNI extension. 

I've submitted a PR to work around this issue in urllib3 ( in the meantime, but would be good to get this fixed, especially if Microsoft decides to enable SNI by default at some point.
Date | User | Action | Args
2017-11-30 18:05:09 | nitzmahone | set | recipients: + nitzmahone, christian.heimes
2017-11-30 18:05:09 | nitzmahone | set | messageid: <>
2017-11-30 18:05:09 | nitzmahone | link | issue32185 messages
2017-11-30 18:05:09 | nitzmahone | create |