Bug 1761403

Summary: python-requests / urllib3: Enable post-handshake authentication for TLS 1.3
Product: [Fedora] Fedora
Reporter: Christian Heimes <cheimes>
Component: python-urllib3
Assignee: Fedora Infrastructure SIG <infra-sig>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 30
CC: aurelien, carl, infra-sig, jcline, jeremy
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-03-22 19:42:51 UTC

Description Christian Heimes 2019-10-14 10:48:04 UTC
This bug was initially created as a copy of Bug #1726743

I am copying this bug because: 
FreeIPA and Dogtag PKI require the fix to become compatible with TLS 1.3. FreeIPA has TLS 1.3 disabled on the server side. We would like to enable it to comply with system-wide crypto policies.


Description of problem:
urllib3 does not enable post-handshake authentication for TLS 1.3. PHA is required for conditional client cert authentication with TLS 1.3.

The problem affects Dogtag PKI and IPA. Dogtag uses python-requests in its client-side code.

Version-Release number of selected component (if applicable):
python-urllib3-1.24.2-2.el8

How reproducible:
always

Steps to Reproduce:
1. configure a web server to require TLS/SSL client cert authentication for some routes
2. make a connection with urllib3 and/or requests

Actual results:
Request fails because the client does not send the PHA TLS extension with ClientHello.

Expected results:
Client cert authentication with TLS 1.3 works.

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1671353 contains a test scenario that can be easily adopted for urllib3 and requests.

https://github.com/urllib3/urllib3/pull/1635 is my PR for urllib3
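The change the report asks for amounts to opting the client-side SSLContext into post-handshake authentication before the handshake starts, so that the ClientHello carries the post_handshake_auth extension and a TLS 1.3 server can request the client certificate later, only for the routes that need it. The following is an added example written for this page; it is not code from the report, from urllib3 or from FreeIPA. It uses only the standard library: ssl.SSLContext.post_handshake_auth and ssl.HAS_TLSv1_3 are the real CPython names, the certificate paths are constructed placeholders, and the urllib3 hand-off at the end assumes that PoolManager accepts an ssl_context keyword and is guarded so the example still runs without urllib3 installed.

```python
import ssl

# Constructed placeholder paths (hypothetical); a deployment substitutes its
# own CA bundle and client credential files.
CA_BUNDLE = "/path/to/ca-bundle.pem"
CLIENT_CERT = "/path/to/client-cert.pem"
CLIENT_KEY = "/path/to/client-key.pem"


def pha_supported():
    """Return True if this interpreter can do TLS 1.3 post-handshake auth.

    ssl.SSLContext.post_handshake_auth is present on Python 3.7.1 and later;
    the report notes that 3.7.4 or newer is needed for correct client-side
    behaviour (bpo-37428). The OpenSSL build must also offer TLS 1.3.
    """
    return hasattr(ssl.SSLContext, "post_handshake_auth") and ssl.HAS_TLSv1_3


def make_client_context(cafile=None, certfile=None, keyfile=None):
    """Build a client SSLContext that advertises PHA in its ClientHello.

    Without post_handshake_auth = True the client never sends the
    post_handshake_auth extension, so a TLS 1.3 server that asks for a
    certificate on a protected route after the handshake cannot get one and
    the request fails, which is the symptom described in this bug.
    """
    # create_default_context gives CERT_REQUIRED plus hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        # The client certificate the server may ask for after the handshake.
        ctx.load_cert_chain(certfile, keyfile)
    if pha_supported():
        # Opt in before connecting. Only TLS 1.3 uses this flag; on a
        # TLS 1.2 connection it is ignored, so it is safe to set always.
        ctx.post_handshake_auth = True
    return ctx


def context_summary(ctx):
    """Report the settings that matter for conditional client-cert auth."""
    return {
        "pha": bool(getattr(ctx, "post_handshake_auth", False)),
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls13_available": ssl.HAS_TLSv1_3,
    }


def make_pool_manager(ctx):
    """Hand the context to urllib3, or return None when urllib3 is absent.

    Assumption: urllib3's HTTPSConnectionPool accepts ssl_context and
    PoolManager forwards the keyword to each pool it creates.
    """
    try:
        import urllib3
    except ImportError:
        return None
    return urllib3.PoolManager(ssl_context=ctx)


if __name__ == "__main__":
    for key, value in context_summary(make_client_context()).items():
        print(f"{key}: {value}")
```

Run it as a script to see whether the local interpreter and OpenSSL can take part in PHA at all; on a build without TLS 1.3 the context is still valid, it just never advertises the extension, which is the same situation as an unfixed urllib3 on a capable Python.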

Comment 1 Christian Heimes 2019-10-14 10:51:35 UTC
The fix is available in urllib3 1.25.4. The fix requires Python 3.7.4 or newer with fix https://bugs.python.org/issue37428.

Comment 2 Christian Heimes 2019-11-13 08:07:09 UTC
Could you please update urllib3 to 1.25.5 or newer on Fedora 30, 31, and rawhide? 1.25.3 does not support TLS 1.3 post-handshake authentication and blocks FreeIPA from using TLS 1.3.

Comment 3 Jeremy Cline 2019-11-13 16:28:27 UTC
Gah, sorry, I got distracted while building it and never filed updates. I probably need to start dropping packages I claim to maintain, but don't really. Anyway, I filed updates for f31 and f30. I can't seem to associate this bug with the bodhi update (I guess the new bodhi broke a lot of stuff). Sorry again for the delay.

Comment 4 Christian Heimes 2019-11-15 09:48:08 UTC
The update is broken because python-requests depends on python3.7dist(urllib3) < 1.25, see https://bodhi.fedoraproject.org/updates/FEDORA-2019-9ca3bd3d44#comment-1135346

Comment 5 Christian Heimes 2019-11-15 09:59:17 UTC
It's a problem with python-requests 2.21 on Fedora 30. The dist git for F30 has been updated to 2.22, but the update was never built and pushed to stable.

Comment 6 Carl George 🤠 2020-03-22 19:42:51 UTC
This looks to be resolved now with python-urllib3-1.25.7-1.fc30 and python-requests-2.22.0-2.fc30 available.