[issue5639] Support TLS SNI extension in ssl module

Jean-Paul Calderone report at bugs.python.org
Sun May 23 18:37:50 CEST 2010


Jean-Paul Calderone <exarkun at twistedmatrix.com> added the comment:

> Sorry I don't like this as much. I believe following the RFC for TLS SNI should be implicit and not something the programmer needs to put effort into achieving. I acknowledge this approach does go against some explicit behaviour programming quality metrics.

It's almost always wrong for Python to enforce a particular *policy*, particularly in a very low level API (which is what the ssl module should be).  Python's main job is to make it *possible* to do things.  It's the application developer's job to decide what things should be done.

It would be entirely appropriate, though, for a higher-level interface (for example, the httplib module) to take care of this itself and not require users to explicitly specify things separately.

> Well, the hostname should be specific to a connection, so I'm not sure it makes sense to set it on the context.

That doesn't make sense to me.  For example, consider the case where you're talking to a web service.  The hostname lookup might result in 10 A records, which you then drop into a connection pool.  Your application doesn't care which server you talk to (and maybe it talks to several, or all, of them).  But it does want to specify the same hostname for each.

> (besides, the OpenSSL APIs only allow it to be set on the SSL structure)

Nope, I checked before making the suggestion.  There's an SSL_CTX_ version of this API (in addition to the SSL_ version).
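As an added illustration of the design question argued above (this is example code, not code from the thread or from CPython itself), the split the ssl module ended up with: the SSLContext carries the verification policy and is shared by every socket in a pool, while the SNI/verification name is given per connection via server_hostname. The address list is a constructed sample; the sockets are deliberately left unconnected so the example runs offline.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """One context holding the *policy*: verify the chain against the system
    trust store and check the certificate against the per-connection name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    return ctx


def wrap_pool(ctx: ssl.SSLContext, hostname: str, addresses):
    """Wrap one TCP socket per resolved address with the same context and the
    same hostname. server_hostname is what goes into the SNI extension and what
    the peer certificate is matched against, so every server behind the name
    is checked against the same identity. Sockets stay unconnected here; a real
    pool would connect each one, at which point the handshake runs."""
    pool = []
    for host, port in addresses:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tls = ctx.wrap_socket(sock, server_hostname=hostname,
                              do_handshake_on_connect=True)
        pool.append(tls)
    return pool


def needs_hostname(ctx: ssl.SSLContext) -> bool:
    """With check_hostname enabled, a client-side wrap without server_hostname
    is refused up front (ValueError) instead of silently skipping the name
    check. Returns True when the context enforces that."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        ctx.wrap_socket(sock, server_hostname=None)
    except ValueError:
        return True
    finally:
        sock.close()
    return False


def close_pool(pool) -> None:
    for tls in pool:
        tls.close()


if __name__ == "__main__":
    # Constructed sample: two addresses standing in for the "10 A records".
    ctx = make_client_context()
    pool = wrap_pool(ctx, "example.com", [("127.0.0.1", 8443), ("127.0.0.2", 8443)])
    print([s.server_hostname for s in pool], needs_hostname(ctx))
    close_pool(pool)
```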

Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5639>