mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-04 00:48:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448)

Browse source 
Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.


https://bugs.python.org/issue37440
This commit is contained in:
Christian Heimes 2019-07-01 08:32:24 +02:00 committed by Miss Islington (bot)
parent f0f5930ac8
commit d1bd6e79da
4 changed files with 32 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Lib/http/client.py
View file

@ -1358,6 +1358,9 @@ else:
self.cert_file = cert_file
if context is None:
context = ssl._create_default_https_context()
# enable PHA for TLS 1.3 connections if available
if context.post_handshake_auth is not None:
context.post_handshake_auth = True
will_verify = context.verify_mode != ssl.CERT_NONE
if check_hostname is None:
check_hostname = context.check_hostname
@ -1366,6 +1369,10 @@ else:
"either CERT_OPTIONAL or CERT_REQUIRED")
if key_file or cert_file:
context.load_cert_chain(cert_file, key_file)
# cert and key file means the user wants to authenticate.
# enable TLS 1.3 PHA implicitly even for custom contexts.
if context.post_handshake_auth is not None:
context.post_handshake_auth = True
self._context = context
if check_hostname is not None:
self._context.check_hostname = check_hostname