bpo-37440: Enable TLS 1.3 post-handshake auth in http.client

[tiran]

Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.

https://bugs.python.org/issue37440

[ned-deily]

Anything we can do to expedite this? It's currently blocking 3.7.4 final and could shortly block 3.8.0 b2. @alex, would you be able to review this? Thanks!

[alex]

I don't think I understand this well enough to really review it -- why don't we always set post_handshake_auth when using TLS 1.3 and client certs?

[tiran]

@alex OpenSSL disables PHA by default because clients must be able to handle it. An application protocol must deal with fact that there is an additional TCP roundtrip involved.

[orsenthil]

Hi @tiran - I reviewed after understanding the relevant context here:

• https://bugs.python.org/issue34670
  and
• 9fb051f#diff-452aa9cf86b07b29d66846b6d0a86687

Especially this part for SSLContext.post_handshake_auth

>    .. note::
      Only available with OpenSSL 1.1.1 and TLS 1.3 enabled. Without TLS 1.3
      support, the property value is None and can't be modified

• The changes look good to me, and tests are helpful to understand the change.
• The review discussion with Alex was helpful to understand why the value is not to True by default.

I am giving my approval, but if you desire additional review+approval, please do seek out to other core-devs.

Thanks!

[miss-islington]

Sorry, I can't merge this PR. Reason: Base branch was modified. Review and try the merge again..

[miss-islington]

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.7, 3.8.
🐍🍒⛏🤖

[bedevere-bot]

GH-14495 is a backport of this pull request to the 3.8 branch.

[bedevere-bot]

GH-14496 is a backport of this pull request to the 3.7 branch.

[miss-islington]

Sorry, @tiran, I could not cleanly backport this to 2.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker d1bd6e79da1ee56dc1b902d804216ffd267399db 2.7