httplib should enable post-handshake authentication for TLS 1.3 #81621

Closed
tiran opened this issue Jun 28, 2019 · 10 comments
Labels
3.7 only security fixes 3.8 only security fixes 3.9 only security fixes stdlib Python modules in the Lib dir topic-SSL type-bug An unexpected behavior, bug, or error

tiran commented Jun 28, 2019

BPO 37440
Nosy @tiran, @benjaminp, @ned-deily, @alex, @ambv, @dstufft, @The-Compiler, @miss-islington, @iritkatriel
PRs
  • bpo-37440: Enable TLS 1.3 post-handshake auth in http.client #14448
  • [3.8] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) #14495
  • [3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) #14496
  • Dependencies
  • bpo-37428: SSLContext.post_handshake_auth implicitly enables cert validation
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2020-10-17.02:23:17.992>
    created_at = <Date 2019-06-28.14:29:05.866>
    labels = ['expert-SSL', 'type-bug', '3.8', '3.9', '3.7', 'library']
    title = 'httplib should enable post-handshake authentication for TLS 1.3'
    updated_at = <Date 2020-10-17.02:23:17.991>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2020-10-17.02:23:17.991>
    actor = 'benjamin.peterson'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2020-10-17.02:23:17.992>
    closer = 'benjamin.peterson'
    components = ['Library (Lib)', 'SSL']
    creation = <Date 2019-06-28.14:29:05.866>
    creator = 'christian.heimes'
    dependencies = ['37428']
    files = []
    hgrepos = []
    issue_num = 37440
    keywords = ['patch']
    message_count = 10.0
    messages = ['346820', '346895', '346962', '346967', '346968', '347165', '350287', '350657', '350702', '378778']
    nosy_count = 10.0
    nosy_names = ['janssen', 'christian.heimes', 'benjamin.peterson', 'ned.deily', 'alex', 'lukasz.langa', 'dstufft', 'The Compiler', 'miss-islington', 'iritkatriel']
    pr_nums = ['14448', '14495', '14496']
    priority = 'high'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue37440'
    versions = ['Python 2.7', 'Python 3.7', 'Python 3.8', 'Python 3.9']

    tiran commented Jun 28, 2019

    httplib.client does not enable post-handshake authentication for TLS 1.3 connections. PHA is necessary for TLS 1.3 connections to servers that have conditional client cert authentication. For example, Apache mod_ssl uses PHA when only certain paths or request methods require a client cert to authenticate a client.

    Since TLS 1.3 is enabled by default with OpenSSL 1.1.1 and TLS 1.3 is preferred over TLS 1.2, the lack of PHA extension breaks backwards compatibility.

    @tiran tiran added deferred-blocker 3.7 only security fixes 3.8 only security fixes 3.9 only security fixes labels Jun 28, 2019
    @tiran tiran self-assigned this Jun 28, 2019
    @tiran tiran added stdlib Python modules in the Lib dir topic-SSL type-bug An unexpected behavior, bug, or error labels Jun 28, 2019
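
A client-side sketch of the setting this issue is about, added here as an example (it is not code from the issue or from the CPython patch). It builds a verified `ssl.SSLContext` that offers TLS 1.3 post-handshake auth and hands it to `http.client.HTTPSConnection`; the helper names and the `certfile`/`keyfile` parameters are assumptions for illustration.

```python
import http.client
import ssl


def client_context_with_pha(certfile=None, keyfile=None):
    """Verified client context that also offers TLS 1.3 post-handshake auth."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if certfile is not None:
        # Client certificate the server may request after the handshake,
        # e.g. only for certain paths or request methods.
        ctx.load_cert_chain(certfile, keyfile)
    # The attribute reads as None when the ssl module has no TLS 1.3 PHA
    # support, so only set it when it is available.
    if ctx.post_handshake_auth is not None:
        ctx.post_handshake_auth = True
    return ctx


def describe(ctx):
    """Summarise the settings that matter for conditional client-cert auth."""
    return {
        "tls13_available": ssl.HAS_TLSv1_3,
        "post_handshake_auth": ctx.post_handshake_auth,
        "verify_mode": ctx.verify_mode,
        "check_hostname": ctx.check_hostname,
    }


def connection_for(host, certfile=None, keyfile=None):
    """HTTPSConnection using the PHA-enabled context; no I/O until request()."""
    ctx = client_context_with_pha(certfile, keyfile)
    return http.client.HTTPSConnection(host, context=ctx)


if __name__ == "__main__":
    # A plain default context leaves PHA off; compare it with the helper's.
    print("default :", describe(ssl.create_default_context()))
    print("with PHA:", describe(client_context_with_pha()))
```

Enabling PHA on the client does not relax server verification: the context keeps `CERT_REQUIRED` and hostname checking.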
    @ned-deily (Member)

    Blocking 3.7.4 final pending resolution

    @miss-islington (Contributor)

    New changeset d1bd6e7 by Miss Islington (bot) (Christian Heimes) in branch 'master':
    bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448)
    d1bd6e7

    @miss-islington (Contributor)

    New changeset ee72dda by Miss Islington (bot) in branch '3.8':
    [3.8] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14495)
    ee72dda

    @miss-islington (Contributor)

    New changeset 6be9110 by Miss Islington (bot) in branch '3.7':
    [3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14496)
    6be9110

    @ned-deily (Member)

    New changeset f97eb88 by Ned Deily (Miss Islington (bot)) in branch '3.7':
    [3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14496)
    f97eb88

    ambv commented Aug 23, 2019

    Should this be closed?

    tiran commented Aug 28, 2019

    3.7 to 3.9 are fixed.

    Benjamin, do you want the fix in 2.7?

    @benjaminp (Contributor)

    Yes, makes sense for 2.7, too. Thanks.

    @iritkatriel (Member)

    Can this be closed? 2.7 is no longer relevant.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022