➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2019-06-27 10:33 by christian.heimes, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 14421 | merged | christian.heimes, 2019-06-27 11:31 | |
| PR 14493 | merged | miss-islington, 2019-07-01 06:29 | |
| PR 14494 | merged | christian.heimes, 2019-07-01 06:31 | |
| Messages (14) | |||
|---|---|---|---|
| msg346725 - (view) | Author: Christian Heimes (christian.heimes) *  |
Date: 2019-06-27 10:33 | |
Enabling TLS 1.3 post handshake auth also enables cert chain validation. OpenSSL documents SSL_VERIFY_POST_HANDSHAKE as ignored for client side. However tls_process_server_certificate in the client state machine code does not ignore the flag and checks for a correct cert chain. see https://github.com/openssl/openssl/issues/9259 and https://github.com/openssl/openssl/blob/743694a6c29e5a6387819523fad5e3b7e613f1ee/ssl/statem/statem_clnt.c#L1899-L1918 |
|||
| msg346787 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2019-06-27 23:33 | |
Christian, just confirming that, since you have not set this as a "release blocker", 3.7.4 will go out without it. |
|||
| msg346818 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2019-06-28 13:59 | |
This issue breaks some stuff at work. I would appreciate if we can get the fix into 3.7.4. I wasn't aware that we are so close to cut-off to 3.7.4 release. What does the fix do? I moved all PHA related flags / options from SSL_CTX* to SSL*. The flags and options now depend on the socket type and existing flags. For a server-side socket, the SSL_VERIFY_POST_HANDSHAKE verify flag is now only set when the server socket is configured to verify client certs. Server sockets without SSL_VERIFY_PEER flag don't set the option. The presence of SSL_VERIFY_POST_HANDSHAKE without SSL_VERIFY_PEER sometimes triggers handshake errors like "extension not received". The official documentation says "This flag must be used together with SSL_VERIFY_PEER.". The ssl.CERT_OPTIONAL and ssl.CERT_REQURED both set SSL_VERIFY_PEER. SSL_set_post_handshake_auth() is not enabled for server-side sockets. For client side sockets, PHA is only enabled with SSL_set_post_handshake_auth(ssl, 1). The SSL_VERIFY_POST_HANDSHAKE flag is no longer set. https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html |
|||
| msg346819 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2019-06-28 14:16 | |
"Assuming no critical problems are found prior to 2019-06-28, no code changes are planned between these release candidates and the final releases." We were planning to start producing the final release artifacts in a couple of hours so we need to make a decision very quickly. If you think this is necessary, we can delay the release a bit. In the worst case, we could do a second release candidate but I *really* do not want to do that unless it is absolutely necessary. Also note that with 3.7.4, we have updated the Windows and macOS installers to use OpenSSL 1.1.1 (c) instead of 1.1.0. |
|||
| msg346824 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2019-06-28 14:58 | |
There are currently two issues with TLS 1.3 in Python. The issue https://bugs.python.org/issue37440 can be worked around easily with a custom SSLContext. This issue is a bigger problem because there is no possible workaround. The bug is going to break applications that verify clients with a certificate but accept untrusted server certificates. It's not a common scenario, but I just happen to run into this issue for a project at work. I'm sorry for the mess. :( I noticed the bug a couple of days ago. It took me a while to understand the root cause. |
|||
| msg346880 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2019-06-29 12:59 | |
Christian, do you have an estimate for when these issues will be resolved? We are holding 3.7.4 right now. |
|||
| msg346960 - (view) | Author: miss-islington (miss-islington) | Date: 2019-07-01 06:29 | |
New changeset f0f5930ac88482ef896283db5be9b8d508d077db by Miss Islington (bot) (Christian Heimes) in branch 'master': bpo-37428: Don't set PHA verify flag on client side (GH-14421) https://github.com/python/cpython/commit/f0f5930ac88482ef896283db5be9b8d508d077db |
|||
| msg346965 - (view) | Author: miss-islington (miss-islington) | Date: 2019-07-01 06:51 | |
New changeset cf7617460a920dd75ced017792045d3ae77648ad by Miss Islington (bot) in branch '3.7': [3.7] bpo-37428: Don't set PHA verify flag on client side (GH-14421) (GH-14493) https://github.com/python/cpython/commit/cf7617460a920dd75ced017792045d3ae77648ad |
|||
| msg346971 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2019-07-01 07:25 | |
New changeset f22c4cf11d10f52faa86e0b308dd28f11819efd8 by Christian Heimes in branch '3.8': [3.8] bpo-37428: Don't set PHA verify flag on client side (GH-14494) https://github.com/python/cpython/commit/f22c4cf11d10f52faa86e0b308dd28f11819efd8 |
|||
| msg347158 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2019-07-02 22:34 | |
New changeset 5b45fb0a449543fab6e7b606e51b739cb316d3c4 by Ned Deily (Miss Islington (bot)) in branch '3.7': [3.7] bpo-37428: Don't set PHA verify flag on client side (GH-14421) (GH-14493) https://github.com/python/cpython/commit/5b45fb0a449543fab6e7b606e51b739cb316d3c4 |
|||
| msg350286 - (view) | Author: Łukasz Langa (lukasz.langa) * |
Date: 2019-08-23 14:02 | |
Should this be closed? |
|||
| msg350656 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2019-08-28 05:21 | |
3.7 to 3.9 are fixed. Benjamin, do you want the fix in 2.7? |
|||
| msg350701 - (view) | Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2019-08-29 02:01 | |
Yes, please. |
|||
| msg378777 - (view) | Author: Irit Katriel (iritkatriel) * |
Date: 2020-10-16 22:48 | |
Can this be closed? 2.7 is no longer relevant. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:17 | admin | set | github: 81609 |
| 2020-10-17 02:23:07 | benjamin.peterson | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2020-10-16 22:48:30 | iritkatriel | set | nosy:
+ iritkatriel messages: + msg378777 |
| 2019-08-29 02:01:31 | benjamin.peterson | set | messages: + msg350701 |
| 2019-08-28 05:21:17 | christian.heimes | set | priority: release blocker -> high messages: + msg350656 |
| 2019-08-23 14:02:52 | lukasz.langa | set | messages: + msg350286 |
| 2019-07-02 22:34:02 | ned.deily | set | messages: + msg347158 |
| 2019-07-01 07:25:53 | christian.heimes | set | messages: + msg346971 |
| 2019-07-01 06:51:43 | miss-islington | set | messages: + msg346965 |
| 2019-07-01 06:31:15 | christian.heimes | set | pull_requests: + pull_request14310 |
| 2019-07-01 06:29:31 | miss-islington | set | pull_requests: + pull_request14309 |
| 2019-07-01 06:29:21 | miss-islington | set | nosy:
+ miss-islington messages: + msg346960 |
| 2019-06-30 09:53:47 | The Compiler | set | nosy:
+ The Compiler |
| 2019-06-29 12:59:02 | ned.deily | set | priority: deferred blocker -> release blocker nosy: + benjamin.peterson, lukasz.langa messages: + msg346880 |
| 2019-06-28 14:58:40 | christian.heimes | set | messages: + msg346824 |
| 2019-06-28 14:44:25 | christian.heimes | link | issue37440 dependencies |
| 2019-06-28 14:16:50 | ned.deily | set | messages: + msg346819 |
| 2019-06-28 13:59:05 | christian.heimes | set | priority: high -> deferred blocker nosy: + alex messages: + msg346818 |
| 2019-06-27 23:33:28 | ned.deily | set | nosy:
+ ned.deily messages: + msg346787 |
| 2019-06-27 11:31:45 | christian.heimes | set | keywords:
+ patch stage: patch review pull_requests: + pull_request14237 |
| 2019-06-27 10:33:29 | christian.heimes | create | |