Add support for TLS SNI if M2Crypto supports it.

Currently osc can't access API URLs which share the same IP address with other SSL-enabled sites, complaining about certificate not matching hostname. This change solves this problem by instructing M2Crypto.SSL.Connection to send the desired hostname to https server using TLS SNI extension, thus allowing the server to present the right certificate and choose the right virtual site. This is useful for those who can't afford to have a separate IP address for OBS API. For TLS SNI to work correctly, M2Crypto should be patched: https://bugzilla.osafoundation.org/show_bug.cgi?id=13073 Some distributions (like Fedora) already include this patch. For unpatched M2Crypto osc degrades to operation without TLS SNI. Signed-off-by: Oleg Girko <ol@infoserver.lv>
2024-09-20 09:16:16 +02:00 · 2013-10-26 02:11:46 +01:00 · 2013-10-26 02:11:46 +01:00 · c62c9f54a0
commit c62c9f54a0
parent a031dbd083
1 changed files with 6 additions and 1 deletions
--- a/osc/oscssl.py
+++ b/osc/oscssl.py
@ -250,7 +250,12 @@ class myHTTPSConnection(M2Crypto.httpslib.HTTPSConnection):
        M2Crypto.httpslib.HTTPSConnection.__init__(self, *args, **kwargs)

    def connect(self, *args):
-        M2Crypto.httpslib.HTTPSConnection.connect(self, *args)
+        self.sock = SSL.Connection(self.ssl_ctx)
+        if self.session:
+            self.sock.set_session(self.session)
+        if hasattr(self.sock, 'set_tlsext_host_name'):
+            self.sock.set_tlsext_host_name(self.host)
+        self.sock.connect((self.host, self.port))
        verify_certificate(self)

    def getHost(self):