Bug 1632660

Summary: TLSv1.3 - enable post-handshake auth
Product: Fedora
Component: perl-IO-Socket-SSL
Reporter: Joe Orton <jorton>
Assignee: Petr Pisar <ppisar>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: 29
CC: alexl, caillon+fedoraproject, jose.p.oliveira.oss, mbarnes, paul, perl-devel, ppisar, rhughes, sandmann
Hardware: Unspecified
OS: Unspecified
Fixed In Version: perl-IO-Socket-SSL-2.060-4.fc30 perl-IO-Socket-SSL-2.060-3.fc29
Doc Type: If docs needed, set a value
Clone Of:
: 1633636 (view as bug list)
Last Closed: 2019-02-14 01:58:04 UTC
Type: Bug
Attachments: PoC patch (flags: none)

Description Joe Orton 2018-09-25 10:35:43 UTC
Created attachment 1486709 [details]
PoC patch

Description of problem:
Post-handshake auth is disabled by default with TLSv1.3. IMO this is an error but upstream don't seem inclined to reverse it atm, see https://github.com/openssl/openssl/issues/6933

Version-Release number of selected component (if applicable):
perl-IO-Socket-SSL-2.059-2.fc29

How reproducible:
always

Steps to Reproduce:
1. try using TLSv1.3 post-handshake auth

Actual results:
fail

Expected results:
success

Additional info:
Can provide more detailed repro case if required.

Comment 1 Joe Orton 2018-09-25 10:37:18 UTC
Patch should be conditional on Net::SSLeay exposing Net::SSLeay::CTX_set_post_handshake_auth which is done in f29 per bug 1630391, not sure how best to do that.

Comment 2 Paul Howarth 2018-09-25 12:17:19 UTC
(In reply to Joe Orton from comment #1)
> Patch should be conditional on Net::SSLeay exposing
> Net::SSLeay::CTX_set_post_handshake_auth which is done in f29 per bug
> 1630391, not sure how best to do that.

Probably by using a $can_pha variable, like $can_npn, $can_alpn, $can_ocsp etc., which are set in the BEGIN block of lib/IO/Socket/SSL.pm.
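The feature-detection approach in the reply above, as an added example written for this page (it is not code from the PoC patch or from IO-Socket-SSL itself): $can_pha follows the naming from the comment, the two helper functions are hypothetical, and the binding name Net::SSLeay::CTX_set_post_handshake_auth is assumed to be the one quoted in comment 1 (a Net::SSLeay built against OpenSSL 1.1.1 or later).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::SSLeay;

# Probe for the binding at compile time, the way lib/IO/Socket/SSL.pm sets
# $can_npn, $can_alpn and $can_ocsp, so older Net::SSLeay builds without the
# XS function still load cleanly instead of dying on an undefined sub.
# Assumption: the binding is named Net::SSLeay::CTX_set_post_handshake_auth.
my $can_pha;
BEGIN {
    $can_pha = defined &Net::SSLeay::CTX_set_post_handshake_auth ? 1 : 0;
}

# Hypothetical helper (not part of IO::Socket::SSL): enable PHA on a raw
# SSL_CTX and report whether it actually happened, so a caller can notice
# that it is running with the OpenSSL default (PHA off) rather than assume.
sub enable_pha_on_ctx {
    my ($ctx) = @_;
    return 0 unless $can_pha;
    Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1);
    return 1;
}

# Hypothetical client-side factory: a context with PHA enabled when possible.
# A client that does not enable PHA never advertises the post_handshake_auth
# extension, so a server cannot request its certificate after the handshake;
# that is the "fail" in the bug's Actual results.
sub make_client_ctx {
    Net::SSLeay::load_error_strings();
    Net::SSLeay::SSLeay_add_ssl_algorithms();
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed";
    my $enabled = enable_pha_on_ctx($ctx);
    return ($ctx, $enabled);
}

my ($ctx, $pha) = make_client_ctx();
print "can_pha=$can_pha, post-handshake auth enabled on context: $pha\n";
Net::SSLeay::CTX_free($ctx);
```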

Comment 4 Petr Pisar 2019-02-08 12:48:21 UTC
Paul, if you don't mind, I will apply that patch. I have an intermittent test for that, which I will include. (It uses the openssl tool; once IO-Socket-SSL obtains server-side support for PHA the test will be rewritten without the openssl tool.)

Comment 5 Paul Howarth 2019-02-08 14:22:38 UTC
Petr, go ahead. I was going to wait until upstream commented on the PR but that doesn't appear to be happening at the moment.

Comment 6 Fedora Update System 2019-02-11 07:55:36 UTC
perl-IO-Socket-SSL-2.060-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8d92841c14

Comment 7 Fedora Update System 2019-02-12 02:50:00 UTC
perl-IO-Socket-SSL-2.060-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8d92841c14

Comment 8 Fedora Update System 2019-02-14 01:58:04 UTC
perl-IO-Socket-SSL-2.060-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.