Add ssl.HAS_PHA to detect libssl PHA support
Feature or enhancement
Proposal:
TLSv1.3 post-handshake client authentication (PHA), often referred to as "mutual TLS" or "mTLS", allows TLS servers to authenticate client identities using digital certificates. Some TLS libraries do not implement PHA, including actively maintained and widely used libraries such as AWS-LC and BoringSSL.
This issue proposes the addition of a boolean property ssl.HAS_PHA to indicate whether the crypto library CPython is built against supports PHA, allowing Python's test suite and consuming modules to branch accordingly.
This feature has precedent in the ssl.HAS_PSK flag, which indicates support for another TLS feature that is not universally implemented across TLS libraries.
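As an added illustration (not code from this issue or from CPython), the kind of branch a consuming module could take on the proposed flag: a server context that uses post-handshake client authentication when the library supports it and otherwise requests the client certificate during the handshake, which every TLS library implements. The function names and the "unknown means unsupported" policy are this example's own assumptions.

```python
import ssl


def pha_supported():
    """Return ssl.HAS_PHA when the interpreter exposes it (the flag proposed
    here), or None on interpreters that predate it and cannot say."""
    return getattr(ssl, "HAS_PHA", None)


def configure_client_auth(ctx, has_pha=None):
    """Configure a PROTOCOL_TLS_SERVER context to authenticate clients by
    certificate and return a summary of the chosen strategy.

    PHA available: keep verify_mode=CERT_REQUIRED and enable
    post_handshake_auth, so the initial handshake completes without a client
    certificate and the server asks for one later via
    SSLSocket.verify_client_post_handshake() (TLS 1.3 connections only).

    PHA unavailable or unknown (None): demand the client certificate during
    the handshake itself.
    """
    if has_pha is None:
        has_pha = pha_supported()
    ctx.verify_mode = ssl.CERT_REQUIRED
    if has_pha:
        ctx.post_handshake_auth = True
        strategy = "post-handshake"
    else:
        # "Unknown" is treated as "unsupported" (this example's policy): a
        # deferred certificate request that the library silently ignores
        # would leave clients unauthenticated, so do not rely on it.
        strategy = "handshake"
    return {
        "strategy": strategy,
        "post_handshake_auth": bool(ctx.post_handshake_auth),
        "verify_mode": ctx.verify_mode.name,
    }


def new_server_context():
    """Fresh server-side context; the certificate chain and the client CA
    trust store are loaded separately with load_cert_chain() and
    load_verify_locations(), which this offline example omits."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
```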
Has this already been discussed elsewhere?
This is a minor feature, which does not need previous discussion elsewhere.
Links to previous discussion of this feature:
Related changes to increase libcrypto/libssl compatibility (specifically with AWS-LC) have been discussed with the community here.