From 7293bec3b39a11a17f1ffc3a1e2f179356de2b07 Mon Sep 17 00:00:00 2001
From: WillChilds-Klein
Date: Tue, 17 Dec 2024 16:16:58 +0000
Subject: [PATCH 1/9] Add ssl.HAS_PHA to detect libssl PHA support
---
 Doc/library/ssl.rst | 6 ++++++
 Lib/ssl.py | 2 +-
 Lib/test/test_httplib.py | 4 ++--
 Lib/test/test_ssl.py | 3 ++-
 Modules/_ssl.c | 6 ++++++
 5 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index b7fb1fc07d199f..349a1bbe89720f 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -934,6 +934,12 @@ Constants
 .. versionadded:: 3.13
+.. data:: HAS_PHA
+
+ Whether the OpenSSL library has built-in support for TLS post-handshake auth (PHA).
+
+ .. versionadded:: 3.14
+
 .. data:: CHANNEL_BINDING_TYPES
 List of supported TLS channel binding types. Strings in this list
diff --git a/Lib/ssl.py b/Lib/ssl.py
index c8703b046cfd4b..05df4ad7f0f05c 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -116,7 +116,7 @@ from _ssl import (
 HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
- HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK
+ HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA
 )
 from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 9d853d254db7c6..4260c42eb0c599 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -2073,8 +2073,8 @@ def test_host_port(self):
 def test_tls13_pha(self):
 import ssl
- if not ssl.HAS_TLSv1_3:
- self.skipTest('TLS 1.3 support required')
+ if not ssl.HAS_TLSv1_3 or not ssl.HAS_PHA:
+ self.skipTest('TLS 1.3 post-handshake auth (PHA) support required')
 # just check status of PHA flag
 h = client.HTTPSConnection('localhost', 443)
 self.assertTrue(h._context.post_handshake_auth)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 3f6f890bbdc658..c16ef3f96f9a21 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
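Review bot: The feature gate in test_tls13_pha is evaluated inside the test body, while the matching gate added to test_ssl.py in this same patch (the TestPostHandshakeAuth hunk) uses `@unittest.skipUnless`, so two tests for the same capability use two different idioms. If `ssl` is importable at module level in this file, `@unittest.skipUnless(ssl.HAS_TLSv1_3 and ssl.HAS_PHA, 'TLS 1.3 PHA support required')` would keep the two consistent and make the skip visible at discovery; the function-local `import ssl` suggests the module may be optional here, in which case the in-body check is the right choice and a one-line comment saying why would help the next reader. Either way the condition reads more directly as `if not (ssl.HAS_TLSv1_3 and ssl.HAS_PHA):`. The same two lines are touched again in patch 6/9, which only shortens the skip message.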
@@ -4494,7 +4494,8 @@ def server_callback(identity):
 s.connect((HOST, server.port))
-@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
+@unittest.skipUnless(has_tls_version('TLSv1_3') and ssl.HAS_PHA,
+ "Test needs TLS 1.3 PHA")
 class TestPostHandshakeAuth(unittest.TestCase):
 def test_pha_setter(self):
 protocols = [
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index e7df132869fee6..74cf99957389e2 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -6553,6 +6553,12 @@ sslmodule_init_constants(PyObject *m)
 addbool(m, "HAS_PSK", 1);
 #endif
+#ifdef SSL_VERIFY_POST_HANDSHAKE
+ addbool(m, "HAS_PHA", 1);
+#else
+ addbool(m, "HAS_PHA", 0);
+#endif
+
 #undef addbool
 #undef ADD_INT_CONST
From 9543715d7c381a530ee098bdac4de1bda779122f Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Tue, 17 Dec 2024 18:20:40 +0000
Subject: [PATCH 2/9] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
new file mode 100644
index 00000000000000..b7a36a14d4b628
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
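Review bot: Gating the whole TestPostHandshakeAuth class on `ssl.HAS_PHA` means that on a build without PHA nothing exercises the new constant at all, and nothing pins what `SSLContext.post_handshake_auth` does when the feature is absent, so a silent no-op on such a build would go unnoticed even though callers set that attribute to have clients authenticated. A small unconditional check such as `self.assertIsInstance(ssl.HAS_PHA, bool)` next to the other HAS_* assertions, if this file has them, would at least pin the export. A companion test for the False case, asserting whatever the setter's behaviour is on a non-PHA build, would keep the class-level skip from hiding it. The class body continues past the end of the hunk.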
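Review bot: `HAS_PHA` is decided by `#ifdef SSL_VERIFY_POST_HANDSHAKE` at compile time, so it reports the OpenSSL headers CPython was built against rather than the libssl that is loaded at run time, whereas the ssl.rst wording in this series ("Whether the OpenSSL library has built-in support") reads as a runtime property. A comment on the new block, `/* Build-time check against the OpenSSL headers; the libssl loaded at run time may differ. */`, and a matching sentence in the docs would set expectations for callers that branch on the flag. If the PHA code paths elsewhere in _ssl.c (the `post_handshake_auth` setter and `verify_client_post_handshake`) are guarded by a different macro, the two guards can disagree on some builds, so sharing one condition would be safer. sslmodule_init_constants continues outside the hunk.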
@@ -0,0 +1 @@
+TLSv1.3 post-handshake client authentication (PHA), often referred to as "mutual TLS" or "mTLS", allows TLS servers to authenticate client identities using digital certificates. This commit exposes a boolean property `ssl.HAS_PHA` to indicate whether the crypto library CPython is built against supports PHA, allowing python's test suite and consuming modules to branch accordingly.
From 0c8f5ddfac8cf7cb2d9a6978c28834af0a3eb3e7 Mon Sep 17 00:00:00 2001
From: Will Childs-Klein
Date: Tue, 17 Dec 2024 13:21:48 -0500
Subject: [PATCH 3/9] Update Doc/library/ssl.rst
Co-authored-by: Tomas R.
---
 Doc/library/ssl.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 349a1bbe89720f..76e99fa2f53281 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -938,7 +938,7 @@ Constants
 Whether the OpenSSL library has built-in support for TLS post-handshake auth (PHA).
- .. versionadded:: 3.14
+ .. versionadded:: next
 .. data:: CHANNEL_BINDING_TYPES
From fcb7190187183464e207b092280360b108a436b2 Mon Sep 17 00:00:00 2001
From: WillChilds-Klein
Date: Tue, 17 Dec 2024 18:35:49 +0000
Subject: [PATCH 4/9] Fix news lint
---
 .../2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
index b7a36a14d4b628..720950ba2b389c 100644
--- a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
@@ -1 +1 @@
-TLSv1.3 post-handshake client authentication (PHA), often referred to as "mutual TLS" or "mTLS", allows TLS servers to authenticate client identities using digital certificates. This commit exposes a boolean property `ssl.HAS_PHA` to indicate whether the crypto library CPython is built against supports PHA, allowing python's test suite and consuming modules to branch accordingly.
+TLSv1.3 post-handshake client authentication (PHA), often referred to as "mutual TLS" or "mTLS", allows TLS servers to authenticate client identities using digital certificates. This commit exposes a boolean property ``ssl.HAS_PHA`` to indicate whether the crypto library CPython is built against supports PHA, allowing python's test suite and consuming modules to branch accordingly.
From f7850fd8bbd1e2ae15bc844386b8b17368ac94e2 Mon Sep 17 00:00:00 2001
From: Will Childs-Klein
Date: Tue, 17 Dec 2024 15:04:43 -0500
Subject: [PATCH 5/9] Update Doc/library/ssl.rst
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 Doc/library/ssl.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 76e99fa2f53281..fc07f7fbebc9af 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -936,7 +936,7 @@ Constants
 .. data:: HAS_PHA
- Whether the OpenSSL library has built-in support for TLS post-handshake auth (PHA).
+ Whether the OpenSSL library has built-in support for TLS-PHA.
 .. versionadded:: next
From 57ce78f1ce7618d41cd1af19cae5c87c838cb673 Mon Sep 17 00:00:00 2001
From: Will Childs-Klein
Date: Tue, 17 Dec 2024 15:04:51 -0500
Subject: [PATCH 6/9] Update Lib/test/test_httplib.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 Lib/test/test_httplib.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 4260c42eb0c599..89963dadeb152b 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -2074,7 +2074,7 @@ def test_host_port(self):
 def test_tls13_pha(self):
 import ssl
 if not ssl.HAS_TLSv1_3 or not ssl.HAS_PHA:
- self.skipTest('TLS 1.3 post-handshake auth (PHA) support required')
+ self.skipTest('TLS 1.3 PHA support required')
 # just check status of PHA flag
 h = client.HTTPSConnection('localhost', 443)
 self.assertTrue(h._context.post_handshake_auth)
From 65e6a0d1c09382c19c565752f2d38edeac89f3bd Mon Sep 17 00:00:00 2001
From: WillChilds-Klein
Date: Tue, 17 Dec 2024 20:10:45 +0000
Subject: [PATCH 7/9] Shorten news entry, update whatsnew
---
 Doc/whatsnew/3.14.rst | 6 ++++++
 .../2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/Doc/whatsnew/3.14.rst b/Doc/whatsnew/3.14.rst
index 342456cbc397f3..5305020a6d5404 100644
--- a/Doc/whatsnew/3.14.rst
+++ b/Doc/whatsnew/3.14.rst
@@ -591,6 +591,12 @@ symtable
 (Contributed by Bénédikt Tran in :gh:`120029`.)
+ssl
+---
+
+* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3
+ post-handshake client authentication (PHA). (Contributed by Will Childs-Klein in
+ :gh:`128036`.)
 sys
 ---
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
index 720950ba2b389c..27815d48425334 100644
--- a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
@@ -1 +1 @@
-TLSv1.3 post-handshake client authentication (PHA), often referred to as "mutual TLS" or "mTLS", allows TLS servers to authenticate client identities using digital certificates. This commit exposes a boolean property ``ssl.HAS_PHA`` to indicate whether the crypto library CPython is built against supports PHA, allowing python's test suite and consuming modules to branch accordingly.
+Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3 post-handshake client authentication (PHA). Patch by Will Childs-Klein.
From 63df08158ef66dc13db5e30e7f860424b3fb9d93 Mon Sep 17 00:00:00 2001
From: WillChilds-Klein
Date: Tue, 17 Dec 2024 21:38:09 +0000
Subject: [PATCH 8/9] Move whatsnew section
---
 Doc/whatsnew/3.14.rst | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/Doc/whatsnew/3.14.rst b/Doc/whatsnew/3.14.rst
index 5305020a6d5404..8bd2e8768b8baa 100644
--- a/Doc/whatsnew/3.14.rst
+++ b/Doc/whatsnew/3.14.rst
@@ -580,6 +580,13 @@ pydoc
 (Contributed by Jelle Zijlstra in :gh:`101552`.)
+ssl
+---
+
+* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3
+ post-handshake client authentication (PHA). (Contributed by Will Childs-Klein in
+ :gh:`128036`.)
+
 symtable
 --------
@@ -591,13 +598,6 @@ symtable
 (Contributed by Bénédikt Tran in :gh:`120029`.)
-ssl
----
-
-* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3
- post-handshake client authentication (PHA). (Contributed by Will Childs-Klein in
- :gh:`128036`.)
-
 sys
 ---
From a3548a8cafd6641f99d824aef73b8643dde56493 Mon Sep 17 00:00:00 2001
From: WillChilds-Klein
Date: Mon, 23 Dec 2024 13:18:19 +0000
Subject: [PATCH 9/9] Fix whatsnew formatting
---
 Doc/whatsnew/3.14.rst | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/Doc/whatsnew/3.14.rst b/Doc/whatsnew/3.14.rst
index 8bd2e8768b8baa..10b26eb6c366b8 100644
--- a/Doc/whatsnew/3.14.rst
+++ b/Doc/whatsnew/3.14.rst
@@ -583,9 +583,10 @@ pydoc
 ssl
 ---
-* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3
- post-handshake client authentication (PHA). (Contributed by Will Childs-Klein in
- :gh:`128036`.)
+* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports
+ TLSv1.3 post-handshake client authentication (PHA).
+ (Contributed by Will Childs-Klein in :gh:`128036`.)
+
 symtable
 --------
@@ -598,6 +599,7 @@ symtable
 (Contributed by Bénédikt Tran in :gh:`120029`.)
+
 sys
 ---