This bug was initially created as a copy of Bug #1726743
I am copying this bug because:
FreeIPA and Dogtag PKI require the fix to become compatible with TLS 1.3. FreeIPA has TLS 1.3 disabled on the server side. We would like to enable it to comply with system-wide crypto policies.
Description of problem:
urllib3 does not enable post-handshake authentication for TLS 1.3. PHA is required for conditional client cert authentication with TLS 1.3.
The problem affects Dogtag PKI and IPA. Dogtag uses python-requests in its client-side code.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. configure a web server to require TLS/SSL client cert authentication for some routes
2. make a connection with urllib3 and/or requests
Actual results:
Request fails because the client does not send the PHA TLS extension with ClientHello.
Expected results:
Client cert authentication with TLS 1.3 works.
https://bugzilla.redhat.com/show_bug.cgi?id=1671353 contains a test scenario that can be easily adopted for urllib3 and requests.
https://github.com/urllib3/urllib3/pull/1635 is my PR for urllib3.
The fix is available in urllib3 1.25.4. The fix requires Python 3.7.4 or newer with the fix from https://bugs.python.org/issue37428.
Could you please update urllib3 to 1.25.5 or newer on Fedora 30, 31, and rawhide? 1.25.3 does not support TLS 1.3 post-handshake authentication and blocks FreeIPA from using TLS 1.3.
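The mechanism the report describes, as an added example that is not part of the bug or of urllib3's code: a client-side SSLContext that enables TLS 1.3 post-handshake authentication the same way urllib3 1.25.4 does, with a helper to check whether a given context will advertise the PHA extension. The function names and the optional `cafile`/`certfile`/`keyfile` parameters are assumptions made for this example; only the `post_handshake_auth` attribute and `HAS_TLSv1_3` flag are real Python `ssl` features.

```python
import ssl


def supports_pha():
    """True when this Python/OpenSSL build can do TLS 1.3 post-handshake auth.

    Python only exposes SSLContext.post_handshake_auth when the interpreter
    was built against an OpenSSL with TLS 1.3 support, so both checks matter.
    """
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return bool(getattr(ssl, "HAS_TLSv1_3", False)) and hasattr(probe, "post_handshake_auth")


def create_client_context(cafile=None, certfile=None, keyfile=None):
    """Build a client SSLContext with PHA enabled (illustrative, not urllib3's code).

    Without post_handshake_auth the ClientHello carries no PHA extension, so a
    server that only asks for a client certificate on some routes has no way to
    request it after the handshake and the request fails; with it, the server
    can issue a CertificateRequest later and the client answers with its cert.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if supports_pha():
        # Same attribute the urllib3 fix sets in create_urllib3_context().
        ctx.post_handshake_auth = True
    if certfile:
        # Conditional client auth is useless unless a cert can be presented.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def pha_enabled(ctx):
    """True if the context will advertise post-handshake auth in its ClientHello."""
    return bool(getattr(ctx, "post_handshake_auth", False))


if __name__ == "__main__":
    ctx = create_client_context()
    print("TLS 1.3 PHA supported by this build:", supports_pha())
    print("PHA enabled on context:", pha_enabled(ctx))
```

With urllib3 the context is handed in as `urllib3.PoolManager(ssl_context=create_client_context(certfile=..., keyfile=...))`; on urllib3 1.25.4 or newer with Python 3.7.4 or newer this is unnecessary because the default context already enables the flag, which is exactly the reason the packaged version matters.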
Gah, sorry, I got distracted while building it and never filed updates. I probably need to start dropping packages I claim to maintain, but don't really. Anyway, I filed updates for f31 and f30. I can't seem to associate this bug with the bodhi update (I guess the new bodhi broke a lot of stuff). Sorry again for the delay.
The update is broken because python-requests depends on python3.7dist(urllib3) < 1.25, see https://bodhi.fedoraproject.org/updates/FEDORA-2019-9ca3bd3d44#comment-1135346
It's a problem with python-requests 2.21 on Fedora 30. The dist git for F30 has been updated to 2.22, but the update was never built and pushed to stable.
This looks to be resolved now with python-urllib3-1.25.7-1.fc30 and python-requests-2.22.0-2.fc30 available.