From 08b63abe266af9e858f63d752ec3419bae9bbea0 Mon Sep 17 00:00:00 2001
From: Konstantin Lebedev
Date: Mon, 16 Nov 2020 20:29:08 +0300
Subject: [PATCH] Add SSL SNI support
---
 clickhouse_driver/connection.py | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/clickhouse_driver/connection.py b/clickhouse_driver/connection.py
index d2fab0e2..4bcd89df 100644
--- a/clickhouse_driver/connection.py
+++ b/clickhouse_driver/connection.py
@@ -222,7 +222,8 @@ def _create_socket(self, host, port):
 sock.settimeout(self.connect_timeout)
 if self.secure_socket:
- sock = ssl.wrap_socket(sock, **ssl_options)
+ ssl_context = self._create_ssl_context(ssl_options)
+ sock = ssl_context.wrap_socket(sock, server_hostname=host)
 sock.connect(sa)
 return sock
@@ -237,6 +238,25 @@ def _create_socket(self, host, port):
 else:
 raise socket.error("getaddrinfo returns an empty list")
+ def _create_ssl_context(self, ssl_options):
+ purpose = ssl.Purpose.SERVER_AUTH
+
+ version = ssl_options.get('ssl_version', ssl.PROTOCOL_TLS)
+ context = ssl.SSLContext(version)
+
+ if 'ca_certs' in ssl_options:
+ context.load_verify_locations(ssl_options['ca_certs'])
+ elif ssl_options.get('cert_reqs') != ssl.CERT_NONE:
+ context.load_default_certs(purpose
+ )
+ if 'ciphers' in ssl_options:
+ context.set_ciphers(ssl_options['ciphers'])
+
+ if 'cert_reqs' in ssl_options:
+ context.options = ssl_options['cert_reqs']
+
+ return context
+
 def _init_connection(self, host, port):
 self.socket = self._create_socket(host, port)
 self.connected = True
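Review bot: Passing `server_hostname=host` to `wrap_socket` makes the client send SNI, but it does not make the client compare the server certificate with `host`; that comparison only runs when the context has `check_hostname` enabled, and `_create_ssl_context` in the second hunk never sets it. For a context built with `ssl.SSLContext(ssl.PROTOCOL_TLS)` the attribute starts out false, so a certificate issued for a different name would presumably still be accepted once its chain validates. Consider setting `context.check_hostname = True` in `_create_ssl_context` when `cert_reqs` is `ssl.CERT_REQUIRED`, possibly behind an `ssl_options` key so that callers connecting by IP address can opt out. `_create_socket` starts and ends outside this hunk.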
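Review bot: `context.options = ssl_options['cert_reqs']` near the end of `_create_ssl_context` writes a `CERT_*` verification mode into the `OP_*` option bitmask; `SSLContext.options` holds protocol option flags, while the verification requirement belongs in `verify_mode`. As written, the assignment can replace the option flags the context started with, and `verify_mode` keeps the constructor default, which for `ssl.PROTOCOL_TLS` is `ssl.CERT_NONE`, so the server certificate would not be validated even when the caller asks for `ssl.CERT_REQUIRED`. The line should read `context.verify_mode = ssl_options['cert_reqs']`. Separately, the removed `ssl.wrap_socket(sock, **ssl_options)` forwarded every key in `ssl_options`, whereas the new helper reads only `ssl_version`, `ca_certs`, `ciphers` and `cert_reqs`; if callers can supply other keys such as `certfile` or `keyfile`, those are now silently ignored, which is worth confirming where `ssl_options` is built.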