Contributor

@WillChilds-Klein WillChilds-Klein commented Dec 17, 2024

Notes

Please see #128035's description.

Testing

  • CPython CI
  • confirmed that PHA-related tests no longer fail when CPython is built against AWS-LC

📚 Documentation preview 📚: https://cpython-previews--128036.org.readthedocs.build/

Member

@tomasr8 tomasr8 left a comment

This will also need a news entry :)

@@ -0,0 +1 @@
TLSv1.3 post-handshake client authentication (PHA), often referred to as "mutual TLS" or "mTLS", allows TLS servers to authenticate client identities using digital certificates. This commit exposes a boolean property ``ssl.HAS_PHA`` to indicate whether the crypto library CPython is built against supports PHA, allowing python's test suite and consuming modules to branch accordingly.
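
Review bot: the opening sentence equates post-handshake client authentication with "mutual TLS" / "mTLS", which is the broader term: a server can also request a client certificate during the handshake itself, and that does not depend on PHA. Suggest dropping the 'often referred to as "mutual TLS" or "mTLS"' clause so readers do not take ``ssl.HAS_PHA`` as a signal for client-certificate support in general. The entry is also worded as a commit description ("This commit exposes ..."); a changelog line reads better when it states what the constant indicates, with "Python's" capitalized.
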
Member

A shorter NEWS should be written. The NEWS is a message that users will see (it's in the changelog). A suggestion:

Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3
post-handshake client authentication (PHA). Patch by YOURNAME.

In addition, you should add a What's New entry in Doc/whatsnew/3.14.rst indicating the additional constant. Usually, the same message as for the NEWS entry can be reused (check the other entries for the formatting).

Contributor Author

Thank you for the guidance. I've updated the news and whatsnew files accordingly.

@WillChilds-Klein WillChilds-Klein marked this pull request as ready for review December 17, 2024 21:22
Comment on lines 73 to 75
* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3
post-handshake client authentication (PHA). (Contributed by Will Childs-Klein in
:gh:`128036`.)
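
Review bot: the two continuation lines of this bullet ("post-handshake client authentication ..." and ":gh:`128036`.)") start at column 0. In reStructuredText they need to be indented to line up with the text after "* ", otherwise the list item ends at its first line and the docs build warns about the unexpected unindent. Indent both lines by two spaces.
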
Member

This should go under Improved modules. You can make a new section for ssl:

ssl
---

* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3
  post-handshake client authentication (PHA). (Contributed by Will Childs-Klein in
  :gh:`128036`.)
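
How consuming code and a test suite might branch on the new constant, as an added example that is not part of this PR or of CPython. `pha_supported`, `client_context` and `requires_pha` are hypothetical names, and the fallback to `ssl.HAS_TLSv1_3` on interpreters that predate `ssl.HAS_PHA` is an assumption.

```python
import ssl
import unittest
from typing import Optional


def pha_supported() -> bool:
    """Report whether this build's ssl module supports TLSv1.3 PHA."""
    # ssl.HAS_PHA is the constant added by this PR. Assumption: on an
    # interpreter that predates it, TLSv1.3 support implies PHA support.
    return bool(getattr(ssl, "HAS_PHA", ssl.HAS_TLSv1_3))


def client_context(require_pha: bool,
                   supported: Optional[bool] = None) -> ssl.SSLContext:
    """Build a verifying client context, failing closed if PHA is required
    but unavailable. `supported` overrides detection (used for testing)."""
    if supported is None:
        supported = pha_supported()
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if require_pha:
        if not supported:
            # Refuse up front instead of connecting without PHA enabled.
            raise RuntimeError("TLSv1.3 post-handshake auth is not supported "
                               "by the crypto library behind the ssl module")
        ctx.post_handshake_auth = True
    return ctx


# Test-suite side: skip PHA-specific tests on builds without support.
requires_pha = unittest.skipUnless(pha_supported(), "requires TLSv1.3 PHA")


class PHAClientTest(unittest.TestCase):
    @requires_pha
    def test_flag_is_set(self):
        self.assertTrue(client_context(True).post_handshake_auth)

    def test_fails_closed(self):
        with self.assertRaises(RuntimeError):
            client_context(True, supported=False)


if __name__ == "__main__":
    unittest.main()
```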