bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448)



Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.


https://bugs.python.org/issue37440
diff --git a/Lib/http/client.py b/Lib/http/client.py
index 82908eb..f61267e 100644
--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -1358,6 +1358,9 @@
             self.cert_file = cert_file
             if context is None:
                 context = ssl._create_default_https_context()
+                # enable PHA for TLS 1.3 connections if available
+                if context.post_handshake_auth is not None:
+                    context.post_handshake_auth = True
             will_verify = context.verify_mode != ssl.CERT_NONE
             if check_hostname is None:
                 check_hostname = context.check_hostname
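Review bot: The comment on the first added line says what is done but not why, and the `is not None` test on the line after it is a capability probe whose purpose is unstated, so a later reader may well drop it as redundant. I'd replace the comment with `# TLS 1.3 servers can only request a client cert conditionally via post-handshake auth (PHA); post_handshake_auth reads as None when the underlying OpenSSL has no TLS 1.3/PHA support, hence the guard.` Note that this also turns PHA on for every HTTPSConnection built on the default context, including the common case where no client certificate is loaded, so a server-initiated CertificateRequest will now be answered (presumably with an empty certificate) and any rejection surfaces on a later read rather than at connect time — worth a sentence in the HTTPSConnection documentation. The enclosing __init__ starts before this hunk.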
@@ -1366,6 +1369,10 @@
                                  "either CERT_OPTIONAL or CERT_REQUIRED")
             if key_file or cert_file:
                 context.load_cert_chain(cert_file, key_file)
+                # cert and key file means the user wants to authenticate.
+                # enable TLS 1.3 PHA implicitly even for custom contexts.
+                if context.post_handshake_auth is not None:
+                    context.post_handshake_auth = True
             self._context = context
             if check_hostname is not None:
                 self._context.check_hostname = check_hostname
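Review bot: PHA is enabled on a caller-supplied context only inside the `if key_file or cert_file:` branch, so a caller that loaded its certificate with `context.load_cert_chain()` directly — which I believe is the recommended route, as these parameters are deprecated in favour of context — gets no PHA and conditional client-cert authentication will silently fail against TLS 1.3 servers. The docstring or the module docs should state that such callers must set `context.post_handshake_auth = True` themselves. The added lines also mutate the caller's context in place, which changes every other connection sharing it; that mirrors what the existing `check_hostname` assignment below already does, but the comment should make it explicit: `# NOTE: mutates the caller's context; any other connection sharing it now advertises PHA too.` __init__ continues beyond this hunk.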