[3.7] bpo-37428: Don't set PHA verify flag on client side (GH-14421) (GH-14493)

SSLContext.post_handshake_auth = True no longer sets SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the option is documented as ignored for clients, OpenSSL implicitly enables cert chain validation when the flag is set. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue37428 (cherry picked from commit f0f5930ac88482ef896283db5be9b8d508d077db) Co-authored-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue37428
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> 2019-06-30 23:51:40 -0700
committer: Ned Deily <nad@python.org> 2019-07-01 22:27:58 -0400
commit: 5b45fb0a449543fab6e7b606e51b739cb316d3c4 (patch)
tree: faddc0122ba3e2179cd945341d49e6d341be67f8 /Misc
parent: 3e24dd52bba863fce4f3c6a34ca9f813666ed181 (diff)
download: cpython-git-5b45fb0a449543fab6e7b606e51b739cb316d3c4.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Library/2019-06-27-13-27-02.bpo-37428._wcwUd.rst b/Misc/NEWS.d/next/Library/2019-06-27-13-27-02.bpo-37428._wcwUd.rst
new file mode 100644
index 0000000000..2cdce6b24d
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2019-06-27-13-27-02.bpo-37428._wcwUd.rst
@@ -0,0 +1,4 @@
+SSLContext.post_handshake_auth = True no longer sets
+SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
+option is documented as ignored for clients, OpenSSL implicitly enables cert
+chain validation when the flag is set.
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	2019-06-30 23:51:40 -0700
committer	Ned Deily <nad@python.org>	2019-07-01 22:27:58 -0400
commit	5b45fb0a449543fab6e7b606e51b739cb316d3c4 (patch)
tree	faddc0122ba3e2179cd945341d49e6d341be67f8 /Misc
parent	3e24dd52bba863fce4f3c6a34ca9f813666ed181 (diff)
download	cpython-git-5b45fb0a449543fab6e7b606e51b739cb316d3c4.tar.gz