Add support for TLS 1.3 Post Handshake Auth (#82063)

TLS 1.3 adds a different method it can use to request a client
certificate after the handshake but Python does not allow this by
default. This commit sets the attribute needed to enable this scenario
when using client certificates on Python 3.8+, 3.7.1+.
pull/82085/head
Jordan Borean 1 year ago committed by GitHub
parent f5a0c0dfc8
commit b34f4a559f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,2 @@
minor_changes:
- urls - Add support for TLS 1.3 post handshake certificate authentication - https://github.com/ansible/ansible/issues/81782

@ -496,6 +496,12 @@ def make_context(cafile=None, cadata=None, capath=None, ciphers=None, validate_c
context.set_ciphers(':'.join(map(to_native, ciphers)))
if client_cert:
# TLS 1.3 needs this to be set to True to allow post handshake cert
# authentication. This functionality was added in Python 3.8 and was
# backported to 3.6.7, and 3.7.1 so needs a check for now.
if hasattr(context, "post_handshake_auth"):
context.post_handshake_auth = True
context.load_cert_chain(client_cert, keyfile=client_key)
return context

Loading…
Cancel
Save