Windows TLS Fix for Tesla Auth
Fixes the 403 Forbidden error Windows users hit when trying to authenticate with Tesla — the Windows OpenSSL TLS 1.3 fingerprint was being rejected during the PKCE code exchange, silently producing "tainted" tokens that failed every owner-api.teslamotors.com call.
Changes
- fix(windows): cap TLS to 1.2 on Windows in
tesla_auth.py,teslapy/__init__.py, andv1r_register.py— Linux/macOS retain TLS 1.3 pinning- Windows Python bundles an OpenSSL build whose TLS 1.3 ClientHello fingerprint is rejected by Tesla during PKCE code exchange and token refresh
_httpx_auth_verify()now capsmaximum_versionto TLS 1.2 on Windows (sys.platform == 'win32')- TLS 1.2 fully supports HTTP/2, so ALPN negotiation and h2 framing are unaffected
- fix(register):
api_call()inv1r_register.pynow uses httpx with HTTP/2 for Tesla API endpoints (was urllib/HTTP/1.1) — Tesla now requires HTTP/2 forowner-api.teslamotors.com/api/1/*calls (June 2026); falls back to urllib for non-Tesla URLs or if httpx is not installed - docs(windows): README updated with Windows setup troubleshooting — native Windows TLS, WSL2 WebKitGTK limitation, and alternatives (tesla_auth app, full Linux VM, remote authtoken)
- diagnostics:
cloudchecknow reports platform-aware TLS behaviour on Windows
Details
This is the same class of TLS fingerprint issue fixed for Alpine/musl libc Docker images in #345 — but specific to native Windows Python. The tokens arrive "tainted": they work for auth.tesla.com but return 403 Forbidden on every Owner API call. Capping to TLS 1.2 on Windows avoids the rejected fingerprint.
Thanks to @AndrewTapp for the detailed cloudcheck -debug report in #350 that made this diagnosable. 🙏
Links
- PyPI: https://pypi.org/project/pypowerwall/0.16.1/
- Proxy image:
jasonacox/pypowerwall:0.16.1t95