1761403 – python-requests / urllib3: Enable post-handshake authentication for TLS 1.3

Bug 1761403 - python-requests / urllib3: Enable post-handshake authentication for TLS 1.3

Summary: python-requests / urllib3: Enable post-handshake authentication for TLS 1.3

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	python-urllib3
Sub Component:
Version:	30
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Fedora Infrastructure SIG
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-10-14 10:48 UTC by Christian Heimes
Modified:	2020-03-22 19:42 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2020-03-22 19:42:51 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Christian Heimes 2019-10-14 10:48:04 UTC

This bug was initially created as a copy of Bug #1726743

I am copying this bug because: 
FreeIPA and Dogtag PKI require the fix to become compatible with TLS 1.3. FreeIPA has TLS 1.3 disabled on the server-side. We like to enable it to comply with system-wide crypto policies.


Description of problem:
urllib3 does not enable post-handshake authentication for TLS 1.3. PHA is required for conditional client cert authentication with TLS 1.3.

The problem affects Dogtag PKI and IPA. Dogtag uses python-requests in its client-side code.

Version-Release number of selected component (if applicable):
python-urllib3-1.24.2-2.el8

How reproducible:
always

Steps to Reproduce:
1. configure a web server to require TLS/SSL client cert authentication for some routes
2. make a connection with urllib3 and/or requests

Actual results:
Request fails because the client does not send the PHA TLS extension with ClientHello.

Expected results:
Client cert authentication with TLS 1.3 works.

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1671353 contains a test scenario that can be easily adopted for urllib3 and requests.

https://github.com/urllib3/urllib3/pull/1635 is my PR for urllib3

Comment 1 Christian Heimes 2019-10-14 10:51:35 UTC

The fix is available in urllib3 1.25.4. The fix requires Python 3.7.4 or newer with fix https://bugs.python.org/issue37428 .

Comment 2 Christian Heimes 2019-11-13 08:07:09 UTC

Could you please update urllib3 to 1.25.5 or newer on Fedora 30, 31, and rawhide? 1.25.3 does not support TLS 1.3 post-handshake authentication and blocks FreeIPA from using TLS 1.3.

Comment 3 Jeremy Cline 2019-11-13 16:28:27 UTC

Gah, sorry, I got distracted while building it and never filed updates. I probably need to start dropping packages I claim to maintain, but don't really. Anyway, I filed updates for f31 and f30. I can't seem to associate this bug with the bodhi update (I guess the new bodhi broke a lot of stuff). Sorry again for the delay.

Comment 4 Christian Heimes 2019-11-15 09:48:08 UTC

The update is broken because the python-requests depends on python3.7dist(urllib3) < 1.25, see https://bodhi.fedoraproject.org/updates/FEDORA-2019-9ca3bd3d44#comment-1135346

Comment 5 Christian Heimes 2019-11-15 09:59:17 UTC

It's a problem with python-requests 2.21 on Fedora 30. The dist git for F30 has been updated to 2.22, but the update was never built and pushed to stable.

Comment 6 Carl George 🤠 2020-03-22 19:42:51 UTC

This looks to be resolved now with python-urllib3-1.25.7-1.fc30 and python-requests-2.22.0-2.fc30 available.

Note You need to log in before you can comment on or make changes to this bug.