From: Will Childs-Klein
Date: Tue, 24 Dec 2024 18:29:27 +0000 (-0600)
Subject: gh-128035: Add ssl.HAS_PHA to detect libssl PHA support (GH-128036)
X-Git-Tag: v3.14.0a4~199
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=418114c139666f33abff937e40ccbbbdce15bc39;p=thirdparty%2FPython%2Fcpython.git
gh-128035: Add ssl.HAS_PHA to detect libssl PHA support (GH-128036)
* Add ssl.HAS_PHA to detect libssl Post-Handshake-Auth support
Co-authored-by: Tomas R.
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index f07d151a8856..9d7b6aa66cd4 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -934,6 +934,12 @@ Constants
    .. versionadded:: 3.13
+.. data:: HAS_PHA
+
+   Whether the OpenSSL library has built-in support for TLS-PHA.
+
+   .. versionadded:: next
+
 .. data:: CHANNEL_BINDING_TYPES
    List of supported TLS channel binding types. Strings in this list
diff --git a/Doc/whatsnew/3.14.rst b/Doc/whatsnew/3.14.rst
index 97a37a82f76b..0dcee56b7d23 100644
--- a/Doc/whatsnew/3.14.rst
+++ b/Doc/whatsnew/3.14.rst
@@ -584,6 +584,14 @@ pydoc
   (Contributed by Jelle Zijlstra in :gh:`101552`.)
+ssl
+---
+
+* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports
+  TLSv1.3 post-handshake client authentication (PHA).
+  (Contributed by Will Childs-Klein in :gh:`128036`.)
+
+
 symtable
 --------
diff --git a/Lib/ssl.py b/Lib/ssl.py
index c8703b046cfd..05df4ad7f0f0 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -116,7 +116,7 @@ except ImportError:
 from _ssl import (
     HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
-    HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK
+    HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA
 )
 from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 9d853d254db7..89963dadeb15 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -2073,8 +2073,8 @@ class HTTPSTest(TestCase):
     def test_tls13_pha(self):
         import ssl
-        if not ssl.HAS_TLSv1_3:
-            self.skipTest('TLS 1.3 support required')
+        if not ssl.HAS_TLSv1_3 or not ssl.HAS_PHA:
+            self.skipTest('TLS 1.3 PHA support required')
         # just check status of PHA flag
         h = client.HTTPSConnection('localhost', 443)
         self.assertTrue(h._context.post_handshake_auth)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 3f6f890bbdc6..c16ef3f96f9a 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -4494,7 +4494,8 @@ class ThreadedTests(unittest.TestCase):
             s.connect((HOST, server.port))
-@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
+@unittest.skipUnless(has_tls_version('TLSv1_3') and ssl.HAS_PHA,
+                     "Test needs TLS 1.3 PHA")
 class TestPostHandshakeAuth(unittest.TestCase):
     def test_pha_setter(self):
         protocols = [
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
new file mode 100644
index 000000000000..27815d484253
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
@@ -0,0 +1 @@
+Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3 post-handshake client authentication (PHA). Patch by Will Childs-Klein.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index e7df132869fe..74cf99957389 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -6553,6 +6553,12 @@ sslmodule_init_constants(PyObject *m)
     addbool(m, "HAS_PSK", 1);
 #endif
+#ifdef SSL_VERIFY_POST_HANDSHAKE
+    addbool(m, "HAS_PHA", 1);
+#else
+    addbool(m, "HAS_PHA", 0);
+#endif
+
 #undef addbool
 #undef ADD_INT_CONST
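Review bot: HAS_PHA is decided by `#ifdef SSL_VERIFY_POST_HANDSHAKE` in the Modules/_ssl.c hunk, i.e. by the libssl headers present when the module was compiled, while the ssl.rst text added in this commit describes it as whether "the OpenSSL library has built-in support"; a comment should make the build-time nature explicit, since the two test skips in this commit treat the flag as a capability of the library in use. I would add above the `#ifdef`: `/* Build-time check: SSL_VERIFY_POST_HANDSHAKE comes from the libssl headers Python was compiled against; a different libssl loaded at runtime is not probed. */`. Whether such a header/runtime mismatch can arise for a given build is not visible here. sslmodule_init_constants starts outside the hunk.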