pythongh-128035: Add ssl.HAS_PHA to detect libssl PHA support (pythonGH-128036)

WillChilds-Klein · tomasr8 · picnixz · srinivasreddy · commit 8ad4e87ae6eb · 2025-01-08T11:37:59.000+05:30
* Add ssl.HAS_PHA to detect libssl Post-Handshake-Auth support

Co-authored-by: Tomas R. &lt;tomas.roun8@gmail.com&gt;
Co-authored-by: Bénédikt Tran &lt;10796600+picnixz@users.noreply.github.com&gt;
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
@@ -934,6 +934,12 @@ Constants
 
    .. versionadded:: 3.13
 
+.. data:: HAS_PHA
+
+   Whether the OpenSSL library has built-in support for TLS-PHA.
+
+   .. versionadded:: next
+
 .. data:: CHANNEL_BINDING_TYPES
 
    List of supported TLS channel binding types.  Strings in this list
diff --git a/Doc/whatsnew/3.14.rst b/Doc/whatsnew/3.14.rst
@@ -584,6 +584,14 @@ pydoc
   (Contributed by Jelle Zijlstra in :gh:`101552`.)
 
 
+ssl
+---
+
+* Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports
+  TLSv1.3 post-handshake client authentication (PHA).
+  (Contributed by Will Childs-Klein in :gh:`128036`.)
+
+
 symtable
 --------
 
diff --git a/Lib/ssl.py b/Lib/ssl.py
@@ -116,7 +116,7 @@
 
 from _ssl import (
     HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
-    HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK
+    HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA
 )
 from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION
 
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
@@ -2073,8 +2073,8 @@ def test_host_port(self):
 
     def test_tls13_pha(self):
         import ssl
-        if not ssl.HAS_TLSv1_3:
-            self.skipTest('TLS 1.3 support required')
+        if not ssl.HAS_TLSv1_3 or not ssl.HAS_PHA:
+            self.skipTest('TLS 1.3 PHA support required')
         # just check status of PHA flag
         h = client.HTTPSConnection('localhost', 443)
         self.assertTrue(h._context.post_handshake_auth)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
@@ -4494,7 +4494,8 @@ def server_callback(identity):
                 s.connect((HOST, server.port))
 
 
-@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
+@unittest.skipUnless(has_tls_version('TLSv1_3') and ssl.HAS_PHA,
+                     "Test needs TLS 1.3 PHA")
 class TestPostHandshakeAuth(unittest.TestCase):
     def test_pha_setter(self):
         protocols = [
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-17-18-20-37.gh-issue-128035.JwqHdB.rst
@@ -0,0 +1 @@
+Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3 post-handshake client authentication (PHA). Patch by Will Childs-Klein.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -6553,6 +6553,12 @@ sslmodule_init_constants(PyObject *m)
     addbool(m, "HAS_PSK", 1);
 #endif
 
+#ifdef SSL_VERIFY_POST_HANDSHAKE
+    addbool(m, "HAS_PHA", 1);
+#else
+    addbool(m, "HAS_PHA", 0);
+#endif
+
 #undef addbool
 #undef ADD_INT_CONST
 

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@`
`116`	`116`
`117`	`117`	`from _ssl import (`
`118`	`118`	`HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,`
`119`		`- HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK`
	`119`	`+ HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3, HAS_PSK, HAS_PHA`
`120`	`120`	`)`
`121`	`121`	`from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION`
`122`	`122`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Indicate through :data:`ssl.HAS_PHA` whether the :mod:`ssl` module supports TLSv1.3 post-handshake client authentication (PHA). Patch by Will Childs-Klein.