jaraco/irc

`irc.connection.Factory.connect` should support `ssl.SSLContext.wrap_socket` with the `server_hostname` parameter

bd808 opened this issue · 1 comments

bd808 commented

`ssl.wrap_socket` is the currently recommended helper for adding SSL/TLS support when using the library. `ssl.wrap_socket` usage, however, has been deprecated since Python 3.2. Instead, clients are encouraged to use an instance of `ssl.SSLContext` and its `wrap_socket` method.

Per https://ircv3.net/docs/sni.html, IRCv3-capable clients must use SNI when connecting via TLS. `ssl.SSLContext.wrap_socket` is able to perform SNI negotiation and server certificate validation when it is called with a `server_hostname` parameter, but will error out with "ValueError: check_hostname requires server_hostname" or similar when `server_hostname` is omitted. The workaround for this is to set `check_hostname = False` and `verify_mode = ssl.CERT_NONE` on the `ssl.SSLContext` instance, but this also violates the IRCv3 spec and introduces man-in-the-middle potential for the TLS-secured connection.

Sounds good. Would you be willing to implement a patch?
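The behaviour described in the issue, as an added example that is not code from the thread or from the irc project: it reproduces the `ValueError` and binds `server_hostname` with `functools.partial` so that a one-argument socket wrapper keeps SNI and verification enabled. It assumes the caller invokes the wrapper as `wrapper(sock)`; `make_tls_wrapper` and the hostname `irc.example.net` are constructed for illustration.

```python
import functools
import socket
import ssl


def make_tls_wrapper(server_hostname, context=None):
    """Return a one-argument callable (hypothetical helper) that wraps a
    socket with SNI and certificate/hostname checks for server_hostname."""
    if context is None:
        # create_default_context() enables CERT_REQUIRED and check_hostname.
        context = ssl.create_default_context()
    if not context.check_hostname or context.verify_mode != ssl.CERT_REQUIRED:
        # Reject the check_hostname=False / CERT_NONE workaround.
        raise ValueError("refusing a context with verification disabled")
    return functools.partial(context.wrap_socket, server_hostname=server_hostname)


def wrap_without_hostname():
    """Reproduce the error from the issue: a verifying context called
    with only the socket, as a bare wrapper(sock) call would do."""
    context = ssl.create_default_context()
    with socket.socket() as sock:
        try:
            context.wrap_socket(sock)
        except ValueError as exc:
            return str(exc)
    return None


def wrapped_hostname(server_hostname):
    """Wrap an unconnected socket (no network traffic) and report the name
    that will be sent as SNI and matched against the certificate."""
    wrapper = make_tls_wrapper(server_hostname)
    with socket.socket() as sock:
        tls_sock = wrapper(sock)
        try:
            return tls_sock.server_hostname
        finally:
            tls_sock.close()


if __name__ == "__main__":
    print(wrap_without_hostname())
    print(wrapped_hostname("irc.example.net"))  # constructed hostname
```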