bpo-37440: Enable TLS 1.3 post-handshake auth in http.client #14448

Merged
merged 1 commit into from
Jul 1, 2019

Conversation

tiran
Copy link
Member

@tiran tiran commented Jun 28, 2019

Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.

https://bugs.python.org/issue37440

Post-handshake authentication is required for conditional client cert
authentication with TLS 1.3.

Signed-off-by: Christian Heimes <christian@python.org>
@ned-deily
Copy link
Member

Anything we can do to expedite this? It's currently blocking 3.7.4 final and could shortly block 3.8.0 b2. @alex, would you be able to review this? Thanks!

@alex
Copy link
Member

alex commented Jun 29, 2019

I don't think I understand this well enough to really review it -- why don't we always set post_handshake_auth when using TLS 1.3 and client certs?

@tiran
Copy link
Member Author

tiran commented Jun 30, 2019

@alex OpenSSL disables PHA by default because clients must be able to handle it. An application protocol must deal with the fact that there is an additional TCP roundtrip involved.

@orsenthil
Copy link
Member

Hi @tiran - I reviewed after understanding the relevant context here:

Especially this part for SSLContext.post_handshake_auth:

> .. note::
>    Only available with OpenSSL 1.1.1 and TLS 1.3 enabled. Without TLS 1.3
>    support, the property value is None and can't be modified

  • The changes look good to me, and tests are helpful to understand the change.
  • The review discussion with Alex was helpful to understand why the value is not set to True by default.

I am giving my approval, but if you desire additional review+approval, please do seek out other core-devs.

Thanks!

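The two points raised above, that PHA is opt-in on the client because the client must be ready for a certificate request after the handshake, and that `SSLContext.post_handshake_auth` reads `None` and cannot be assigned when the linked OpenSSL lacks TLS 1.3, translate into a small amount of client setup code. The following is an added example written for this page, not code from the PR or from CPython's `http.client`; it mirrors the pattern the PR describes (check for `None`, then set `True`) in a standalone helper and hands the resulting context to `HTTPSConnection` via the `context=` parameter. The host name `example.invalid` is a placeholder and the connection is never opened.

```python
"""Client-side TLS 1.3 post-handshake authentication (PHA) setup.

Added example (not CPython's own code).  Builds the kind of SSLContext an
http.client user needs when a server asks for a client certificate only for
some requests, which under TLS 1.3 happens *after* the initial handshake.
"""
import http.client
import ssl


def tls13_available():
    """True when the linked OpenSSL supports TLS 1.3 (and therefore PHA)."""
    return ssl.HAS_TLSv1_3


def make_client_context(certfile=None, keyfile=None, cafile=None):
    """Return a verifying client context with PHA enabled where possible.

    OpenSSL leaves PHA off on the client because the client has to be
    prepared for a CertificateRequest arriving after the handshake, at the
    cost of an extra round trip.  Without TLS 1.3 support the attribute is
    None and assignment raises, so the None check comes first.
    """
    # create_default_context() gives CERT_REQUIRED plus hostname checking;
    # we keep both so enabling PHA never weakens server verification.
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        # Only useful if we can actually present the cert when asked,
        # which with TLS 1.3 may be post-handshake.
        ctx.load_cert_chain(certfile, keyfile)
    if getattr(ctx, "post_handshake_auth", None) is not None:
        ctx.post_handshake_auth = True
    return ctx


def pha_enabled(ctx):
    """Report whether the context will answer post-handshake cert requests."""
    return getattr(ctx, "post_handshake_auth", None) is True


def make_connection(host, ctx, port=443):
    """Build (but do not open) an HTTPSConnection using the prepared context."""
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    ctx = make_client_context()
    conn = make_connection("example.invalid", ctx)  # placeholder host, never connected
    print("TLS 1.3 available:", tls13_available(), "PHA enabled:", pha_enabled(ctx))
```

The defensive detail worth noticing is the order of operations: verification settings come from `create_default_context()` and are left untouched, the client certificate is loaded only when one is supplied, and PHA is switched on only after confirming the attribute is not `None`, so the same helper runs on a build without TLS 1.3 instead of failing at assignment.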
@miss-islington
Copy link
Contributor

Sorry, I can't merge this PR. Reason: Base branch was modified. Review and try the merge again.

@miss-islington miss-islington merged commit d1bd6e7 into python:master Jul 1, 2019
@miss-islington
Copy link
Contributor

Thanks @tiran for the PR 🌮🎉. I'm working now to backport this PR to: 2.7, 3.7, 3.8.
🐍🍒⛏🤖

@bedevere-bot
Copy link

GH-14495 is a backport of this pull request to the 3.8 branch.

@bedevere-bot bedevere-bot removed the "needs backport to 3.8" label Jul 1, 2019
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 1, 2019
…H-14448)

Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.

https://bugs.python.org/issue37440
(cherry picked from commit d1bd6e7)

Co-authored-by: Christian Heimes <christian@python.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 1, 2019
…H-14448)

Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.

https://bugs.python.org/issue37440
(cherry picked from commit d1bd6e7)

Co-authored-by: Christian Heimes <christian@python.org>
@bedevere-bot
Copy link

GH-14496 is a backport of this pull request to the 3.7 branch.

@miss-islington
Copy link
Contributor

Sorry, @tiran, I could not cleanly backport this to 2.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker d1bd6e79da1ee56dc1b902d804216ffd267399db 2.7

@miss-islington miss-islington self-assigned this Jul 1, 2019
miss-islington added a commit that referenced this pull request Jul 1, 2019
…H-14448) (GH-14495)

Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.

https://bugs.python.org/issue37440
(cherry picked from commit d1bd6e7)

Co-authored-by: Christian Heimes <christian@python.org>

https://bugs.python.org/issue37440
miss-islington added a commit that referenced this pull request Jul 1, 2019
…H-14448) (GH-14496)

Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.

https://bugs.python.org/issue37440
(cherry picked from commit d1bd6e7)

Co-authored-by: Christian Heimes <christian@python.org>

https://bugs.python.org/issue37440
@tiran tiran deleted the bpo-37440-httplib-pha branch July 1, 2019 07:09
ned-deily pushed a commit to ned-deily/cpython that referenced this pull request Jul 2, 2019
…ythonGH-14448) (pythonGH-14496)

Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.

https://bugs.python.org/issue37440
(cherry picked from commit d1bd6e7)

Co-authored-by: Christian Heimes <christian@python.org>

https://bugs.python.org/issue37440
lisroach pushed a commit to lisroach/cpython that referenced this pull request Sep 10, 2019
…H-14448)

Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.

https://bugs.python.org/issue37440
DinoV pushed a commit to DinoV/cpython that referenced this pull request Jan 14, 2020
…H-14448)

Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.

https://bugs.python.org/issue37440
Labels
type-bug An unexpected behavior, bug, or error
7 participants