> A question though: does it support server-side SNI? AFAIR server-side SNI requires you to be able to change a SSL object's context.
Yes, it does. See the following comment in _servername_callback():
/* Pass a PySSLSocket instance when using memory BIOs, but an ssl.SSLSocket
* when using sockets. Note that the latter is not a subclass of the
* former, but both do have a "context" property. THis supports the common
* use case of setting this property in the servername callback. */
The C-level _ssl._SSLSocket object is passed to the servername callback. It has a "context" property that can be set.
I realize the above is an abstraction violation between the C and Python level. Now that we have an SSLObject Python level API, I could update the code to store a weakref to the SSLObject in the _SSLSocket (just like it does for SSLSocket). That way I can pass the Python level object into the callback. Any thoughts?