New submission from Phil Pennock <python-...@spodhuis.org>:

With TLS it is possible to have the client use an extension (defined in RFC 4366, and RFC 3546 before that) to indicate to the server which hostname it believes it is talking to. The server can then choose TLS certificates accordingly. This makes virtual-hosting possible. Most modern GUI web-browsers support making use of this extension, Server Name Indication (SNI).

OpenSSL 0.9.8f onwards have optional support for this; OpenSSL needs to have been built with "enable-tlsext" in EXTRACONFIGURE. If that is not present, then there's a guard macro defined to say it's absent.

This patch, against Python 2.6.1, adds to the standard ssl module the ability to set the extension, using server_hostname as an arg in relevant places. This is only set for client connections and will silently be ignored if the OpenSSL library does not support it.

I have tested this on FreeBSD 7.0/amd64 with OpenSSL 0.9.8k when talking to Apache 2.2.x with the SNI patches from https://sni.velox.ch/.

Below is my simple test program, to dump raw HTTP results back. With this, I can connect to various local https vhosts and get the correct content back.

I am not a Python core dev and not too enthusiastic at the thought of grabbing latest svn to port this across; I hope that it's still of use.

=============
import socket
import ssl
import sys

def dump_https_page(hostname, uri='/'):
    sock = socket.socket(socket.AF_INET)
    # server_hostname is the argument added by the patch; it sets the SNI extension
    s = ssl.SSLSocket(sock=sock, ca_certs='/etc/ssl/certs',
                      server_hostname=hostname)
    print 'have socket'
    s.connect((hostname, 443))
    print 'connected'
    print >>s, 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' % (
        uri, hostname),
    # dump the raw response until the server closes the connection
    t = s.read()
    while t:
        print t,
        t = s.read()

if __name__ == '__main__':
    for x in sys.argv[1:]:
        dump_https_page(hostname=x)

----------
components: Library (Lib)
files: python-2.6.1-tlssni.patch
keywords: patch
messages: 84984
nosy: pdp
severity: normal
status: open
title: Support TLS SNI extension in ssl module
versions: Python 2.6
Added file: http://bugs.python.org/file13534/python-2.6.1-tlssni.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue5639>
_______________________________________
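
The following is an added example, not part of the original submission or its patch: it checks on the wire that a client actually sends the server_name extension described above, by starting a handshake in memory and parsing the ClientHello. It assumes the Python 3 standard-library `ssl` module (not the 2.6.1 patch API); the hostname `vhost.example` and both function names are constructed for illustration.

```python
import ssl
import struct

def client_hello_for(hostname):
    """Start a client handshake in memory; return the raw ClientHello record."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server is attached, only the first flight is written
    return outgoing.read()

def extract_sni(record):
    """Return the host_name in a ClientHello's server_name extension, or None."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    pos = 4 + 2 + 32                          # handshake header, version, random
    pos += 1 + body[pos]                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                      # compression_methods
    if pos + 2 > len(body):
        return None                           # ClientHello without extensions
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                     # 0 = server_name
            continue
        i = 2                                 # skip the 2-byte ServerNameList length
        while i + 3 <= len(data):
            name_type, name_len = struct.unpack("!BH", data[i:i + 3])
            if name_type == 0:                # 0 = host_name
                return data[i + 3:i + 3 + name_len].decode("ascii")
            i += 3 + name_len
    return None

if __name__ == "__main__":
    # constructed hostname; nothing is sent over the network
    print(extract_sni(client_hello_for("vhost.example")))
```

The name travels unencrypted in the ClientHello, so the same parser applied to captured traffic shows which virtual host a client asked for.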