
Author christian.heimes
Recipients christian.heimes
Date 2019-06-27.10:33:29
Message-id <1561631609.42.0.922673247425.issue37428@roundup.psfhosted.org>
In-reply-to
Content
Enabling TLS 1.3 post-handshake auth also enables cert chain validation. OpenSSL documents SSL_VERIFY_POST_HANDSHAKE as ignored for the client side. However, tls_process_server_certificate in the client state machine code does not ignore the flag and checks for a correct cert chain.

See https://github.com/openssl/openssl/issues/9259 and https://github.com/openssl/openssl/blob/743694a6c29e5a6387819523fad5e3b7e613f1ee/ssl/statem/statem_clnt.c#L1899-L1918
History
Date                 User              Action  Args
2019-06-27 10:33:29  christian.heimes  set     recipients: + christian.heimes
2019-06-27 10:33:29  christian.heimes  set     messageid: <1561631609.42.0.922673247425.issue37428@roundup.psfhosted.org>
2019-06-27 10:33:29  christian.heimes  link    issue37428 messages
2019-06-27 10:33:29  christian.heimes  create