Server-side TLS Server Name Indication (SNI) support

[glyph]

This depends on  PyOpenSSL supporting SNI.

This should modify the SSL endpoint string description syntax so that existing applications will inherit it seamlessly.

[glyph]

This ticket should be for server-side support. I don't know what's required client-side yet.

[exarkun]

pyOpenSSL 0.13 supports SNI. For a server, what you do is call set_tlsext_servername_callback on the Context instance you're using. You pass it a callback function that will be called with a Connection instance. In the callback function, you use Connection.get_servername to see who the client wanted to talk to. Then, if appropriate, you construct a new Context configured however you like (including using a certificate/key which matches the client's expectations) and make the server use it using Connection.set_context.

While not the prettiest API (not least because it forces a lot of OpenSSL specifics onto you), it's actually all accessible already, without any particular additional support from Twisted. So from that point of view, this ticket is actually resolved.

The client-side support is actually harder, because there currently is no way in the Twisted SSL client-side APIs to specify which hostname you want to talk to.

So with pyOpenSSL 0.13 and current Twisted, server-side is ugly but possible and client-side is not possible at all.

[glyph]

Replying to exarkun:

Thanks for this update, and thanks even more for actually implementing the requisite SNI wrappers.

I think that we should probably have some explicit facility to do SNI so that it can get communicated down to layers like HTTP without OpenSSL specifics.

Also, anyone who takes on the client portion of this implementation should be aware of #5190.