Issue #19783: nntplib now supports SSLContext.check_hostname and server name

indication for TLS/SSL connections.

1 files changed, 5 insertions, 4 deletions

diff --git a/Lib/nntplib.py b/Lib/nntplib.py
index 046f48343d..fcb01d319b 100644
--- a/Lib/nntplib.py
+++ b/Lib/nntplib.py
@@ -279,7 +279,7 @@ def _unparse_datetime(dt, legacy=False):
 
 if _have_ssl:
 
-    def _encrypt_on(sock, context):
+    def _encrypt_on(sock, context, hostname):
         """Wrap a socket in SSL/TLS. Arguments:
         - sock: Socket to wrap
         - context: SSL context to use for the encrypted connection
@@ -289,7 +289,8 @@ if _have_ssl:
         # Generate a default SSL context if none was passed.
         if context is None:
             context = ssl._create_stdlib_context()
-        return context.wrap_socket(sock)
+        server_hostname = hostname if ssl.HAS_SNI else None
+        return context.wrap_socket(sock, server_hostname=server_hostname)
 
 
 # The classes themselves
@@ -1005,7 +1006,7 @@ class _NNTPBase:
             resp = self._shortcmd('STARTTLS')
             if resp.startswith('382'):
                 self.file.close()
-                self.sock = _encrypt_on(self.sock, context)
+                self.sock = _encrypt_on(self.sock, context, self.host)
                 self.file = self.sock.makefile("rwb")
                 self.tls_on = True
                 # Capabilities may change after TLS starts up, so ask for them
@@ -1065,7 +1066,7 @@ if _have_ssl:
             in default port and the `ssl_context` argument for SSL connections.
             """
             self.sock = socket.create_connection((host, port), timeout)
-            self.sock = _encrypt_on(self.sock, ssl_context)
+            self.sock = _encrypt_on(self.sock, ssl_context, host)
             file = self.sock.makefile("rwb")
             _NNTPBase.__init__(self, file, host,
                                readermode=readermode, timeout=timeout)