Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow CPython to build against cryptography libraries lacking post-handshake authentication #117784

Closed
WillChilds-Klein opened this issue Apr 11, 2024 · 2 comments
Closed

Allow CPython to build against cryptography libraries lacking post-handshake authentication #117784

WillChilds-Klein opened this issue Apr 11, 2024 · 2 comments
Labels
extension-modules C modules in the Modules dir topic-SSL type-feature A feature request or enhancement

Comments

@WillChilds-Klein
Copy link
Contributor

WillChilds-Klein commented Apr 11, 2024
edited
Loading

Feature or enhancement

Proposal:

As part of a series of changes discussed on the python Ideas board, this issue proposes placing guards around references to TLSv1.3 post-handshake authentication (PHA). This would CPython to build against cryptography libraries lacking full PHA support.

Has this already been discussed elsewhere?

I have already discussed this feature proposal on Discourse

Links to previous discussion of this feature:

https://discuss.python.org/t/support-building-ssl-and-hashlib-modules-against-aws-lc/44505/9

Linked PRs
@WillChilds-Klein WillChilds-Klein added the type-feature A feature request or enhancement label Apr 11, 2024
@AlexWaygood AlexWaygood changed the title Allow CPython to build against cryptography libraries lacking post-handshake authentiction Allow CPython to build against cryptography libraries lacking post-handshake authentication Apr 11, 2024
@bedevere-app bedevere-app bot mentioned this issue Apr 11, 2024
Merged
@arhadthedev arhadthedev added extension-modules C modules in the Modules dir topic-SSL labels Apr 12, 2024
encukou pushed a commit that referenced this issue Jul 1, 2024
@WillChilds-Klein
gh-117784: Only reference PHA functions ifndef SSL_VERIFY_POST_HANDSH…
56a3ce2 
…AKE (GH-117785)

With this change, builds with OpenSSL forks that don't have this functionalty
(like AWS-LC or BoringSSL) will require less patching.
@encukou
Copy link
Member

encukou commented Jul 1, 2024

Thanks!
As this is meant for unsupported builds, I'll not backport to 3.13. Y'all already have patching mechanism :)

Do you want to send more PRs for this issue?

@WillChilds-Klein
Copy link
Contributor Author

No more PRs needed unless you'd like me to add an AWS-LC integration test to CPython's CI. Thank you for your reviews!

Akasurde pushed a commit to Akasurde/cpython that referenced this issue Jul 3, 2024
@WillChilds-Klein @Akasurde
pythongh-117784: Only reference PHA functions ifndef SSL_VERIFY_POST_…
939ef43 
…HANDSHAKE (pythonGH-117785)

With this change, builds with OpenSSL forks that don't have this functionalty
(like AWS-LC or BoringSSL) will require less patching.
noahbkim pushed a commit to hudson-trading/cpython that referenced this issue Jul 11, 2024
@WillChilds-Klein @noahbkim
pythongh-117784: Only reference PHA functions ifndef SSL_VERIFY_POST_…
e9bc192 
…HANDSHAKE (pythonGH-117785)

With this change, builds with OpenSSL forks that don't have this functionalty
(like AWS-LC or BoringSSL) will require less patching.
estyxx pushed a commit to estyxx/cpython that referenced this issue Jul 17, 2024
@WillChilds-Klein @estyxx
pythongh-117784: Only reference PHA functions ifndef SSL_VERIFY_POST_…
ba00904 
…HANDSHAKE (pythonGH-117785)

With this change, builds with OpenSSL forks that don't have this functionalty
(like AWS-LC or BoringSSL) will require less patching.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
extension-modules C modules in the Modules dir topic-SSL type-feature A feature request or enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@encukou @WillChilds-Klein @arhadthedev