Bug 1761403 - python-requests / urllib3: Enable post-handshake authentication for TLS 1.3
Summary: python-requests / urllib3: Enable post-handshake authentication for TLS 1.3
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: python-urllib3
Version: 30
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Fedora Infrastructure SIG
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-10-14 10:48 UTC by Christian Heimes
Modified: 2020-03-22 19:42 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-22 19:42:51 UTC
Type: ---



Description Christian Heimes 2019-10-14 10:48:04 UTC
This bug was initially created as a copy of Bug #1726743

I am copying this bug because:
FreeIPA and Dogtag PKI require the fix to become compatible with TLS 1.3. FreeIPA has TLS 1.3 disabled on the server-side. We would like to enable it to comply with system-wide crypto policies.


Description of problem:
urllib3 does not enable post-handshake authentication for TLS 1.3. PHA is required for conditional client cert authentication with TLS 1.3.

The problem affects Dogtag PKI and IPA. Dogtag uses python-requests in its client-side code.

Version-Release number of selected component (if applicable):
python-urllib3-1.24.2-2.el8

How reproducible:
always

Steps to Reproduce:
1. configure a web server to require TLS/SSL client cert authentication for some routes
2. make a connection with urllib3 and/or requests

Actual results:
Request fails because the client does not send the PHA TLS extension with ClientHello.

Expected results:
Client cert authentication with TLS 1.3 works.

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1671353 contains a test scenario that can be easily adopted for urllib3 and requests.

https://github.com/urllib3/urllib3/pull/1635 is my PR for urllib3
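
Illustration of the configuration the report is about, added here as an example and not code from urllib3, python-requests or the reporter. It builds two client-side ssl.SSLContext objects: one with the pre-1.25.4 behaviour (PHA flag left at its default of False, so the ClientHello carries no post_handshake_auth extension and a server that asks for a client cert only on some routes cannot get one over TLS 1.3) and one with the flag set as urllib3 1.25.4+ does. The pha_supported() guard encodes the requirement from Comment 1 (Python 3.7.4+ with the bpo-37428 fix, and an OpenSSL that has TLS 1.3); the certfile/keyfile parameters and the make_pool helper are assumptions for wiring the context into urllib3 and are not part of the bug report.

```python
import ssl
import sys
from typing import Optional

# Added example (not urllib3's own code). Assumes Python 3.7.4+ with the
# bpo-37428 fix and an OpenSSL build that supports TLS 1.3; the certfile /
# keyfile arguments are hypothetical paths supplied by the caller.


def pha_supported() -> bool:
    """True when this interpreter can request TLS 1.3 post-handshake auth.

    Comment 1 of the bug: the urllib3 fix needs Python 3.7.4 or newer. The
    attribute check covers interpreters built against an OpenSSL without
    TLS 1.3, where SSLContext has no post_handshake_auth at all.
    """
    return (
        sys.version_info >= (3, 7, 4)
        and bool(getattr(ssl, "HAS_TLSv1_3", False))
        and hasattr(ssl.SSLContext, "post_handshake_auth")
    )


def build_legacy_client_context(certfile: Optional[str] = None,
                                keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Weak configuration: the behaviour described in the bug.

    A verifying context with a client certificate loaded, but PHA left off.
    With TLS 1.3 the server cannot ask for the certificate after the
    handshake (e.g. only for a protected route), so the request fails.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def build_pha_client_context(certfile: Optional[str] = None,
                             keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected configuration: the client announces support for PHA.

    Setting post_handshake_auth on the context makes the ClientHello carry
    the post_handshake_auth extension, so a TLS 1.3 server may send a
    CertificateRequest later and conditional client-cert auth works.
    """
    ctx = build_legacy_client_context(certfile, keyfile)
    if pha_supported():
        ctx.post_handshake_auth = True
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Return the security-relevant settings of a context for inspection."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "post_handshake_auth": bool(getattr(ctx, "post_handshake_auth", False)),
    }


def make_pool(ctx: ssl.SSLContext):
    """Hand the context to urllib3 via its ssl_context argument.

    The import is guarded so this example still runs where urllib3 is not
    installed; urllib3 1.25.4+ sets the PHA flag itself, this is only
    needed on older releases or when supplying a custom context.
    """
    try:
        import urllib3
    except ImportError:
        return None
    return urllib3.PoolManager(ssl_context=ctx)


if __name__ == "__main__":
    print("PHA supported on this interpreter:", pha_supported())
    print("legacy :", describe_context(build_legacy_client_context()))
    print("fixed  :", describe_context(build_pha_client_context()))
```

Running the script on a Python older than 3.7.4, or one built against an OpenSSL without TLS 1.3, reports post_handshake_auth as False for both contexts, which is exactly the state the report describes: the client never offers PHA, and any route that requires a client certificate fails over TLS 1.3.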

Comment 1 Christian Heimes 2019-10-14 10:51:35 UTC
The fix is available in urllib3 1.25.4. The fix requires Python 3.7.4 or newer with fix https://bugs.python.org/issue37428 .

Comment 2 Christian Heimes 2019-11-13 08:07:09 UTC
Could you please update urllib3 to 1.25.5 or newer on Fedora 30, 31, and rawhide? 1.25.3 does not support TLS 1.3 post-handshake authentication and blocks FreeIPA from using TLS 1.3.

Comment 3 Jeremy Cline 2019-11-13 16:28:27 UTC
Gah, sorry, I got distracted while building it and never filed updates. I probably need to start dropping packages I claim to maintain, but don't really. Anyway, I filed updates for f31 and f30. I can't seem to associate this bug with the bodhi update (I guess the new bodhi broke a lot of stuff). Sorry again for the delay.

Comment 4 Christian Heimes 2019-11-15 09:48:08 UTC
The update is broken because python-requests depends on python3.7dist(urllib3) < 1.25, see https://bodhi.fedoraproject.org/updates/FEDORA-2019-9ca3bd3d44#comment-1135346

Comment 5 Christian Heimes 2019-11-15 09:59:17 UTC
It's a problem with python-requests 2.21 on Fedora 30. The dist git for F30 has been updated to 2.22, but the update was never built and pushed to stable.

Comment 6 Carl George 🤠 2020-03-22 19:42:51 UTC
This looks to be resolved now with python-urllib3-1.25.7-1.fc30 and python-requests-2.22.0-2.fc30 available.

