classification
Title: httplib should enable post-handshake authentication for TLS 1.3
Type: behavior
Stage: patch review
Components: Library (Lib), SSL
Versions: Python 3.9, Python 3.8, Python 3.7, Python 2.7
process
Status: open
Resolution:
Dependencies: 37428
Superseder:
Assigned To: christian.heimes
Nosy List: The Compiler, alex, benjamin.peterson, christian.heimes, dstufft, janssen, lukasz.langa, miss-islington, ned.deily
Priority: release blocker
Keywords: patch

Created on 2019-06-28 14:29 by christian.heimes, last changed 2019-07-02 22:34 by ned.deily.

Pull Requests
URL Status Linked Edit
PR 14448 merged christian.heimes, 2019-06-28 14:49
PR 14495 merged miss-islington, 2019-07-01 06:32
PR 14496 merged miss-islington, 2019-07-01 06:32
Messages (6)
msg346820 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-06-28 14:29
httplib.client does not enable post-handshake authentication for TLS 1.3 connections. PHA is necessary for TLS 1.3 connections to servers that have conditional client cert authentication. For example Apache mod_ssl uses PHA when only certain paths or request methods require a client cert to authenticate a client.

Since TLS 1.3 is enabled by default with OpenSSL 1.1.1 and TLS 1.3 is preferred over TLS 1.2, the lack of PHA extension breaks backwards compatibility.
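For callers that hand their own SSLContext to http.client, post-handshake authentication can be switched on explicitly, as in the following added example (not code from the issue or from the CPython patch). The function names and the host `client-cert.example.invalid` are hypothetical.

```python
import http.client
import ssl


def pha_client_context(certfile=None, keyfile=None):
    """Client SSLContext that offers TLS 1.3 post-handshake auth (PHA)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # The property is None when the linked OpenSSL has no TLS 1.3 support,
    # and it cannot be modified in that case.
    if ctx.post_handshake_auth is not None:
        ctx.post_handshake_auth = True
    if certfile:
        # Client certificate the server may ask for after the handshake,
        # e.g. when only some paths or methods require it.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def pha_status(ctx):
    """Report the context settings relevant to conditional client-cert auth."""
    return {
        "tls13_available": ssl.HAS_TLSv1_3,
        "pha_enabled": ctx.post_handshake_auth,
        # Enabling PHA on the client must not weaken server verification.
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def open_connection(host, ctx, port=443):
    # Constructing the object opens no socket; connect()/request() does.
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=10)


if __name__ == "__main__":
    context = pha_client_context()
    print(pha_status(context))
    # Hypothetical host name, used only to show how the context is passed in.
    conn = open_connection("client-cert.example.invalid", context)
    print(conn.host, conn.port)
```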
msg346895 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-06-29 19:34
Blocking 3.7.4 final pending resolution
msg346962 - Author: miss-islington (miss-islington) Date: 2019-07-01 06:32
New changeset d1bd6e79da1ee56dc1b902d804216ffd267399db by Miss Islington (bot) (Christian Heimes) in branch 'master':
bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448)
https://github.com/python/cpython/commit/d1bd6e79da1ee56dc1b902d804216ffd267399db
msg346967 - Author: miss-islington (miss-islington) Date: 2019-07-01 07:07
New changeset ee72dda9616258b57c19eb5af00f3e80a3fb8e22 by Miss Islington (bot) in branch '3.8':
[3.8] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14495)
https://github.com/python/cpython/commit/ee72dda9616258b57c19eb5af00f3e80a3fb8e22
msg346968 - Author: miss-islington (miss-islington) Date: 2019-07-01 07:07
New changeset 6be91102f75aa4b4b8c1e55960aa22008ff9e319 by Miss Islington (bot) in branch '3.7':
[3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14496)
https://github.com/python/cpython/commit/6be91102f75aa4b4b8c1e55960aa22008ff9e319
msg347165 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-07-02 22:34
New changeset f97eb883d8a29ee9718147b3631ebd2741273d9b by Ned Deily (Miss Islington (bot)) in branch '3.7':
[3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14496)
https://github.com/python/cpython/commit/f97eb883d8a29ee9718147b3631ebd2741273d9b
History
Date User Action Args
2019-07-02 22:34:03 ned.deily set messages: + msg347165
2019-07-01 07:07:55 miss-islington set messages: + msg346968
2019-07-01 07:07:49 miss-islington set messages: + msg346967
2019-07-01 06:32:41 miss-islington set pull_requests: + pull_request14313
2019-07-01 06:32:35 miss-islington set pull_requests: + pull_request14311
2019-07-01 06:32:28 miss-islington set nosy: + miss-islington; messages: + msg346962
2019-06-30 09:53:53 The Compiler set nosy: + The Compiler
2019-06-29 19:34:56 ned.deily set messages: + msg346895
2019-06-29 19:33:34 ned.deily set priority: deferred blocker -> release blocker; nosy: + lukasz.langa, benjamin.peterson
2019-06-28 14:49:08 christian.heimes set keywords: + patch; stage: patch review; pull_requests: + pull_request14264
2019-06-28 14:44:25 christian.heimes set dependencies: + SSLContext.post_handshake_auth implicitly enables cert validation
2019-06-28 14:29:05 christian.heimes create