[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2020-10-16 Thread Benjamin Peterson
Change by Benjamin Peterson: resolution: -> fixed; stage: patch review -> resolved; status: open -> closed

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2020-10-16 Thread Irit Katriel
Irit Katriel added the comment: Can this be closed? 2.7 is no longer relevant. -- nosy: +iritkatriel

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-08-28 Thread Benjamin Peterson
Benjamin Peterson added the comment: Yes, please.

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-08-27 Thread Christian Heimes
Christian Heimes added the comment: 3.7 to 3.9 are fixed. Benjamin, do you want the fix in 2.7? -- priority: release blocker -> high

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-08-23 Thread Łukasz Langa
Łukasz Langa added the comment: Should this be closed?

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-07-02 Thread Ned Deily
Ned Deily added the comment: New changeset 5b45fb0a449543fab6e7b606e51b739cb316d3c4 by Ned Deily (Miss Islington (bot)) in branch '3.7': [3.7] bpo-37428: Don't set PHA verify flag on client side (GH-14421) (GH-14493) https://github.com/python/cpython/commit/5b45fb0a449543fab6e7b606e51b739cb31

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-07-01 Thread Christian Heimes
Christian Heimes added the comment: New changeset f22c4cf11d10f52faa86e0b308dd28f11819efd8 by Christian Heimes in branch '3.8': [3.8] bpo-37428: Don't set PHA verify flag on client side (GH-14494) https://github.com/python/cpython/commit/f22c4cf11d10f52faa86e0b308dd28f11819efd8

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-30 Thread miss-islington
miss-islington added the comment: New changeset cf7617460a920dd75ced017792045d3ae77648ad by Miss Islington (bot) in branch '3.7': [3.7] bpo-37428: Don't set PHA verify flag on client side (GH-14421) (GH-14493) https://github.com/python/cpython/commit/cf7617460a920dd75ced017792045d3ae77648ad

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-30 Thread Christian Heimes
Change by Christian Heimes: pull_requests: +14310; pull_request: https://github.com/python/cpython/pull/14494

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-30 Thread miss-islington
Change by miss-islington: pull_requests: +14309; pull_request: https://github.com/python/cpython/pull/14493

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-30 Thread miss-islington
miss-islington added the comment: New changeset f0f5930ac88482ef896283db5be9b8d508d077db by Miss Islington (bot) (Christian Heimes) in branch 'master': bpo-37428: Don't set PHA verify flag on client side (GH-14421) https://github.com/python/cpython/commit/f0f5930ac88482ef896283db5be9b8d508d07

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-30 Thread Florian Bruhin
Change by Florian Bruhin: nosy: +The Compiler

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-29 Thread Ned Deily
Ned Deily added the comment: Christian, do you have an estimate for when these issues will be resolved? We are holding 3.7.4 right now. -- nosy: +benjamin.peterson, lukasz.langa; priority: deferred blocker -> release blocker

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-28 Thread Christian Heimes
Christian Heimes added the comment: There are currently two issues with TLS 1.3 in Python. The issue https://bugs.python.org/issue37440 can be worked around easily with a custom SSLContext. This issue is a bigger problem because there is no possible workaround. The bug is going to break app

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-28 Thread Ned Deily
Ned Deily added the comment: "Assuming no critical problems are found prior to 2019-06-28, no code changes are planned between these release candidates and the final releases." We were planning to start producing the final release artifacts in a couple of hours so we need to make a decision

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-28 Thread Christian Heimes
Christian Heimes added the comment: This issue breaks some stuff at work. I would appreciate if we can get the fix into 3.7.4. I wasn't aware that we are so close to cut-off to 3.7.4 release. What does the fix do? I moved all PHA related flags / options from SSL_CTX* to SSL*. The flags and

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-27 Thread Ned Deily
Ned Deily added the comment: Christian, just confirming that, since you have not set this as a "release blocker", 3.7.4 will go out without it. -- nosy: +ned.deily

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-27 Thread Christian Heimes
Change by Christian Heimes: keywords: +patch; pull_requests: +14237; stage: -> patch review; pull_request: https://github.com/python/cpython/pull/14421

[issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

2019-06-27 Thread Christian Heimes
New submission from Christian Heimes: Enabling TLS 1.3 post handshake auth also enables cert chain validation. OpenSSL documents SSL_VERIFY_POST_HANDSHAKE as ignored for client side. However tls_process_server_certificate in the client state machine code does not ignore the flag and checks f