From c62c9f54a0b3f381c613de446e94dd10bfb523be Mon Sep 17 00:00:00 2001
From: Oleg Girko
Date: Sat, 26 Oct 2013 02:11:46 +0100
Subject: [PATCH] Add support for TLS SNI if M2Crypto supports it.
Currently osc can't access API URLs which share the same IP address
with other SSL-enabled sites, complaining about certificate
not matching hostname.
This change solves this problem by instructing M2Crypto.SSL.Connection
to send the desired hostname to https server using TLS SNI extension,
thus allowing the server to present the right certificate and choose
the right virtual site.
This is useful for those who can't afford to have a separate IP address
for OBS API.
For TLS SNI to work correctly, M2Crypto should be patched:
https://bugzilla.osafoundation.org/show_bug.cgi?id=13073
Some distributions (like Fedora) already include this patch.
With an unpatched M2Crypto, osc falls back to operating without TLS SNI.
Signed-off-by: Oleg Girko
---
osc/oscssl.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/osc/oscssl.py b/osc/oscssl.py
index 325e1ab7..62f50c4b 100644
--- a/osc/oscssl.py
+++ b/osc/oscssl.py
@@ -250,7 +250,12 @@ class myHTTPSConnection(M2Crypto.httpslib.HTTPSConnection):
M2Crypto.httpslib.HTTPSConnection.__init__(self, *args, **kwargs)
def connect(self, *args):
- M2Crypto.httpslib.HTTPSConnection.connect(self, *args)
+ self.sock = SSL.Connection(self.ssl_ctx)
+ if self.session:
+ self.sock.set_session(self.session)
+ if hasattr(self.sock, 'set_tlsext_host_name'):
+ self.sock.set_tlsext_host_name(self.host)
+ self.sock.connect((self.host, self.port))
verify_certificate(self)
def getHost(self):