diff options
author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2019-07-01 00:07:52 -0700 |
---|---|---|
committer | Ned Deily <nad@python.org> | 2019-07-01 22:29:17 -0400 |
commit | f97eb883d8a29ee9718147b3631ebd2741273d9b (patch) | |
tree | 5f7fe2857cfc2380c298dfb54e1b83a79c9464d4 | |
parent | 5b45fb0a449543fab6e7b606e51b739cb316d3c4 (diff) | |
download | cpython-git-f97eb883d8a29ee9718147b3631ebd2741273d9b.tar.gz |
[3.7] bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448) (GH-14496)
Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.
https://bugs.python.org/issue37440
(cherry picked from commit d1bd6e79da1ee56dc1b902d804216ffd267399db)
Co-authored-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue37440
-rw-r--r-- | Doc/library/http.client.rst | 5 | ||||
-rw-r--r-- | Lib/http/client.py | 7 | ||||
-rw-r--r-- | Lib/test/test_httplib.py | 18 | ||||
-rw-r--r-- | Misc/NEWS.d/next/Library/2019-06-28-16-40-17.bpo-37440.t3wX-N.rst | 2 |
4 files changed, 32 insertions, 0 deletions
diff --git a/Doc/library/http.client.rst b/Doc/library/http.client.rst index 3408c103e2..3ebeb10aee 100644 --- a/Doc/library/http.client.rst +++ b/Doc/library/http.client.rst @@ -94,6 +94,11 @@ The module provides the following classes: :func:`ssl._create_unverified_context` can be passed to the *context* parameter. + .. versionchanged:: 3.7.4 + This class now enables TLS 1.3 + :attr:`ssl.SSLContext.post_handshake_auth` for the default *context* or + when *cert_file* is passed with a custom *context*. + .. deprecated:: 3.6 *key_file* and *cert_file* are deprecated in favor of *context*. diff --git a/Lib/http/client.py b/Lib/http/client.py index 2afd452fe3..dd23edcd59 100644 --- a/Lib/http/client.py +++ b/Lib/http/client.py @@ -1381,6 +1381,9 @@ else: self.cert_file = cert_file if context is None: context = ssl._create_default_https_context() + # enable PHA for TLS 1.3 connections if available + if context.post_handshake_auth is not None: + context.post_handshake_auth = True will_verify = context.verify_mode != ssl.CERT_NONE if check_hostname is None: check_hostname = context.check_hostname @@ -1389,6 +1392,10 @@ else: "either CERT_OPTIONAL or CERT_REQUIRED") if key_file or cert_file: context.load_cert_chain(cert_file, key_file) + # cert and key file means the user wants to authenticate. + # enable TLS 1.3 PHA implicitly even for custom contexts. + if context.post_handshake_auth is not None: + context.post_handshake_auth = True self._context = context if check_hostname is not None: self._context.check_hostname = check_hostname diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py index 49263a8a3a..c424667158 100644 --- a/Lib/test/test_httplib.py +++ b/Lib/test/test_httplib.py @@ -1748,6 +1748,24 @@ class HTTPSTest(TestCase): self.assertEqual(h, c.host) self.assertEqual(p, c.port) + def test_tls13_pha(self): + import ssl + if not ssl.HAS_TLSv1_3: + self.skipTest('TLS 1.3 support required') + # just check status of PHA flag + h = client.HTTPSConnection('localhost', 443) + self.assertTrue(h._context.post_handshake_auth) + + context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + self.assertFalse(context.post_handshake_auth) + h = client.HTTPSConnection('localhost', 443, context=context) + self.assertIs(h._context, context) + self.assertFalse(h._context.post_handshake_auth) + + h = client.HTTPSConnection('localhost', 443, context=context, + cert_file=CERT_localhost) + self.assertTrue(h._context.post_handshake_auth) + class RequestBodyTest(TestCase): """Test cases where a request includes a message body.""" diff --git a/Misc/NEWS.d/next/Library/2019-06-28-16-40-17.bpo-37440.t3wX-N.rst b/Misc/NEWS.d/next/Library/2019-06-28-16-40-17.bpo-37440.t3wX-N.rst new file mode 100644 index 0000000000..b336e061e1 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2019-06-28-16-40-17.bpo-37440.t3wX-N.rst @@ -0,0 +1,2 @@ +http.client now enables TLS 1.3 post-handshake authentication for default +context or if a cert_file is passed to HTTPSConnection. |