[New-bugs-announce] [issue37428] SSLContext.post_handshake_auth implicitly enables cert validation

Christian Heimes report at bugs.python.org
Thu Jun 27 06:33:29 EDT 2019


New submission from Christian Heimes <lists at cheimes.de>:

Enabling TLS 1.3 post handshake auth also enables cert chain validation. OpenSSL documents SSL_VERIFY_POST_HANDSHAKE as ignored for client side. However tls_process_server_certificate in the client state machine code does not ignore the flag and checks for a correct cert chain.

see https://github.com/openssl/openssl/issues/9259 and https://github.com/openssl/openssl/blob/743694a6c29e5a6387819523fad5e3b7e613f1ee/ssl/statem/statem_clnt.c#L1899-L1918

----------
assignee: christian.heimes
components: SSL
messages: 346725
nosy: christian.heimes
priority: high
severity: normal
status: open
title: SSLContext.post_handshake_auth implicitly enables cert validation
type: behavior
versions: Python 2.7, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue37428>
_______________________________________
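The combination the report describes (post_handshake_auth on a client context whose verify_mode is CERT_NONE) is easy to audit for in application code. The following is an added example, not code from the report or from CPython; the helper names are made up for illustration.

```python
import ssl


def enable_post_handshake_auth(ctx: ssl.SSLContext) -> bool:
    """Turn on TLS 1.3 post-handshake auth if this build exposes it.

    Returns True when the flag could be set, False on builds without it.
    """
    if not hasattr(ctx, "post_handshake_auth"):
        return False
    ctx.post_handshake_auth = True
    return True


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings about a client-side SSLContext.

    Hypothetical check: flag the setting the report warns about, where the
    client enables post-handshake auth but asks for no chain verification.
    On affected OpenSSL builds the client state machine verifies the server
    chain regardless, so CERT_NONE does not mean what the code says.
    """
    findings = []
    pha = getattr(ctx, "post_handshake_auth", False)
    if pha and ctx.verify_mode == ssl.CERT_NONE:
        findings.append(
            "post_handshake_auth=True with verify_mode=CERT_NONE: the server chain "
            "may still be validated (bpo-37428); set CERT_REQUIRED and load a CA "
            "bundle, or leave post_handshake_auth off."
        )
    return findings


def example_contexts() -> dict:
    """Constructed contexts: one misconfigured client, one explicit strict client."""
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loose.check_hostname = False          # must be cleared before CERT_NONE
    loose.verify_mode = ssl.CERT_NONE
    pha_supported = enable_post_handshake_auth(loose)

    strict = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    strict.load_default_certs()           # say explicitly which roots are trusted
    enable_post_handshake_auth(strict)
    return {"loose": loose, "strict": strict, "pha_supported": pha_supported}


if __name__ == "__main__":
    for name, ctx in example_contexts().items():
        if isinstance(ctx, ssl.SSLContext):
            print(name, audit_client_context(ctx) or "ok")
```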
