Another small update to the patch, just in case anyone wants to build it against OpenSSL versions older than 1.0.2 (let's say on Ubuntu 12.04).
It now checks for the OpenSSL version instead of for SSL_CTRL_SET_TLSEXT_HOSTNAME (which has been around since 0.9.8.something, so this change is safe in that regard). The a2i_IPADDRESS function was introduced in 1.0.2; the patch calls it to determine if the ServerName TLS extension info should be set (SNI is not allowed for IP addresses, just for hostnames).
For anything before OpenSSL 1.0.2 (because a2i_IPADDRESS is not available there), SNI wouldn't be done.
Since nothing before OpenSSL 1.1.1 supports TLSv1.3 anyway (and that's when the problem occurs in the first place), that approach seems better.
P.S. I have the info on a2i_IPADDRESS version availability from https://github.com/python/cpython/commit/e9370a47389903bb72badc95032ec84a0ebbf8cc, which does even more extra correct things for ancient OpenSSL versions, but that doesn't apply to Ubuntu.
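
A sketch of the check described in this comment, added here as an illustration and not taken from the patch itself: SNI is set only when the peer name is not an IP literal, and only on OpenSSL 1.0.2 or newer. The names `should_send_sni`, `is_ip_literal`, `set_sni_if_hostname` and the `USE_OPENSSL` build macro are hypothetical; without `USE_OPENSSL`, `inet_pton` stands in for `a2i_IPADDRESS` so the file compiles on its own.

```c
/* Added example: decide whether to send SNI for a given peer name.
 * Build with -DUSE_OPENSSL -lssl -lcrypto to use a2i_IPADDRESS;
 * otherwise inet_pton is used as a stand-in (assumption of this sketch). */
#include <stddef.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#ifdef USE_OPENSSL
#include <openssl/opensslv.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
#endif

/* Returns 1 if `host` parses as an IPv4 or IPv6 literal, 0 otherwise. */
static int is_ip_literal(const char *host)
{
#if defined(USE_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10002000L
    ASN1_OCTET_STRING *ip = a2i_IPADDRESS(host);
    if (ip == NULL)
        return 0;
    ASN1_OCTET_STRING_free(ip);
    return 1;
#else
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
#endif
}

/* SNI carries hostnames only; empty names and IP literals get none. */
int should_send_sni(const char *host)
{
    if (host == NULL || host[0] == '\0')
        return 0;
    return !is_ip_literal(host);
}

#ifdef USE_OPENSSL
/* Returns 1 on success or when SNI is deliberately skipped, 0 on failure. */
int set_sni_if_hostname(SSL *ssl, const char *host)
{
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
    if (should_send_sni(host))
        return SSL_set_tlsext_host_name(ssl, host) == 1;
#endif
    return 1; /* older OpenSSL: no SNI is sent, as the comment describes */
}
#endif
```

Call `set_sni_if_hostname` after `SSL_new` and before the handshake starts, so the extension is included in the ClientHello.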