httplib should enable post-handshake authentication for TLS 1.3

[tiran]

BPO	37440
Nosy	@tiran, @benjaminp, @ned-deily, @alex, @ambv, @dstufft, @The-Compiler, @miss-islington, @iritkatriel
PRs	bpo-37440: Enable TLS 1.3 post-handshake auth in http.client #14448 [3.8] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) #14495 [3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) #14496
Dependencies	bpo-37428: SSLContext.post_handshake_auth implicitly enables cert validation

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2020-10-17.02:23:17.992>
created_at = <Date 2019-06-28.14:29:05.866>
labels = ['expert-SSL', 'type-bug', '3.8', '3.9', '3.7', 'library']
title = 'httplib should enable post-handshake authentication for TLS 1.3'
updated_at = <Date 2020-10-17.02:23:17.991>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2020-10-17.02:23:17.991>
actor = 'benjamin.peterson'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2020-10-17.02:23:17.992>
closer = 'benjamin.peterson'
components = ['Library (Lib)', 'SSL']
creation = <Date 2019-06-28.14:29:05.866>
creator = 'christian.heimes'
dependencies = ['37428']
files = []
hgrepos = []
issue_num = 37440
keywords = ['patch']
message_count = 10.0
messages = ['346820', '346895', '346962', '346967', '346968', '347165', '350287', '350657', '350702', '378778']
nosy_count = 10.0
nosy_names = ['janssen', 'christian.heimes', 'benjamin.peterson', 'ned.deily', 'alex', 'lukasz.langa', 'dstufft', 'The Compiler', 'miss-islington', 'iritkatriel']
pr_nums = ['14448', '14495', '14496']
priority = 'high'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue37440'
versions = ['Python 2.7', 'Python 3.7', 'Python 3.8', 'Python 3.9']

[tiran]

httplib.client does not enable post-handshake authentication for TLS 1.3 connections. PHA is necessary for TLS 1.3 connections to servers that have conditional client cert authentication. For example Apache mod_ssl uses PHA when only certain paths or request methods require a client cert to authenticate a client.

Since TLS 1.3 is enabled by default with OpenSSL 1.1.1 and TLS 1.3 is preferred over TLS 1.2, the lack of PHA extension breaks backwards compatibility.

[ned-deily]

Blocking 3.7.4 final pending resolution

[miss-islington]

New changeset d1bd6e7 by Miss Islington (bot) (Christian Heimes) in branch 'master':
bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448)
d1bd6e7

[miss-islington]

New changeset ee72dda by Miss Islington (bot) in branch '3.8':
[3.8] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14495)
ee72dda

[miss-islington]

New changeset 6be9110 by Miss Islington (bot) in branch '3.7':
[3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14496)
6be9110

[ned-deily]

New changeset f97eb88 by Ned Deily (Miss Islington (bot)) in branch '3.7':
[3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14496)
f97eb88

[ambv]

Should this be closed?

[tiran]

3.7 to 3.9 are fixed.

Benjamin, do you want the fix in 2.7?

[benjaminp]

Yes, makes sense for 2.7, too. Thanks.

[iritkatriel]

Can this be closed? 2.7 is no longer relevant.