Issue #19783: nntplib now supports SSLContext.check_hostname and server name

indication for TLS/SSL connections.

3 files changed, 16 insertions, 4 deletions

diff --git a/Doc/library/nntplib.rst b/Doc/library/nntplib.rst
index 0098041..a8145fe 100644
--- a/Doc/library/nntplib.rst
+++ b/Doc/library/nntplib.rst
@@ -102,6 +102,10 @@ The module itself defines the following classes:
 
    .. versionadded:: 3.2
 
+   .. versionchanged:: 3.4
+      The class now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).
 
 .. exception:: NNTPError
 
@@ -241,6 +245,10 @@ tuples or objects that the method normally returns will be empty.
 
    .. versionadded:: 3.2
 
+   .. versionchanged:: 3.4
+      The method now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).
 
 .. method:: NNTP.newgroups(date, *, file=None)
 
diff --git a/Lib/nntplib.py b/Lib/nntplib.py
index 046f483..fcb01d3 100644
--- a/Lib/nntplib.py
+++ b/Lib/nntplib.py
@@ -279,7 +279,7 @@ def _unparse_datetime(dt, legacy=False):
 
 if _have_ssl:
 
-    def _encrypt_on(sock, context):
+    def _encrypt_on(sock, context, hostname):
         """Wrap a socket in SSL/TLS. Arguments:
         - sock: Socket to wrap
         - context: SSL context to use for the encrypted connection
@@ -289,7 +289,8 @@ if _have_ssl:
         # Generate a default SSL context if none was passed.
         if context is None:
             context = ssl._create_stdlib_context()
-        return context.wrap_socket(sock)
+        server_hostname = hostname if ssl.HAS_SNI else None
+        return context.wrap_socket(sock, server_hostname=server_hostname)
 
 
 # The classes themselves
@@ -1005,7 +1006,7 @@ class _NNTPBase:
             resp = self._shortcmd('STARTTLS')
             if resp.startswith('382'):
                 self.file.close()
-                self.sock = _encrypt_on(self.sock, context)
+                self.sock = _encrypt_on(self.sock, context, self.host)
                 self.file = self.sock.makefile("rwb")
                 self.tls_on = True
                 # Capabilities may change after TLS starts up, so ask for them
@@ -1065,7 +1066,7 @@ if _have_ssl:
             in default port and the `ssl_context` argument for SSL connections.
             """
             self.sock = socket.create_connection((host, port), timeout)
-            self.sock = _encrypt_on(self.sock, ssl_context)
+            self.sock = _encrypt_on(self.sock, ssl_context, host)
             file = self.sock.makefile("rwb")
             _NNTPBase.__init__(self, file, host,
                                readermode=readermode, timeout=timeout)
diff --git a/Misc/NEWS b/Misc/NEWS
index 9f0dbb9..20b80c1 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,9 @@ Library
 - Issue #19784: poplib now supports SSLContext.check_hostname and server name
   indication for TLS/SSL connections.
 
+- Issue #19783: nntplib now supports SSLContext.check_hostname and server name
+  indication for TLS/SSL connections.
+
 - Issue #19782: imaplib now supports SSLContext.check_hostname and server name
   indication for TLS/SSL connections.