Comment 3 for bug 1089352

Vincent Ladeuil (vila) wrote :

Sorry for the delay.

I've reproduced the issue against https://bzr.debian.org:

Actual code gets the following cert:

{'OCSP': (u'http://ocsp.usertrust.com',),
 'caIssuers': (u'http://crt.usertrust.com/GandiStandardSSLCA2.crt',),
 'crlDistributionPoints': (u'http://crl.usertrust.com/GandiStandardSSLCA2.crl',),
 'issuer': ((('countryName', u'FR'),),
            (('stateOrProvinceName', u'Paris'),),
            (('localityName', u'Paris'),),
            (('organizationName', u'Gandi'),),
            (('commonName', u'Gandi Standard SSL CA 2'),)),
 'notAfter': 'Apr 26 23:59:59 2018 GMT',
 'notBefore': u'Apr 14 00:00:00 2016 GMT',
 'serialNumber': u'4EA82D0B8C8B42D1BFC1061DC9720982',
 'subject': ((('organizationalUnitName', u'Domain Control Validated'),),
             (('organizationalUnitName', u'Gandi Standard Wildcard SSL'),),
             (('commonName', u'*.alioth.debian.org'),)),
 'subjectAltName': (('DNS', '*.alioth.debian.org'),
                    ('DNS', 'alioth.debian.org')),
 'version': 3L}

whereas with SNI it gets the proper:

{'OCSP': (u'http://ocsp.int-x3.letsencrypt.org/',),
 'caIssuers': (u'http://cert.int-x3.letsencrypt.org/',),
 'issuer': ((('countryName', u'US'),),
            (('organizationName', u"Let's Encrypt"),),
            (('commonName', u"Let's Encrypt Authority X3"),)),
 'notAfter': 'Mar 27 11:49:00 2017 GMT',
 'notBefore': u'Dec 27 11:49:00 2016 GMT',
 'serialNumber': u'03667BE3EB8574E879B8D448575FF5DA86B6',
 'subject': ((('commonName', u'git.debian.org'),),),
 'subjectAltName': (('DNS', 'anonscm.debian.org'),
                    ('DNS', 'arch.debian.org'),
                    ('DNS', 'bzr.debian.org'),
                    ('DNS', 'cvs.debian.org'),
                    ('DNS', 'darcs.debian.org'),
                    ('DNS', 'git.debian.org'),
                    ('DNS', 'hg.debian.org'),
                    ('DNS', 'svn.debian.org')),
 'version': 3L}

I'll have a fix shortly.
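
Added example, not part of the original comment and not Bazaar's code: it checks the subjectAltName lists of the two certificates quoted above against bzr.debian.org, showing why the certificate served without SNI fails hostname verification. The helper names (dns_name_matches, cert_covers, fetch_cert) are assumptions made for this illustration, and fetch_cert needs network access so it is defined but not called.

```python
import socket
import ssl

# subjectAltName values copied from the two certificates quoted in the comment.
SAN_WITHOUT_SNI = (('DNS', '*.alioth.debian.org'), ('DNS', 'alioth.debian.org'))
SAN_WITH_SNI = (('DNS', 'anonscm.debian.org'), ('DNS', 'arch.debian.org'),
                ('DNS', 'bzr.debian.org'), ('DNS', 'cvs.debian.org'),
                ('DNS', 'darcs.debian.org'), ('DNS', 'git.debian.org'),
                ('DNS', 'hg.debian.org'), ('DNS', 'svn.debian.org'))


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip('.').split('.')
    h_labels = hostname.lower().rstrip('.').split('.')
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == '*':
        # Need at least two fixed labels after the wildcard and a non-empty host label.
        return (len(p_labels) >= 3 and h_labels[0] != ''
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def cert_covers(cert, hostname):
    """True if any DNS subjectAltName in a getpeercert()-style dict matches."""
    return any(kind == 'DNS' and dns_name_matches(value, hostname)
               for kind, value in cert.get('subjectAltName', ()))


def fetch_cert(host, port=443, send_sni=True, timeout=10):
    """Return the peer certificate dict (needs network; not called here).

    Passing server_hostname is what puts the SNI extension in the ClientHello.
    Without it the ssl module cannot check the hostname itself, so the caller
    must run cert_covers() on the result.
    """
    ctx = ssl.create_default_context()
    if not send_sni:
        ctx.check_hostname = False  # chain is still verified (CERT_REQUIRED)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        name = host if send_sni else None
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            return tls.getpeercert()
```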