bpo-37428: Don't set PHA verify flag on client side (GH-14421)

SSLContext.post_handshake_auth = True no longer sets SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the option is documented as ignored for clients, OpenSSL implicitly enables cert chain validation when the flag is set. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue37428
author: Christian Heimes <christian@python.org> 2019-07-01 06:29:17 (GMT)
committer: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> 2019-07-01 06:29:17 (GMT)
commit: f0f5930ac88482ef896283db5be9b8d508d077db (patch)
tree: 1dbfd07ab81c76c959ac6b461093ac55d8b3bd84 /Misc
parent: 12b436e3b079fb3e3a7197c089df90a77e3bdd77 (diff)
download: cpython-f0f5930ac88482ef896283db5be9b8d508d077db.zip
cpython-f0f5930ac88482ef896283db5be9b8d508d077db.tar.gz
cpython-f0f5930ac88482ef896283db5be9b8d508d077db.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Library/2019-06-27-13-27-02.bpo-37428._wcwUd.rst b/Misc/NEWS.d/next/Library/2019-06-27-13-27-02.bpo-37428._wcwUd.rst
new file mode 100644
index 0000000..2cdce6b
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2019-06-27-13-27-02.bpo-37428._wcwUd.rst
@@ -0,0 +1,4 @@
+SSLContext.post_handshake_auth = True no longer sets
+SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
+option is documented as ignored for clients, OpenSSL implicitly enables cert
+chain validation when the flag is set.
author	Christian Heimes <christian@python.org>	2019-07-01 06:29:17 (GMT)
committer	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	2019-07-01 06:29:17 (GMT)
commit	f0f5930ac88482ef896283db5be9b8d508d077db (patch)
tree	1dbfd07ab81c76c959ac6b461093ac55d8b3bd84 /Misc
parent	12b436e3b079fb3e3a7197c089df90a77e3bdd77 (diff)
download	cpython-f0f5930ac88482ef896283db5be9b8d508d077db.zip cpython-f0f5930ac88482ef896283db5be9b8d508d077db.tar.gz cpython-f0f5930ac88482ef896283db5be9b8d508d077db.tar.bz2