Bug 1726743

Summary: python-requests / urllib3: Enable post-handshake authentication for TLS 1.3
Product: Red Hat Enterprise Linux 8
Reporter: Christian Heimes <cheimes>
Component: python-urllib3
Assignee: Lumír Balhar <lbalhar>
Status: CLOSED ERRATA
QA Contact: Anna Khaitovich <akhaitov>
Severity: unspecified
Priority: unspecified
Version: 8.1
CC: akhaitov, cheimes, cstratak, lbalhar, pviktori, torsava
Target Milestone: rc
Keywords: Reproducer
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-urllib3-1.24.2-3.el8
Doc Type: Release Note
Doc Text: python-urllib3 now enables post-handshake authentication for TLS 1.3 connections. This feature allows for conditional client cert authentication with TLS 1.3.
Last Closed: 2020-04-28 16:44:48 UTC
Type: Bug
Bug Depends On: 1725721, 1761380
Bug Blocks: 1760850

Description Christian Heimes 2019-07-03 15:36:16 UTC
Description of problem:
urllib3 does not enable post-handshake authentication for TLS 1.3. PHA is required for conditional client cert authentication with TLS 1.3.

The problem affects Dogtag PKI and IPA. Dogtag uses python-requests in its client-side code.

Version-Release number of selected component (if applicable):
python-urllib3-1.24.2-2.el8

How reproducible:
always

Steps to Reproduce:
1. configure a web server to require TLS/SSL client cert authentication for some routes
2. make a connection with urllib3 and/or requests

Actual results:
Request fails because the client does not send the PHA TLS extension with ClientHello.

Expected results:
Client cert authentication with TLS 1.3 works.

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1671353 contains a test scenario that can be easily adopted for urllib3 and requests.

https://github.com/urllib3/urllib3/pull/1635 is my PR for urllib3
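An added illustration (not code from the bug report, urllib3 or requests) of the setting the report is about: a client `ssl.SSLContext` that opts in to TLS 1.3 post-handshake authentication, plus a small check a packager can run against any context factory to confirm PHA is on. The function names are my own; only the standard library is used.

```python
import ssl


def make_pha_client_context(cafile=None):
    """Build a TLS client context with post-handshake authentication (PHA)
    enabled.

    Without PHA the client never advertises the post_handshake_auth
    extension in its ClientHello, so a TLS 1.3 server that only requires a
    client certificate for some routes cannot request one after the
    handshake and the request fails, which is the failure described above.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # The attribute only exists when Python is built against an OpenSSL
    # with TLS 1.3 support (Python 3.7.1+ / OpenSSL 1.1.1+); on older
    # builds PHA is simply unavailable and the context is left unchanged.
    if getattr(ctx, "post_handshake_auth", None) is not None:
        ctx.post_handshake_auth = True
    return ctx


def supports_conditional_client_auth(ctx):
    """Return True when `ctx` can answer a TLS 1.3 server's post-handshake
    CertificateRequest, i.e. PHA is available and switched on.

    A plain ssl.create_default_context() returns False here, which is the
    state urllib3 shipped in before this fix.
    """
    return bool(getattr(ctx, "post_handshake_auth", False))


if __name__ == "__main__":
    ctx = make_pha_client_context()
    print("TLS 1.3 available:", ssl.HAS_TLSv1_3)
    print("PHA enabled on context:", supports_conditional_client_auth(ctx))
```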

Comment 2 Petr Viktorin (pviktori) 2019-07-16 13:07:47 UTC
Can you get the PR merged upstream?

Comment 3 Petr Viktorin (pviktori) 2019-08-13 13:17:49 UTC
Christian, can you get the upstream PR merged?

Comment 4 Christian Heimes 2019-08-14 11:55:16 UTC
Upstream CI was failing for my PR. I have rebased my PR and added an additional test case. Let's see if that's good enough for upstream.

Comment 5 Christian Heimes 2019-08-19 07:40:16 UTC
The fix has landed in upstream commit https://github.com/urllib3/urllib3/commit/6a626be4ff623c25270e20db9002705bf4504e4e

Comment 6 Petr Viktorin (pviktori) 2019-08-27 13:17:00 UTC
The upstream patch includes a test in test_ssl.py.

Comment 7 Lumír Balhar 2019-08-28 12:51:47 UTC
I think that the upstream patch can be easily backported. I'm gonna take a look at that.

Comment 8 Lumír Balhar 2019-08-28 13:25:03 UTC
Commit (my fork, rhel-8.1.0 branch): https://src.osci.redhat.com/fork/lbalhar/rpms/python-urllib3/c/93afaf1e8139d2b8d3c7a2e67838cc501bab2857?branch=rhel-8.1.0
Scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=23218840

The patch also contains a test, and bug #1671353 also contains some info about testing this, so I think that no new tests are needed.

I also had to update the RECENT_DATE variable in src/urllib3/connection.py because there is a test for that. I did it in the %prep section via sed, so it's easily doable again in the future.

Patch is waiting for rhel-8.2.0 branch but it's already ready for a review.

Comment 9 Lumír Balhar 2019-10-22 13:32:43 UTC
PR for RHEL 8.2: https://src.osci.redhat.com/rpms/python-urllib3/pull-request/7

Comment 10 Lumír Balhar 2019-10-22 13:44:20 UTC
Test is backported as well - function `test_create_urllib3_context_pha` in `test/test_ssl.py`.

Comment 15 errata-xmlrpc 2020-04-28 16:44:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1793