[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP
Matt Davis
report at bugs.python.org
Thu Nov 30 13:05:09 EST 2017
New submission from Matt Davis <mdavis at ansible.com>:
The current implementation of SSLContext.wrap_socket blindly sends whatever is passed in server_hostname in the SNI extension, assuming it's a DNS hostname. RFC6066 describes the SNI TLS extension, and specifically states that 'Literal IPv4 and IPv6 addresses are not permitted in "HostName".' The RFC makes no recommendation on how a server implementation that violates this requirement should behave; Microsoft's kernel HTTP listener (http.sys) chooses to abort the connection if SNI has been enabled. In the http.sys case, SNI is a global setting, currently off by default, but if any registered listener has SNI enabled, the connection abort behavior applies to all listeners.
SSLContext.wrap_socket() should determine whether server_hostname is an IP address before including the SNI extension.
I've submitted a PR to work around this issue in urllib3 (https://github.com/shazow/urllib3/pull/1287) in the meantime, but would be good to get this fixed, especially if Microsoft decides to enable SNI by default at some point.
----------
assignee: christian.heimes
components: SSL
messages: 307333
nosy: christian.heimes, nitzmahone
priority: normal
severity: normal
status: open
title: SSLContext.wrap_socket sends SNI Extension when server_hostname is IP
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32185>
_______________________________________
More information about the Python-bugs-list
mailing list