bpo-36076: Add SNI support to ssl.get_server_certificate. (GH-16820) Many servers in the cloud environment require SNI to be used during the SSL/TLS handshake, therefore it is not possible to fetch their certificates using the ssl.get_server_certificate interface. This change adds an additional optional hostname argument that can be used to set the SNI. Note that it is intentionally a separate argument instead of using the host part of the addr tuple, because one might want to explicitly fetch the default certificate or fetch a certificate from a specific IP address with the specified SNI hostname. A separate argument also works better for backwards compatibility. Automerge-Triggered-By: GH:tiran

commit: 49fdf118aeda891401d638ac32296c7d55d54678 [log] [tgz]
author: juhovh <juhovh@iki.fi> Sun Apr 18 21:11:48 2021 +1000
committer: GitHub <noreply@github.com> Sun Apr 18 04:11:48 2021 -0700
tree: 28b2e0df7618d9934e70d4a72019bcfbff08d18b
parent: 2798f247c0747d28cb857fa80803797b24696cb6 [diff] [blame]
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 9c1ba58..99d0852 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py

@@ -1475,7 +1475,7 @@ def get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None):
                                      cert_reqs=cert_reqs,
                                      cafile=ca_certs)
     with  create_connection(addr) as sock:
-        with context.wrap_socket(sock) as sslsock:
+        with context.wrap_socket(sock, server_hostname=host) as sslsock:
             dercert = sslsock.getpeercert(True)
     return DER_cert_to_PEM_cert(dercert)
commit	49fdf118aeda891401d638ac32296c7d55d54678	[log] [tgz]
author	juhovh <juhovh@iki.fi>	Sun Apr 18 21:11:48 2021 +1000
committer	GitHub <noreply@github.com>	Sun Apr 18 04:11:48 2021 -0700
tree	28b2e0df7618d9934e70d4a72019bcfbff08d18b
parent	2798f247c0747d28cb857fa80803797b24696cb6 [diff] [blame]