Bug 1725721 - SSLContext.post_handshake_auth implicitly enables cert validation
Summary: SSLContext.post_handshake_auth implicitly enables cert validation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: python3
Version: 8.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Python Maintainers
QA Contact: Lukáš Zachar
URL:
Whiteboard:
Depends On:
Blocks: 1726743
TreeView+ depends on / blocked
 
Reported: 2019-07-01 10:18 UTC by Christian Heimes
Modified: 2019-11-05 22:04 UTC (History)
4 users (show)

Fixed In Version: python3-3.6.8-13.el8
Doc Type: Bug Fix
Doc Text:
Cause: Enabling TLS 1.3 post handshake authentication also enables cert chain validation implicitly on the client side, even though the SSL_VERIFY_POST_HANDSHAKE flag is supposed to be ignored by openssl on the client side. Consequence: SSL/TLS connections can fail with a cert validation error. Fix: SSLContext.post_handshake_auth = True no longer sets SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Result: SSL/TLS connections do not fail with a cert validation error when verify mode is set to CERT_NONE.
Clone Of:
Environment:
Last Closed: 2019-11-05 22:03:44 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Python 37428 None None None 2019-07-01 10:18:21 UTC
Red Hat Product Errata RHSA-2019:3520 None None None 2019-11-05 22:04:04 UTC

Description Christian Heimes 2019-07-01 10:18:21 UTC
Description of problem:
Enabling TLS 1.3 post handshake auth also enables cert chain validation. OpenSSL documents SSL_VERIFY_POST_HANDSHAKE as ignored for client side. However tls_process_server_certificate in the client state machine code does not ignore the flag and checks for a correct cert chain.

see https://github.com/openssl/openssl/issues/9259 and https://github.com/openssl/openssl/blob/743694a6c29e5a6387819523fad5e3b7e613f1ee/ssl/statem/statem_clnt.c#L1899-L1918

Version-Release number of selected component (if applicable):
python3-3.6.8-11.el8

How reproducible:
always

Steps to Reproduce:
See test case https://github.com/python/cpython/blob/fc1fbe6099e826e8304eadf781af7c10d739fc40/Lib/test/test_ssl.py#L4437-L4466

Actual results:
SSL/TLS connection fails with cert validation error

Expected results:
SSL/TLS connection should not fail with a cert validation error when verify mode is set to CERT_NONE

Additional info:

Comment 2 Tomas Orsava 2019-08-28 15:52:00 UTC
Hi Charris,
could you please add a doc type/text here?

Comment 6 errata-xmlrpc 2019-11-05 22:03:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3520


Note You need to log in before you can comment on or make changes to this bug.