Message10562
SNI (server name information) is an extension to SSL/TLS that allows the client to select a hostname and the server to pick the appropriate certificate matching that hostname. Although there is internal support in Java 7, it really requires Java 8 to use the public API. Since the ssl module is written in Python, it is easy to provide this support only on Java 8 or higher, by using standard ImportError handling semantics.
Server side. Python specifies a callback on the SSL context (https://docs.python.org/2.7/library/ssl.html#ssl.SSLContext.set_servername_callback), which corresponds roughly to the SniHandler class provided by Netty 4 (http://netty.io/4.0/api/io/netty/handler/ssl/SniHandler.html). By default, SniHandler will automatically switch the SSL context, but a subclass of SniHandler can override SniHandler.sslContext, which can in turn interrogate SniHandler.hostname() to provide set_servername_callback.
Client side. In wrapping a socket, client code can specify the desired server hostname. This hostname in turn can be set in the ssl module's SSLContext._createSSLEngine, which currently sets some of the SSL parameters, via javax.net.ssl.SSLParameters.setServerNames(javax.net.ssl.SNIHostName(server_name)).
There is some additional certificate functionality that is already implemented for SNI in Jython's ssl, namely match_hostname. But it looks like we need to complete SSLContext.check_hostname support.

Date | User | Action | Args
2015-12-29 14:21:45 | zyasoft | set | recipients: + zyasoft
2015-12-29 14:21:45 | zyasoft | set | messageid: <1451398905.46.0.981080671012.issue2446@psf.upfronthosting.co.za>
2015-12-29 14:21:45 | zyasoft | link | issue2446 messages
2015-12-29 14:21:44 | zyasoft | create |
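As an added illustration (not code from Jython, Netty or the message above), the following encodes the RFC 6066 server_name extension the way a client places it in its ClientHello, parses it back on the server side, and uses the hostname to pick a per-host context, which is the decision that set_servername_callback and a SniHandler.sslContext override make. The SniDispatcher class and the hostnames are constructed for this example.

```python
import struct

# RFC 6066: extension type server_name is 0; the only defined NameType is host_name (0).
SERVER_NAME_EXT = 0
HOST_NAME = 0


def encode_sni_extension(hostname):
    """Build the server_name extension (type + length + ServerNameList) a client sends."""
    name = hostname.encode("ascii")  # SNI carries ASCII (IDNA A-label) names, never IP literals
    entry = struct.pack("!BH", HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SERVER_NAME_EXT, len(server_name_list)) + server_name_list


def decode_sni_extension(data):
    """Parse one extension blob; return the host_name the client asked for, or None."""
    if len(data) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != SERVER_NAME_EXT or ext_len != len(data) - 4:
        raise ValueError("not a well-formed server_name extension")
    body = data[4:]
    (list_len,) = struct.unpack("!H", body[:2])
    pos = 2
    while pos < 2 + list_len:
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        name = body[pos:pos + name_len]
        pos += name_len
        if name_type == HOST_NAME:
            return name.decode("ascii")
    return None  # list present but no host_name entry: fall back to the default context


class SniDispatcher:
    """Server side: map the requested hostname to the context (certificate) for that host.
    This is the role of ssl.SSLContext.set_servername_callback / Netty's SniHandler."""

    def __init__(self, contexts, default):
        self.contexts = contexts  # hostname -> per-host context (constructed stand-ins here)
        self.default = default    # served when no SNI is sent or the name is unknown

    def select(self, sni_extension_bytes):
        hostname = decode_sni_extension(sni_extension_bytes)
        if hostname is None:
            return self.default
        return self.contexts.get(hostname.lower(), self.default)
```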