the trouble with python and SNI
Server Name Indication is a TLS extension that allows the client to tell the server what hostname it would like to talk to. It solves, in theory, one of the issues with moving a web server with many virtual hosts to https: different hostnames need different certs.
Unfortunately, python 2.7 doesn’t support SNI, much to my regret. Thanks to an HN comment I was pointed to a python issue. The problem has been known about for five years, but fixing things isn’t the python way. Finally, somebody saw the light, which led to PEP 466. Current status: partially implemented.
Where does this leave me? I could upgrade to python 3.4, but none of the auxiliary libraries I need (notably py-feedparser) are available as OpenBSD packages except for versions built against 2.7. Or I can wait for python 2.7.9, although as a practical matter that would also mean upgrading OpenBSD and everything else (and likely not until May) so maybe I’d rather not. And that’s if 2.7.9 actually includes working SNI support. Digging through the issue tracker, it sounds like only optional support will be included, and programs will need to be changed and updated as well. It’s very important that upgrades don’t make things work by accident.
There is also the inject_into_urllib3 approach which I’m honestly kind of scared of, but it could work.
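Because the post notes that SNI support, when it does arrive, is optional and requires program changes, an added example (not code from the original post) showing the check a program can make against the stdlib ssl module before trusting a TLS connection to reach the right virtual host: it reports whether the build exposes ssl.HAS_SNI and wraps a socket only when the hostname can actually be sent. The hostname and the socketpair used for the demonstration are constructed; the urllib3 import is guarded since that library may not be installed.

```python
import socket
import ssl
import sys


def sni_status():
    """Report whether this interpreter's ssl module can send SNI at all."""
    return {
        "python": "%d.%d.%d" % sys.version_info[:3],
        "openssl": ssl.OPENSSL_VERSION,
        # HAS_SNI is absent on old 2.7 builds; getattr keeps the check portable.
        "has_sni": bool(getattr(ssl, "HAS_SNI", False)),
    }


def wrap_for_host(sock, hostname, context=None):
    """Wrap sock in TLS for hostname, failing loudly instead of silently omitting SNI."""
    if not getattr(ssl, "HAS_SNI", False):
        raise RuntimeError("ssl module lacks SNI; the server would answer with its default cert")
    if context is None:
        context = ssl.create_default_context()   # verifies the chain and the hostname
    # server_hostname is the program change the post refers to: without it no SNI is sent.
    return context.wrap_socket(sock, server_hostname=hostname, do_handshake_on_connect=False)


def urllib3_pyopenssl_available():
    """True if the inject_into_urllib3 fallback mentioned in the post could be used here."""
    try:
        from urllib3.contrib import pyopenssl  # noqa: F401
    except ImportError:
        return False
    return hasattr(pyopenssl, "inject_into_urllib3")


if __name__ == "__main__":
    print(sni_status())
    a, b = socket.socketpair()                   # constructed local pair; no network needed
    tls = wrap_for_host(a, "www.example.com")
    print(tls.server_hostname)                   # www.example.com
    tls.close()
    b.close()
    print("urllib3 pyopenssl fallback:", urllib3_pyopenssl_available())
```

The socket pair never completes a handshake; the point is only that the wrapped socket carries the hostname it will put into the ClientHello, which is exactly what an SNI-less build cannot do.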
Instead my solution was to change the Duo blog’s URL to a file on disk, fetched by ftp running out of cron.