pypi / support

Issue tracker for support requests related to using https://pypi.org

SNI Requirement on Python 2.6 #974

Closed jborean93 closed 3 years ago

jborean93 commented 3 years ago

My Platform

Python 2.6 using pip==9.0.3.

The issue here is that pip install ... doesn't support SNI due to the ancient version of Python that is in use (2.6's ssl module doesn't support SNI). Totally understand that SNI support on 2.6 requires pyOpenSSL and the injection code to be run, but the issue is that the SNI requirement seemed to have just popped out of nowhere. This was working just fine but now is not, so I was wondering if this was an intentional change?

Fastly Debug

$ pip install six
Collecting six
  Certificate did not match expected hostname: files.pythonhosted.org. Certificate: {'notAfter': 'Apr 28 19:20:25 2021 GMT', 'subjectAltName': ((u'DNS', 'r.ssl.fastly.net'), (u'DNS', '*.catchpoint.com'), (u'DNS', '*.cnn.io'), (u'DNS', '*.dollarshaveclub.com'), (u'DNS', '*.eater.com'), (u'DNS', '*.fastly.picmonkey.com'), (u'DNS', '*.files.saymedia-content.com'), (u'DNS', '*.ft.com'), (u'DNS', '*.meetupstatic.com'), (u'DNS', '*.nfl.com'), (u'DNS', '*.pagar.me'), (u'DNS', '*.picmonkey.com'), (u'DNS', '*.realself.com'), (u'DNS', '*.sbnation.com'), (u'DNS', '*.shakr.com'), (u'DNS', '*.streamable.com'), (u'DNS', '*.surfly.com'), (u'DNS', '*.theverge.com'), (u'DNS', '*.thrillist.com'), (u'DNS', '*.vox-cdn.com'), (u'DNS', '*.vox.com'), (u'DNS', '*.voxmedia.com'), (u'DNS', 'eater.com'), (u'DNS', 'ft.com'), (u'DNS', 'i.gse.io'), (u'DNS', 'picmonkey.com'), (u'DNS', 'realself.com'), (u'DNS', 'static.wixstatic.com'), (u'DNS', 'streamable.com'), (u'DNS', 'surfly.com'), (u'DNS', 'theverge.com'), (u'DNS', 'vox-cdn.com'), (u'DNS', 'vox.com'), (u'DNS', 'www.joyent.com')), 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'California'),), (('localityName', u'San Francisco'),), (('organizationName', u'Fastly, Inc'),), (('commonName', u'r.ssl.fastly.net'),))}
  Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(CertificateError("hostname 'files.pythonhosted.org' doesn't match either of 'r.ssl.fastly.net', '*.catchpoint.com', '*.cnn.io', '*.dollarshaveclub.com', '*.eater.com', '*.fastly.picmonkey.com', '*.files.saymedia-content.com', '*.ft.com', '*.meetupstatic.com', '*.nfl.com', '*.pagar.me', '*.picmonkey.com', '*.realself.com', '*.sbnation.com', '*.shakr.com', '*.streamable.com', '*.surfly.com', '*.theverge.com', '*.thrillist.com', '*.vox-cdn.com', '*.vox.com', '*.voxmedia.com', 'eater.com', 'ft.com', 'i.gse.io', 'picmonkey.com', 'realself.com', 'static.wixstatic.com', 'streamable.com', 'surfly.com', 'theverge.com', 'vox-cdn.com', 'vox.com', 'www.joyent.com'",),)': /packages/fc/e0/acb6a5112d364e3e279b3da3454b60e852d7dbf3e926193864f62244d03a/smbprotocol-0.2.0-py2.py3-none-any.whl

DNS Resolution

$ dig pypi.org A

; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> pypi.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1768
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;pypi.org.                      IN      A

;; ANSWER SECTION:
pypi.org.               15719   IN      A       151.101.192.223
pypi.org.               15719   IN      A       151.101.128.223
pypi.org.               15719   IN      A       151.101.64.223
pypi.org.               15719   IN      A       151.101.0.223

;; Query time: 3 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Mar 23 21:22:56 UTC 2021
;; MSG SIZE  rcvd: 101
$ dig pypi.org AAAA

; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> pypi.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34423
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;pypi.org.                      IN      AAAA

;; ANSWER SECTION:
pypi.org.               82894   IN      AAAA    2a04:4e42:600::223
pypi.org.               82894   IN      AAAA    2a04:4e42:400::223
pypi.org.               82894   IN      AAAA    2a04:4e42:200::223
pypi.org.               82894   IN      AAAA    2a04:4e42::223

;; Query time: 5 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Mar 23 21:23:10 UTC 2021
;; MSG SIZE  rcvd: 149
$ dig files.pythonhosted.org A

; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> files.pythonhosted.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22116
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;files.pythonhosted.org.                IN      A

;; ANSWER SECTION:
files.pythonhosted.org. 27200   IN      CNAME   dualstack.r.ssl.global.fastly.net.
dualstack.r.ssl.global.fastly.net. 30 IN A      151.101.97.63

;; Query time: 6 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Mar 23 21:23:23 UTC 2021
;; MSG SIZE  rcvd: 114
$ dig files.pythonhosted.org AAAA

; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> files.pythonhosted.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11339
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;files.pythonhosted.org.                IN      AAAA

;; ANSWER SECTION:
files.pythonhosted.org. 27195   IN      CNAME   dualstack.r.ssl.global.fastly.net.
dualstack.r.ssl.global.fastly.net. 30 IN AAAA   2a04:4e42:17::319

;; Query time: 9 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Mar 23 21:23:28 UTC 2021
;; MSG SIZE  rcvd: 126

Traceroutes / IPv4

$ traceroute pypi.org

traceroute to pypi.org (151.101.0.223), 30 hops max, 60 byte packets
 1  172.17.0.1 (172.17.0.1)  0.370 ms  0.318 ms  0.300 ms
 2  RT-AX58U-BB40 (192.168.0.1)  1.804 ms  1.779 ms  1.764 ms
 3  100.64.72.1 (100.64.72.1)  3.525 ms  3.389 ms  3.490 ms
 4  core01-b1.bne.launtel.net.au (87.121.75.253)  3.658 ms  3.632 ms  3.743 ms
 5  as4826.brisbane.megaport.com (103.26.70.97)  4.225 ms  4.067 ms  4.184 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
$ traceroute files.pythonhosted.org

traceroute to files.pythonhosted.org (151.101.97.63), 30 hops max, 60 byte packets
 1  172.17.0.1 (172.17.0.1)  0.381 ms  0.328 ms  0.309 ms
 2  RT-AX58U-BB40 (192.168.0.1)  1.922 ms  2.017 ms  1.999 ms
 3  100.64.72.1 (100.64.72.1)  3.475 ms  3.553 ms  3.523 ms
 4  core01-b1.bne.launtel.net.au (87.121.75.253)  3.679 ms  3.656 ms  3.643 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Traceroutes / IPv6 (If available)

N/A

HTTPS Requests / IPv4

$ curl -vvv -I --ipv4 https://pypi.org/pypi/pip/json

*   Trying 151.101.0.223...
* TCP_NODELAY set
* Connected to pypi.org (151.101.0.223) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=3359300; C=US; ST=Oregon; L=Beaverton; O=Python Software Foundation; CN=www.python.org
*  start date: Sep 29 00:00:00 2020 GMT
*  expire date: Oct 31 00:00:00 2021 GMT
*  subjectAltName: host "pypi.org" matched cert's "pypi.org"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55d293b925c0)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> HEAD /pypi/pip/json HTTP/2
> Host: pypi.org
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 200
HTTP/2 200
< access-control-allow-headers: Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since
access-control-allow-headers: Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since
< access-control-allow-methods: GET
access-control-allow-methods: GET
< access-control-allow-origin: *
access-control-allow-origin: *
< access-control-expose-headers: X-PyPI-Last-Serial
access-control-expose-headers: X-PyPI-Last-Serial
< access-control-max-age: 86400
access-control-max-age: 86400
< cache-control: max-age=900, public
cache-control: max-age=900, public
< content-security-policy: base-uri 'self'; block-all-mixed-content; connect-src 'self' https://api.github.com/repos/ *.fastly-insights.com sentry.io https://api.pwnedpasswords.com https://2p66nmmycsj3.statuspage.io; default-src 'none'; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' https://warehouse-camo.ingress.cmh1.psfhosted.org/ www.google-analytics.com *.fastly-insights.com; script-src 'self' www.googletagmanager.com www.google-analytics.com *.fastly-insights.com https://cdn.ravenjs.com; style-src 'self' fonts.googleapis.com; worker-src *.fastly-insights.com
content-security-policy: base-uri 'self'; block-all-mixed-content; connect-src 'self' https://api.github.com/repos/ *.fastly-insights.com sentry.io https://api.pwnedpasswords.com https://2p66nmmycsj3.statuspage.io; default-src 'none'; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' https://warehouse-camo.ingress.cmh1.psfhosted.org/ www.google-analytics.com *.fastly-insights.com; script-src 'self' www.googletagmanager.com www.google-analytics.com *.fastly-insights.com https://cdn.ravenjs.com; style-src 'self' fonts.googleapis.com; worker-src *.fastly-insights.com
< content-type: application/json
content-type: application/json
< etag: "GJ2MzzNzT4zaHofzvnmRcA"
etag: "GJ2MzzNzT4zaHofzvnmRcA"
< referrer-policy: origin-when-cross-origin
referrer-policy: origin-when-cross-origin
< server: nginx/1.13.9
server: nginx/1.13.9
< x-pypi-last-serial: 9272759
x-pypi-last-serial: 9272759
< accept-ranges: bytes
accept-ranges: bytes
< date: Tue, 23 Mar 2021 21:30:20 GMT
date: Tue, 23 Mar 2021 21:30:20 GMT
< x-served-by: cache-bwi5140-BWI, cache-bne7723-BNE
x-served-by: cache-bwi5140-BWI, cache-bne7723-BNE
< x-cache: HIT, HIT
x-cache: HIT, HIT
< x-cache-hits: 3, 2
x-cache-hits: 3, 2
< x-timer: S1616535020.468094,VS0,VE0
x-timer: S1616535020.468094,VS0,VE0
< vary: Accept-Encoding, Accept-Encoding
vary: Accept-Encoding, Accept-Encoding
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
x-frame-options: deny
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
x-permitted-cross-domain-policies: none
< content-length: 117476
content-length: 117476

<
* Connection #0 to host pypi.org left intact
$ curl -vvv -I --ipv4 https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz

*   Trying 151.101.97.63...
* TCP_NODELAY set
* Connected to files.pythonhosted.org (151.101.97.63) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.pythonhosted.org
*  start date: Mar 22 19:18:08 2021 GMT
*  expire date: Apr 23 19:18:07 2022 GMT
*  subjectAltName: host "files.pythonhosted.org" matched cert's "*.pythonhosted.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA 2020
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55bbb80585c0)
> HEAD /packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz HTTP/2
> Host: files.pythonhosted.org
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< last-modified: Wed, 26 Feb 2020 17:47:37 GMT
last-modified: Wed, 26 Feb 2020 17:47:37 GMT
< etag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
etag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
< content-type: binary/octet-stream
content-type: binary/octet-stream
< x-goog-hash: crc32c=Om2N1A==
x-goog-hash: crc32c=Om2N1A==
< x-goog-hash: md5=g6F3dW4sgB0LOm97DU8/fg==
x-goog-hash: md5=g6F3dW4sgB0LOm97DU8/fg==
< server: UploadServer
server: UploadServer
< cache-control: max-age=365000000, immutable, public
cache-control: max-age=365000000, immutable, public
< accept-ranges: bytes
accept-ranges: bytes
< date: Tue, 23 Mar 2021 21:31:32 GMT
date: Tue, 23 Mar 2021 21:31:32 GMT
< age: 506754
age: 506754
< x-served-by: cache-sea4442-SEA, cache-bne7720-BNE
x-served-by: cache-sea4442-SEA, cache-bne7720-BNE
< x-cache: HIT, MISS
x-cache: HIT, MISS
< x-cache-hits: 1, 0
x-cache-hits: 1, 0
< x-timer: S1616535093.533766,VS0,VE336
x-timer: S1616535093.533766,VS0,VE336
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
x-frame-options: deny
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
x-permitted-cross-domain-policies: none
< x-robots-header: noindex
x-robots-header: noindex
< content-length: 1246072
content-length: 1246072

<
* Connection #0 to host files.pythonhosted.org left intact

HTTPS Requests / IPv6 (If available)

N/A

TLS Debug / IPv4

$ echo -n | openssl s_client -4 -connect pypi.org:443

CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 3359300, C = US, ST = Oregon, L = Beaverton, O = Python Software Foundation, CN = www.python.org
verify return:1
---
Certificate chain
 0 s:businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 3359300, C = US, ST = Oregon, L = Beaverton, O = Python Software Foundation, CN = www.python.org
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate
subject=businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 3359300, C = US, ST = Oregon, L = Beaverton, O = Python Software Foundation, CN = www.python.org

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3831 bytes and written 390 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: AA64D04000164FC297C813DB98973955432043150B0DF080EB6BEAAB8E1202FC
    Session-ID-ctx:
    Resumption PSK: 94E91BF64DBBD0F3CA08107BECF0FBF259974215D426A534817365598931E3D170A52963310783B7D6B79BCC269FC841
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:

    Start Time: 1616535776
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE
$ echo -n | openssl s_client -4 -connect files.pythonhosted.org:443

CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2020
verify return:1
depth=0 CN = *.pythonhosted.org
verify return:1
---
Certificate chain
 0 s:CN = *.pythonhosted.org
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2020
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2020
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
---
Server certificate
subject=CN = *.pythonhosted.org

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2020

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3497 bytes and written 417 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: ED1B7BE3FF05EFB6752C07C081722A057ADA1D71897BA39F5A67848DE661753B
    Session-ID-ctx:
    Master-Key: 8941D926C8347CA0381E9D88AAA1EA9DD62478CC7FBE049313CB9E9906E4D43A19B903C0FE60BD8590B3EC71D7ECF1FE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1616535824
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

TLS Debug / IPv4 without SNI

Note: the cert shown by pip is presented here because SNI is disabled in the openssl call to replicate Python 2.6's behaviour

$ echo -n | openssl s_client -4 -noservername -connect files.pythonhosted.org:443

CONNECTED(00000005)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
subject=C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3917 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 68E8EC9FE665133C624683EBFF03C23D4F376D3519C25A8946F059AC23CAF9C4
    Session-ID-ctx:
    Master-Key: 13961730B580380B99774C3442A3D009DA17DDAB2D129F9299F2DC36974DFF9399289823B2E9FD382A3CF64E2C42FB16
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1616535969
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

TLS Debug / IPv6 (If available)

N/A

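To reproduce the failing check offline, here is an added Python 3 example (not code from the issue, from pip or from PyPI) that applies the usual subjectAltName and wildcard hostname-matching rules to a constructed subset of the Fastly fallback certificate's names quoted in the pip error above, and reports whether the local ssl module offers SNI at all. The `fetch_peer_cert` helper is a hypothetical live probe equivalent to the `openssl s_client` calls with and without `-noservername`; it touches the network and is not invoked at import.

```python
import socket
import ssl

# Constructed sample: a subset of the DNS SANs from the Fastly fallback
# certificate shown in the pip error (r.ssl.fastly.net), not the full list.
FALLBACK_CERT = {
    'subject': ((('commonName', 'r.ssl.fastly.net'),),),
    'subjectAltName': (
        ('DNS', 'r.ssl.fastly.net'),
        ('DNS', '*.ft.com'),
        ('DNS', '*.vox.com'),
        ('DNS', 'vox.com'),
        ('DNS', 'www.joyent.com'),
    ),
}


def ssl_module_has_sni():
    """True when the interpreter's ssl module can send the SNI extension.

    Python 2.6's ssl module lacks SNI entirely (and has no HAS_SNI attribute),
    which is why a CDN that shares one IP among many names hands it the
    fallback certificate instead of the one for files.pythonhosted.org.
    """
    return bool(getattr(ssl, 'HAS_SNI', False))


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison of one SAN entry against a hostname.

    A wildcard is honoured only as the entire left-most label, must be
    followed by at least two more labels, and matches exactly one label.
    """
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3:
        return False
    if any('*' in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """Match against DNS SANs; fall back to the CN only when no DNS SAN exists."""
    dns_names = [v for (k, v) in cert.get('subjectAltName', ()) if k == 'DNS']
    if dns_names:
        return any(_dns_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                return _dns_name_matches(value, hostname)
    return False


def explain_mismatch(cert, hostname):
    """Return the CertificateError-style message pip printed, or None on a match."""
    if cert_matches_hostname(cert, hostname):
        return None
    dns_names = [v for (k, v) in cert.get('subjectAltName', ()) if k == 'DNS']
    return "hostname %r doesn't match either of %s" % (
        hostname, ', '.join(repr(n) for n in dns_names))


def fetch_peer_cert(host, port=443, use_sni=True, timeout=10):
    """Hypothetical live probe: fetch the leaf certificate with or without SNI.

    Chain verification stays on; only the hostname check is disabled so the
    non-SNI certificate can be inspected and matched with the code above.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()


if __name__ == '__main__':
    print('ssl module supports SNI:', ssl_module_has_sni())
    # Offline diagnosis of the failure from the issue
    print(explain_mismatch(FALLBACK_CERT, 'files.pythonhosted.org'))
```

Run `fetch_peer_cert('files.pythonhosted.org', use_sni=False)` and feed the result to `explain_mismatch` to get the same diagnosis from a live connection.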

webknjaz commented 3 years ago

I'm 99% positive this happened on certificate renewal: Issued On Monday, March 22, 2021 at 8:18:08 PM. And I recall something similar happening last year.

webknjaz commented 3 years ago

FWIW if the client is forced not to use SNI, the certificate received is one that belongs to Fastly. So this assumption may be incorrect (since the error pip gives mentions the whole bunch of SANs):

$ openssl s_client -connect files.pythonhosted.org:443 -noservername
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
subject=C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3917 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 8FA1BEC376BE18016E656D713FC4A2C39672ADB80F586BAA91449D2A6F9F84CF
    Session-ID-ctx: 
    Master-Key: 2E2E4F67911254DA30DBC96A3AAC51CF2B91577F6B321C8F162A572B9DCF72DE5528C066669872ACC581B1A2B3D251F2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1616536553
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
webknjaz commented 3 years ago

@ewdurbin could you take a look at this, please?

mattclay commented 3 years ago

Testing files.pythonhosted.org with Qualys SSL Labs confirms SNI is required and the alternative names do not match.

The latest test results for one of the servers (151.101.1.63) report multiple relevant issues:

mattclay commented 3 years ago

I've emailed Fastly support about this issue, in case it is a problem on their end, since nothing shows up on their status page.

mattclay commented 3 years ago

This is the response I received from Fastly support:

Thanks for chiming in and excellent question. After reviewing the SSL Labs results, you're seeing the mismatch in the certificate because that is the fallback certificate for non-SNI requests. As of right now, it appears you're on a shared certificate, and to remedy this issue, you will need to look into having a dedicated IP space, where you have control of how traffic is served for non-SNI requests.

Fastly Dedicated IP Spaces

Unfortunately this doesn't explain why this just started failing today.

mattclay commented 3 years ago

Fastly support sent a second response:

Can you tell me if the requests you are sending have the SNI servername header being sent? We did our migration this week where the shared cert is no longer the only cert on the IP address you've cnamed to. If that is the case, then you will get that servername mismatch.

And then another:

This issue should be resolved for the time being.

Please note well that the SAN cert that your SAN is on will be deprecated by Globalsign by May 2021. At that point, if your issue is with sending the SNI servername header, you may need to contact your Sales Rep or Account Manager here at Fastly for the options to accommodate non-SNI requests.

I've confirmed that pip install is working again now -- although based on the above statements, only temporarily.

ewdurbin commented 3 years ago

This is indeed #978, we were made aware that they planned to deprecate SNI support but missed further timeline information, which was delivered in a separate email thread, or we would have made announcements sooner.

pradyunsg commented 3 years ago

Consolidating into #978.

molinav commented 3 years ago

I wrote a get-pip for Python 2.6 (GNU/Linux x86_64) that should work around this problem by forcing pip to use pyOpenSSL: https://gist.github.com/molinav/3b4f623edc5793154a0bdd9a78e739e9

It uses a similar approach to get-pip, attaching all the required packages inside the script itself. After execution, pip will be able to reach PyPI under Python 2.6. I cannot reference it in #978 too because the comments are closed there.

molinav commented 3 years ago

For whoever may still be interested in this, I moved my previous gist to an actual repository on GitHub: https://github.com/pylegacy/get-pip-pyopenssl

And it is possible to obtain get-pip-pyopenssl by just doing (under GNU/Linux):

wget http://pylegacy.org/hub/get-pip-pyopenssl.py
python get-pip-pyopenssl.py

Currently supported versions include Python 2.6 and 2.7 under GNU/Linux and Windows, but it should be easily extendable in the future to more Python versions.