Skip to content

v0.16.1 — Windows TLS Fix for Tesla Auth

Latest

Choose a tag to compare

@jasonacox-sam jasonacox-sam released this 12 Jul 21:44

Windows TLS Fix for Tesla Auth

Fixes the 403 Forbidden error Windows users hit when trying to authenticate with Tesla — the Windows OpenSSL TLS 1.3 fingerprint was being rejected during the PKCE code exchange, silently producing "tainted" tokens that failed every owner-api.teslamotors.com call.

Changes

  • fix(windows): cap TLS to 1.2 on Windows in tesla_auth.py, teslapy/__init__.py, and v1r_register.py — Linux/macOS retain TLS 1.3 pinning
    • Windows Python bundles an OpenSSL build whose TLS 1.3 ClientHello fingerprint is rejected by Tesla during PKCE code exchange and token refresh
    • _httpx_auth_verify() now caps maximum_version to TLS 1.2 on Windows (sys.platform == 'win32')
    • TLS 1.2 fully supports HTTP/2, so ALPN negotiation and h2 framing are unaffected
  • fix(register): api_call() in v1r_register.py now uses httpx with HTTP/2 for Tesla API endpoints (was urllib/HTTP/1.1) — Tesla now requires HTTP/2 for owner-api.teslamotors.com/api/1/* calls (June 2026); falls back to urllib for non-Tesla URLs or if httpx is not installed
  • docs(windows): README updated with Windows setup troubleshooting — native Windows TLS, WSL2 WebKitGTK limitation, and alternatives (tesla_auth app, full Linux VM, remote authtoken)
  • diagnostics: cloudcheck now reports platform-aware TLS behaviour on Windows

Details

This is the same class of TLS fingerprint issue fixed for Alpine/musl libc Docker images in #345 — but specific to native Windows Python. The tokens arrive "tainted": they work for auth.tesla.com but return 403 Forbidden on every Owner API call. Capping to TLS 1.2 on Windows avoids the rejected fingerprint.

Thanks to @AndrewTapp for the detailed cloudcheck -debug report in #350 that made this diagnosable. 🙏

Links