Document the security extra for SNI support with legacy Python

docs/user/advanced.rst

@@ -269,6 +269,27 @@ If you specify a wrong path or an invalid cert, you'll get a SSLError::
 .. warning:: The private key to your local certificate *must* be unencrypted.
    Currently, Requests does not support using encrypted keys.
 
+.. _sni-support:
+
+SSL support with old Python versions
+------------------------------------
+
+It's possible to enable OpenSSL support & `Server Name Indication (SNI)`_ for old Python
+versions (older than 2.7.9 & 3.4.3) by installing a few optional dependencies
+using the ``security`` extra::
+
+    $ pipenv install requests[security]
+
+This will install PyOpenSSL, its dependencies and setup `urllib3 certificate validation`_
+automatically when Requests is imported.
+
+However, it is not required if you're using a recent version of Python with `PEP 476`_.
+This is included from Python 2.7.9 and 3.4.3.
+
+.. _`Server Name Indication (SNI)`: https://en.wikipedia.org/wiki/Server_Name_Indication
+.. _`urllib3 certificate validation`: https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verification-in-python-2
+.. _`PEP 476`: https://www.python.org/dev/peps/pep-0476/
+
 .. _ca-certificates:
 
 CA Certificates