Message10562

Author zyasoft
Recipients zyasoft
Date 2015-12-29.14:21:44
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1451398905.46.0.981080671012.issue2446@psf.upfronthosting.co.za>
In-reply-to
Content
SNI (server name information) is an extension to SSL/TLS that allows the client to select a hostname and the server to pick the appropriate certificate matching that hostname. Although there is internal support in Java 7, it really requires Java 8 to use the public API. Since the ssl module is written in Python, it is easy to provide this support only on Java 8 or higher, by using standard ImportError handling semantics.

Server side. Python specifies a callback on the SSL context (https://docs.python.org/2.7/library/ssl.html#ssl.SSLContext.set_servername_callback), which corresponds roughly to the SniHandler class provided by Netty 4 (http://netty.io/4.0/api/io/netty/handler/ssl/SniHandler.html). By default, SniHandler will automatically switch the SSL context, but a subclass of SniHandler can override SniHandler.sslContext, which can in turn interrogate SniHandler.hostname() to provide set_servername_callback.

Client side. In wrapping a socket, client code can specify the desired server hostname. This hostname in turn can be set in the ssl module's SSLContext._createSSLEngine, which currently sets some of the SSL parameters, via javax.net.ssl.SSLParameters.setServerNames(javax.net.ssl.SNIHostName(server_name)).

There is some additional certificate functionality that is already implemented for SNI in Jython's ssl, namely match_hostname. But it looks like we need to complete SSLContext.check_hostname support.
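The client-side wiring described in this message, as an added example in Jython (not code from Jython's ssl module); `create_client_engine`, `sni_supported` and `requested_server_names` are hypothetical names, and the example assumes Jython 2.7 running on Java 8, where the public SNI API exists.

```jython
# Added example (not Jython's own ssl module code): wiring the client-side
# SNI hostname and a Java-level hostname check onto an SSLEngine from Jython.
# Assumes Jython 2.7 on Java 8+; the function names are hypothetical.
from javax.net.ssl import SSLContext
from java.util import Collections

try:
    # The public SNI classes exist only from Java 8. On Java 7 this import
    # raises ImportError, so SNI is simply unavailable (the ImportError
    # strategy the message describes).
    from javax.net.ssl import SNIHostName
except ImportError:
    SNIHostName = None


def sni_supported():
    return SNIHostName is not None


def create_client_engine(java_ssl_context, server_hostname, port=443, check_hostname=True):
    """Build a client-mode SSLEngine that sends `server_hostname` in the SNI
    extension and, if check_hostname is set, verifies the server certificate
    against that hostname."""
    engine = java_ssl_context.createSSLEngine(server_hostname, port)
    engine.setUseClientMode(True)
    params = engine.getSSLParameters()
    if sni_supported() and server_hostname:
        # The SSLParameters.setServerNames(SNIHostName) call proposed above.
        params.setServerNames(Collections.singletonList(SNIHostName(server_hostname)))
    if check_hostname:
        # Java counterpart of ssl.SSLContext.check_hostname: with "HTTPS" set,
        # the JSSE trust manager rejects a certificate that does not match
        # the hostname, instead of relying on a separate match_hostname call.
        params.setEndpointIdentificationAlgorithm("HTTPS")
    engine.setSSLParameters(params)
    return engine


def requested_server_names(engine):
    """Return the SNI hostnames the engine will send as a list of str
    (assumes every entry was added as an SNIHostName)."""
    names = engine.getSSLParameters().getServerNames()
    if names is None:
        return []
    return [n.getAsciiName() for n in names]


if __name__ == "__main__":
    engine = create_client_engine(SSLContext.getDefault(), "example.com")
    print requested_server_names(engine)
```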
History

Date                 User     Action  Args
2015-12-29 14:21:45  zyasoft  set     recipients: + zyasoft
2015-12-29 14:21:45  zyasoft  set     messageid: <1451398905.46.0.981080671012.issue2446@psf.upfronthosting.co.za>
2015-12-29 14:21:45  zyasoft  link    issue2446 messages
2015-12-29 14:21:44  zyasoft  create