On 29/06/2019 21.53, Ned Deily wrote:
> On Jun 6, 2019, at 01:43, Ned Deily <nad@python.org> wrote:
>> https://discuss.python.org/t/python-3-7-4rc1-and-3-6-9rc1-cutoffs-ahead-now-... [...]
>> Following the rc1 cutoff, changes merged to the 3.7 branch will be released in 3.7.5 three months from now unless you mark the issue as a release blocker prior to **3.7.4 final**, planned for release on **2019-06-28**, and explain why the change should be cherry-picked into the final release.
>
> Update: 3.7.4 final is delayed at least a few days
>
> A few last-minute release blocker issues were identified shortly before 3.7.4 final was about to be tagged as planned on 2019-06-28, in particular, a couple of TLS 1.3 issues which are of particular importance since we are migrating Windows and macOS installers to OpenSSL 1.1.1 with this release. We are now on hold awaiting resolutions for the remaining items and then we will need to decide whether another release candidate is needed. I am hopeful we will be able to proceed by Monday 2019-07-01; I will keep you updated. And thanks for your help!

Thanks Ned!

The issues are related to TLS 1.3 and client cert authentication. TLS 1.3 dropped renegotiation in favor of rekeying and post-handshake authentication. PHA is required for conditional authentication in HTTP, e.g. when a server only requires authentication for some paths or request methods.

PR https://github.com/python/cpython/pull/14421 fixes a regression in my PHA code for Python's ssl module. OpenSSL behaves slightly differently than documented. SSLContext.post_handshake_auth = True also enabled server cert validation. Alex has reviewed the PR but likes to have a second opinion.

PR https://github.com/python/cpython/pull/14448 enables PHA for http.client.

Christian