
classification
Title: httplib should enable post-handshake authentication for TLS 1.3
Type: behavior
Stage: resolved
Components: Library (Lib), SSL
Versions: Python 3.9, Python 3.8, Python 3.7, Python 2.7

process
Status: closed
Resolution: fixed
Dependencies: 37428
Superseder:
Assigned To: christian.heimes
Nosy List: The Compiler, alex, benjamin.peterson, christian.heimes, dstufft, iritkatriel, janssen, lukasz.langa, miss-islington, ned.deily
Priority: high
Keywords: patch

Created on 2019-06-28 14:29 by christian.heimes, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL | Status | Linked
PR 14448 | merged | christian.heimes, 2019-06-28 14:49
PR 14495 | merged | miss-islington, 2019-07-01 06:32
PR 14496 | merged | miss-islington, 2019-07-01 06:32

Messages (10)
msg346820 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2019-06-28 14:29
httplib.client does not enable post-handshake authentication for TLS 1.3 connections. PHA is necessary for TLS 1.3 connections to servers that have conditional client cert authentication. For example, Apache mod_ssl uses PHA when only certain paths or request methods require a client cert to authenticate a client.

Since TLS 1.3 is enabled by default with OpenSSL 1.1.1 and TLS 1.3 is preferred over TLS 1.2, the lack of PHA extension breaks backwards compatibility.
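
An added example, not part of the original message or of the CPython patch: setting the option explicitly on a client context the application builds itself, so a server with conditional client-cert authentication can still request the certificate after the TLS 1.3 handshake. The helper names, the host `client-cert.example` and the TLS 1.2 fallback are assumptions made for illustration.

```python
import http.client
import ssl


def enable_pha(context):
    """Opt a client SSLContext in to TLS 1.3 post-handshake auth (PHA).

    Returns "pha" when the extension will be offered, or "tls1.2-cap"
    when this ssl build cannot do PHA and the context was limited to
    TLS 1.2 instead (an added fallback, not something the issue proposes).
    """
    # post_handshake_auth is None when the linked OpenSSL lacks PHA support.
    if getattr(context, "post_handshake_auth", None) is not None:
        context.post_handshake_auth = True
        return "pha"
    # Without PHA, stay on TLS 1.2, where the server can still ask for the
    # client certificate after the initial handshake via renegotiation.
    context.maximum_version = ssl.TLSVersion.TLSv1_2
    return "tls1.2-cap"


def make_connection(host, certfile=None, keyfile=None):
    """Build an HTTPSConnection whose context can answer a late cert request.

    No network traffic happens here; the handshake runs on the first request.
    """
    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if certfile:
        context.load_cert_chain(certfile, keyfile)
    mode = enable_pha(context)
    # PHA concerns the client's certificate only; verification of the
    # server's certificate and host name must be left switched on.
    if context.verify_mode != ssl.CERT_REQUIRED or not context.check_hostname:
        raise RuntimeError("server certificate checks were changed")
    return http.client.HTTPSConnection(host, context=context), mode


if __name__ == "__main__":
    # Constructed host name; no certificate files are needed for this dry run.
    conn, mode = make_connection("client-cert.example")
    print(conn.host, conn.port, mode)
```
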
msg346895 - Author: Ned Deily (ned.deily) (Python committer) Date: 2019-06-29 19:34
Blocking 3.7.4 final pending resolution
msg346962 - Author: miss-islington (miss-islington) Date: 2019-07-01 06:32
New changeset d1bd6e79da1ee56dc1b902d804216ffd267399db by Miss Islington (bot) (Christian Heimes) in branch 'master':
bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448)
https://github.com/python/cpython/commit/d1bd6e79da1ee56dc1b902d804216ffd267399db
msg346967 - Author: miss-islington (miss-islington) Date: 2019-07-01 07:07
New changeset ee72dda9616258b57c19eb5af00f3e80a3fb8e22 by Miss Islington (bot) in branch '3.8':
[3.8] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14495)
https://github.com/python/cpython/commit/ee72dda9616258b57c19eb5af00f3e80a3fb8e22
msg346968 - Author: miss-islington (miss-islington) Date: 2019-07-01 07:07
New changeset 6be91102f75aa4b4b8c1e55960aa22008ff9e319 by Miss Islington (bot) in branch '3.7':
[3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14496)
https://github.com/python/cpython/commit/6be91102f75aa4b4b8c1e55960aa22008ff9e319
msg347165 - Author: Ned Deily (ned.deily) (Python committer) Date: 2019-07-02 22:34
New changeset f97eb883d8a29ee9718147b3631ebd2741273d9b by Ned Deily (Miss Islington (bot)) in branch '3.7':
[3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14496)
https://github.com/python/cpython/commit/f97eb883d8a29ee9718147b3631ebd2741273d9b
msg350287 - Author: Łukasz Langa (lukasz.langa) (Python committer) Date: 2019-08-23 14:03
Should this be closed?
msg350657 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2019-08-28 05:21
3.7 to 3.9 are fixed.

Benjamin, do you want the fix in 2.7?
msg350702 - Author: Benjamin Peterson (benjamin.peterson) (Python committer) Date: 2019-08-29 02:03
Yes, makes sense for 2.7, too. Thanks.
msg378778 - Author: Irit Katriel (iritkatriel) (Python committer) Date: 2020-10-16 22:49
Can this be closed? 2.7 is no longer relevant.
History
Date | User | Action | Args
2022-04-11 14:59:17 | admin | set | github: 81621
2020-10-17 02:23:17 | benjamin.peterson | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved
2020-10-16 22:49:54 | iritkatriel | set | nosy: + iritkatriel; messages: + msg378778
2019-08-29 02:03:54 | benjamin.peterson | set | messages: + msg350702
2019-08-28 05:21:29 | christian.heimes | set | priority: release blocker -> high; messages: + msg350657
2019-08-23 14:03:06 | lukasz.langa | set | messages: + msg350287
2019-07-02 22:34:03 | ned.deily | set | messages: + msg347165
2019-07-01 07:07:55 | miss-islington | set | messages: + msg346968
2019-07-01 07:07:49 | miss-islington | set | messages: + msg346967
2019-07-01 06:32:41 | miss-islington | set | pull_requests: + pull_request14313
2019-07-01 06:32:35 | miss-islington | set | pull_requests: + pull_request14311
2019-07-01 06:32:28 | miss-islington | set | nosy: + miss-islington; messages: + msg346962
2019-06-30 09:53:53 | The Compiler | set | nosy: + The Compiler
2019-06-29 19:34:56 | ned.deily | set | messages: + msg346895
2019-06-29 19:33:34 | ned.deily | set | priority: deferred blocker -> release blocker; nosy: + lukasz.langa, benjamin.peterson
2019-06-28 14:49:08 | christian.heimes | set | keywords: + patch; stage: patch review; pull_requests: + pull_request14264
2019-06-28 14:44:25 | christian.heimes | set | dependencies: + SSLContext.post_handshake_auth implicitly enables cert validation
2019-06-28 14:29:05 | christian.heimes | create |