Server-side support for TLS Server Name Indication extension #52356
Comments
SSL sockets should support SNI, both as servers and clients: http://en.wikipedia.org/wiki/Server_Name_Indication After that, libraries that support SSL/TLS should be upgraded to take advantage of it. Any interest in supporting this?
Duplicate of bpo-5639.
Issue bpo-5639 only has functionality for client side SNI. Server side SNI is still missing. For server side SNI to be supported, a server program should be able to retrieve the server name provided by the client call and alter the server certificate/key before the server completes the TLS/SSL connection.
Right, re-opening.
test_sni not working. getpeercert() not returning a certificate.
Daniel, your patch looks quite interesting. Please, send a contributor agreement to the PSF: http://www.python.org/psf/contrib/contrib-form-python/ . Let me know when your status has changed. Why are you changing "Lib/test/keycert2.pem"? Please, provide also a documentation patch. This is a feature enhancement. Would be applied to 3.4, it is too late for 3.3 :-(. Too bad! :(
Already done. Has been accepted and I've got an acknowledgement email.
Done. Also improved error checking and reference counting.
Was expected. It's been 2.5 years since the bug opened. A little more won't hurt. I've also changed SSLSocket.context to be a property. It's not quite working. The current test case as is is working, however, using an assignment as per line 1958 of Lib/test/test_ssl.py.
happy with this? I'm not sure what I've done to make s._set_context(newctx) work but s.context = newctx fail. I thought the code here http://bugs.python.org/review/8109/diff2/5815:5989/Lib/ssl.py effectively maps them.
Daniel, I'll take a look.
minor nag :-)
I've added a full set of alert descriptions and cleaned up the doco some more. The reference counting when the SNI callback comes in is my greatest worry.
I've posted a few more comments. If it isn't very clear to you, I can still handle it myself, though. Those docs aren't the best.
Not clear enough. Yes I'd appreciate you handling it. Thanks.
Here is an updated patch with cyclic GC support, and other small things.
Updated patch after Daniel's comments.
New changeset 927afb7bca2a by Antoine Pitrou in branch 'default':
I've committed the latest patch. Thank you very much!
much appreciate your help.
Coverity reports an issue in the callback function: /Modules/_ssl.c: 2403 ( uninit_use)

```
2400 /* remove race condition in this the call back while if removing the
2401  * callback is in progress */
2402 PyGILState_Release(gstate);
>>> CID 966640: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized value "ret".
2403 return ret;
2404 }
2405
2406 ssl = SSL_get_app_data(s);
2407 assert(PySSLSocket_Check(ssl));
```

I don't know which error code should be returned in this case.
Thanks Christian. My fault - asked Antoine to remove the default value for it and didn't see this line. Make line 2403: return SSL_TLSEXT_ERR_OK;
Fixed in 52b4d9bfc9ea (Roundup e-mail gateway seems broken).
(testing Roundup mail gateway, please ignore)
I am trying to use SSLContext.set_servername_callback in my program, but when a callback is set, it seems that connecting to the server without providing a server name causes a segmentation fault. (e.g. 'openssl s_client -connect localhost:443 -servername foo' is OK but 'openssl s_client -connect localhost:443' crashes the server. A simple test that causes the same error is included in the patch.) My expectation was to get None as the second argument of the callback in such cases, so I modified Modules/_ssl.c (as in the patch) to make it behave as I expected. The modification seems to work fine as far as I've tested, but I'd appreciate it if an official fix is available.
nice patch. Thanks for finding the bug. I like the solution with test case. Just needs a small enhancement of documentation to ensure other users expect this behaviour.
Thanks for the comment.
New changeset 4ae6095b4638 by Antoine Pitrou in branch 'default':
Thank you for finding this! The patch is now committed.
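The server-side dispatch this issue adds, as a callback registered with SSLContext.set_servername_callback that swaps SSLSocket.context by the requested name, with the no-SNI case from the later bug report arriving as server_name=None. This is an added example, not code from the thread or from CPython; the hostnames, the _FakeSSLSocket stand-in and the dispatch helper are constructed so it runs without a live handshake.

```python
import ssl


def build_sni_callback(contexts, default):
    """Servername callback that swaps the server context by SNI hostname.

    `contexts` maps hostnames to SSLContexts; `default` serves clients that
    send no SNI, for which the callback receives server_name=None.
    """
    def sni_callback(ssl_sock, server_name, initial_context):
        if server_name is None:
            # No SNI (bare `openssl s_client`): keep the default cert, do not abort
            ssl_sock.context = default
            return None
        ctx = contexts.get(server_name.lower())
        if ctx is None:
            # Unknown name: abort with a TLS alert instead of a mismatching cert
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        ssl_sock.context = ctx  # SSLSocket.context is assignable (this issue)
        return None
    return sni_callback


class _FakeSSLSocket:
    """Constructed stand-in for ssl.SSLSocket exposing only `.context`."""
    def __init__(self, context):
        self.context = context


def dispatch(callback, initial_context, server_name):
    """Invoke `callback` the way the TLS stack would; return (alert, context)."""
    sock = _FakeSSLSocket(initial_context)
    alert = callback(sock, server_name, initial_context)
    return alert, sock.context


def demo():
    """Exercise all three cases; returns {server_name: (alert, context label)}."""
    # Constructed contexts; a real server would call ctx.load_cert_chain() on each.
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    alt = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    labels = {id(default): "default", id(alt): "alt"}
    callback = build_sni_callback({"alt.example": alt}, default)
    default.set_servername_callback(callback)  # the API added by this issue
    results = {}
    for name in ("alt.example", None, "unknown.example"):
        alert, chosen = dispatch(callback, default, name)
        results[name] = (alert, labels[id(chosen)])
    return results


if __name__ == "__main__":
    print(demo())
```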