Document the security extra for SNI support with legacy Python

[browniebroke]

This was added back in #2195.

This started as I was trying to understand why we had PyOpenSSL installed on the project I joined recently. After a bit of digging, it seems that it came from the time when we were using Python 2 and was for Requests/urllib3.

However, looking at Requests' documentation, I couldn't find a clear explanation about this feature, so this is my attempt at fixing this.

Disclaimer: I'm by no means an expert at SNI, so please correct me on anything wrong that follows.

Here are what I could find:

• The intend was to document this feature after merging it, so I assume this contribution is welcome.
• Looking at the documentation from urllib3, it seems that the extra dependencies aren't needed in Python 3* and by the look of Investigate users with slow import time, and attempt to mitigate in future releases #4315 it can slow down importing Requests when we have PyOpenSSL.
• Another open pull request (Use pyOpenSSL only when ssl doesn't support SNI #4591) is trying to change this, but @sigmavirus24 comment implies that there is more to SNI in Requests?

I'm not sure if this is the best place to document this, adding it to the "install" section feels overwhelming for beginners, and I felt like it belongs close to the SSL & certificates verification of the advanced section. Happy to move it somewhere else.

Edit:

(*) Actually, it seems it was implemented in PEP 476 which covers Python >=2.7.9 or >=3.4.3, so not any Python 3 versions.

[browniebroke]

I've put this versionadded directive, but since it's quoting a very old version, it might not make sense?

[sigmavirus24]

This was originally added for SNI support but further is really just a way of providing modern OpenSSL for old versions of Python too. It allows them to communicate with modern websites regardless of SNI.

[browniebroke]

Thanks for your feedback. I've updated the change to be less focused on SNI, and direct to the upstream documentation for urllib3.

[codecov-io]

Codecov Report

Merging #4825 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #4825   +/-   ##
=======================================
  Coverage   66.89%   66.89%           
=======================================
  Files          15       15           
  Lines        1577     1577           
=======================================
  Hits         1055     1055           
  Misses        522      522

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c501ec9...ee76291. Read the comment docs.

[sigmavirus24]

This is only a single facet of the issue

[sigmavirus24]

This was originally added for SNI support but further is really just a way of providing modern OpenSSL for old versions of Python too. It allows them to communicate with modern websites regardless of SNI.

[sethmlarson]

Closing this as we're not recommending the security extra any longer.