mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-25 03:04:55 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

gh-128035: Add ssl.HAS_PHA to detect libssl PHA support (GH-128036)

Browse source 
* Add ssl.HAS_PHA to detect libssl Post-Handshake-Auth support

Co-authored-by: Tomas R. <tomas.roun8@gmail.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
This commit is contained in:
Will Childs-Klein 2024-12-24 12:29:27 -06:00 committed by GitHub
parent 7985d460c7
commit 418114c139
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 26 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Doc/library/ssl.rst
View file

@ -934,6 +934,12 @@ Constants
.. versionadded:: 3.13 .. versionadded:: 3.13
.. data:: HAS_PHA
Whether the OpenSSL library has built-in support for TLS-PHA.
.. versionadded:: next
.. data:: CHANNEL_BINDING_TYPES .. data:: CHANNEL_BINDING_TYPES
List of supported TLS channel binding types. Strings in this list List of supported TLS channel binding types. Strings in this list

8
Doc/whatsnew/3.14.rst
View file

@ -584,6 +584,14 @@ pydoc
(Contributed by Jelle Zijlstra in :gh:`101552`.) (Contributed by Jelle Zijlstra in :gh:`101552`.)
ssl
---
* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports
TLSv1.3 post-handshake client authentication (PHA).
(Contributed by Will Childs-Klein in :gh:`128036`.)
symtable symtable
-------- --------

2
Lib/ssl.py
View file

@ -116,7 +116,7 @@ except ImportError:
from _ssl import ( from _ssl import (
HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1, HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA
) )
from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION

4
Lib/test/test_httplib.py
View file

@ -2073,8 +2073,8 @@ class HTTPSTest(TestCase):
def test_tls13_pha(self): def test_tls13_pha(self):
import ssl import ssl
if not ssl.HAS_TLSv1_3: if not ssl.HAS_TLSv1_3 or not ssl.HAS_PHA:
self.skipTest('TLS 1.3 support required') self.skipTest('TLS 1.3 PHA support required')
# just check status of PHA flag # just check status of PHA flag
h = client.HTTPSConnection('localhost', 443) h = client.HTTPSConnection('localhost', 443)
self.assertTrue(h._context.post_handshake_auth) self.assertTrue(h._context.post_handshake_auth)

3
Lib/test/test_ssl.py
View file

@ -4494,7 +4494,8 @@ class ThreadedTests(unittest.TestCase):
s.connect((HOST, server.port)) s.connect((HOST, server.port))
@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3") @unittest.skipUnless(has_tls_version('TLSv1_3') and ssl.HAS_PHA,
"Test needs TLS 1.3 PHA")
class TestPostHandshakeAuth(unittest.TestCase): class TestPostHandshakeAuth(unittest.TestCase):
def test_pha_setter(self): def test_pha_setter(self):
protocols = [ protocols = [

1
Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst Normal file
View file

@ -0,0 +1 @@
Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3 post-handshake client authentication (PHA). Patch by Will Childs-Klein.

6
Modules/_ssl.c
View file

@ -6553,6 +6553,12 @@ sslmodule_init_constants(PyObject *m)
addbool(m, "HAS_PSK", 1); addbool(m, "HAS_PSK", 1);
#endif #endif
#ifdef SSL_VERIFY_POST_HANDSHAKE
addbool(m, "HAS_PHA", 1);
#else
addbool(m, "HAS_PHA", 0);
#endif
#undef addbool #undef addbool
#undef ADD_INT_CONST #undef ADD_INT_CONST