Add ssl.HAS_PHA to detect libssl PHA support #128035
Labels
extension-modules
C modules in the Modules dir
topic-SSL
type-feature
A feature request or enhancement
Feature or enhancement
Proposal:
TLSv1.3 post-handshake client authentication (PHA), often referred to as "mutual TLS" or "mTLS", allows TLS servers to authenticate client identities using digital certificates. Some TLS libraries do not implement PHA, including actively maintained and widely used libraries such as AWS-LC and BoringSSL.
This issue proposes the addition of a boolean property ssl.HAS_PHA to indicate whether the crypto library CPython is built against supports PHA, allowing Python's test suite and consuming modules to branch accordingly. This feature has precedent in the ssl.HAS_PSK flag indicating support for another TLS feature that is not universally implemented across TLS libraries.
Has this already been discussed elsewhere?
This is a minor feature, which does not need previous discussion elsewhere
Links to previous discussion of this feature:
Related changes to increase libcrypto/libssl compatibility (specifically with AWS-LC) have been discussed with the community here.
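An added example, not part of the original issue and not CPython's own code: one way a consuming module could branch on the proposed flag, so that a build without PHA falls back to requesting the client certificate during the initial handshake instead of dropping client authentication. The names pha_supported and server_context and the fallback probe for interpreters that lack the flag are assumptions of this example.

```python
import ssl


def pha_supported() -> bool:
    """Report whether the linked TLS library supports TLS 1.3 PHA."""
    flag = getattr(ssl, "HAS_PHA", None)  # the flag proposed in this issue
    if flag is not None:
        return bool(flag)
    # Assumed fallback for interpreters without the flag: without TLS 1.3
    # the property reads None and cannot be set (documented behaviour).
    # A library with TLS 1.3 but no PHA may still pass this probe, which
    # is the gap the flag is meant to close.
    if not ssl.HAS_TLSv1_3:
        return False
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.post_handshake_auth = True
    except (AttributeError, NotImplementedError):
        return False
    return probe.post_handshake_auth is True


def server_context(pha: bool) -> tuple:
    """Build a server context that always ends up requiring a client cert.

    Returns (context, mode); mode is "post-handshake" or "initial-handshake".
    Certificate, key and trust-anchor loading are left to the caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if pha:
        # Certificate exchange is deferred until the server calls
        # SSLSocket.verify_client_post_handshake() on the connection.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
        ctx.post_handshake_auth = True
        return ctx, "post-handshake"
    # No PHA: request the certificate during the initial handshake instead
    # of silently serving unauthenticated clients.
    return ctx, "initial-handshake"
```

A caller would use server_context(pha_supported()) and log the returned mode, so a build against a library without PHA is visible in deployment rather than discovered at connection time.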