Opened 3 years ago

Last modified 7 months ago

#4887 enhancement new

Server-side TLS Server Name Indication (SNI) support

Reported by: glyph Owned by: glyph
Priority: normal Milestone:
Component: core Keywords:
Cc: chris@…, hs@… Branch:
Author: Launchpad Bug:

Description (last modified by glyph)

This depends on PyOpenSSL supporting SNI.

This should modify the SSL endpoint string description syntax so that existing applications will inherit it seamlessly.

Change History (9)

comment:1 Changed 3 years ago by glyph

  • Description modified (diff)

comment:2 Changed 3 years ago by glyph

This ticket should be for server-side support. I don't know what's required client-side yet.

comment:3 follow-up: Changed 3 years ago by exarkun

pyOpenSSL 0.13 supports SNI. For a server, what you do is call set_tlsext_servername_callback on the Context instance you're using. You pass it a callback function that will be called with a Connection instance. In the callback function, you use Connection.get_servername to see who the client wanted to talk to. Then, if appropriate, you construct a new Context configured however you like (including using a certificate/key which matches the client's expectations) and make the server use it using Connection.set_context.

While not the prettiest API (not least because it forces a lot of OpenSSL specifics onto you), it's actually all accessible already, without any particular additional support from Twisted. So from that point of view, this ticket is actually resolved.

The client-side support is actually harder, because there currently is no way in the Twisted SSL client-side APIs to specify which hostname you want to talk to.

So with pyOpenSSL 0.13 and current Twisted, server-side is ugly but possible and client-side is not possible at all.
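
The server-side call sequence described in comment 3 (a servername callback registered on the Context, `Connection.get_servername()` to read what the client asked for, `Connection.set_context()` to swap in the matching Context), as an added example in Python. This is not code from the ticket, from Twisted or from pyOpenSSL; it targets the pyOpenSSL API named above (0.13 or later). The hostname-to-PEM mapping, the file paths and the policy of falling back to a default virtual host for missing or unknown names are assumptions, not anything the ticket specifies.

```python
"""Server-side SNI dispatch for pyOpenSSL, following the call sequence in comment 3.

Added example, not code from the ticket, Twisted or pyOpenSSL. Assumptions (not on the
page): the hostname-to-PEM mapping below, the placeholder file paths, and the policy of
serving a default vhost when the client sends no SNI or an unknown name.
"""
import logging
from typing import Callable, Dict, Optional

log = logging.getLogger("sni")

# Constructed mapping of served hostnames to (certificate, key) PEM paths; placeholders.
VHOSTS = {
    "www.example.com": ("/etc/tls/www.example.com.pem", "/etc/tls/www.example.com.key"),
    "api.example.com": ("/etc/tls/api.example.com.pem", "/etc/tls/api.example.com.key"),
}
DEFAULT_VHOST = "www.example.com"


def normalize_servername(raw: Optional[bytes]) -> Optional[str]:
    """Turn the bytes from Connection.get_servername() into a comparable hostname.

    Returns None when the client sent no SNI extension (get_servername() gives None),
    when the value is empty, or when it is not plain ASCII. Case and a trailing dot are
    stripped so 'WWW.Example.COM.' matches 'www.example.com'.
    """
    if raw is None:
        return None
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    name = name.rstrip(".").lower()
    return name or None


def select_vhost(raw: Optional[bytes], known, default: str) -> str:
    """Choose which virtual host's Context to serve (assumed policy).

    Exact match on a known name wins; anything else gets the default. Serving the default
    certificate rather than guessing means a client asking for a name we do not host gets
    a certificate that fails validation on its side, which is the right outcome; logging
    the mismatch is what makes misconfigured clients visible to the operator.
    """
    name = normalize_servername(raw)
    if name is None:
        log.info("no SNI from client; using default vhost %s", default)
        return default
    if name in known:
        return name
    log.warning("SNI for unknown host %r; using default vhost %s", name, default)
    return default


def make_context(certfile: str, keyfile: str):
    """Build one pyOpenSSL Context for a vhost.

    pyOpenSSL is imported here rather than at module level so the dispatch policy above
    can be exercised without it installed; a real server would import it at the top.
    """
    from OpenSSL import SSL  # pyOpenSSL >= 0.13 for the SNI calls used below

    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
    ctx.use_certificate_file(certfile)
    ctx.use_privatekey_file(keyfile)
    return ctx


def build_servername_callback(contexts: Dict[str, object], default: str) -> Callable:
    """Return the function to hand to Context.set_tlsext_servername_callback.

    pyOpenSSL calls it with the Connection during the handshake; we read the requested
    name with get_servername() and swap in the matching Context with set_context().
    All Contexts are built once at startup rather than per connection, so a handshake
    never pays for PEM parsing and a bad path fails at startup, not under a client.
    """
    def servername_callback(connection):
        chosen = select_vhost(connection.get_servername(), contexts, default)
        connection.set_context(contexts[chosen])
    return servername_callback


def build_server_context(vhosts=VHOSTS, default=DEFAULT_VHOST):
    """Wire it together: the listening socket starts with the default vhost's Context;
    the callback swaps in another vhost's Context when SNI asks for a hosted name."""
    contexts = {host: make_context(cert, key) for host, (cert, key) in vhosts.items()}
    base = contexts[default]
    base.set_tlsext_servername_callback(build_servername_callback(contexts, default))
    return base


if __name__ == "__main__":
    import socket
    from OpenSSL import SSL

    logging.basicConfig(level=logging.INFO)
    listener = SSL.Connection(build_server_context(), socket.socket())
    listener.bind(("127.0.0.1", 8443))  # assumed listen address
    listener.listen(5)
    # listener.accept() yields SSL.Connection objects; each handshake runs the callback.
```

The selection policy is kept in a plain function that takes the raw `get_servername()` value, so the part most likely to hide a mistake (case handling, a trailing dot, a client that sends no SNI at all) can be checked with a stub connection and no real handshake.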

comment:4 in reply to: ↑ 3 Changed 3 years ago by glyph

Replying to exarkun:

Thanks for this update, and thanks even more for actually implementing the requisite SNI wrappers.

I think that we should probably have some explicit facility to do SNI so that it can get communicated down to layers like HTTP without OpenSSL specifics.

Also, anyone who takes on the client portion of this implementation should be aware of #5190.

comment:5 Changed 3 years ago by exarkun

  • Summary changed from TLS Server Name Indication (SNI) support to Sever-side TLS Server Name Indication (SNI) support

comment:6 Changed 3 years ago by glyph

  • Summary changed from Sever-side TLS Server Name Indication (SNI) support to Server-side TLS Server Name Indication (SNI) support

comment:7 Changed 22 months ago by chris-

  • Cc chris@… added

comment:8 Changed 8 months ago by wsanchez

  • Owner set to glyph

Assigning this to Glyph while I’m still his boss.

comment:9 Changed 7 months ago by hynek

  • Cc hs@… added