Comment 34 for bug 1865900

Revision history for this message
Ken Dreyer (Red Hat) (kdreyer-redhat) wrote :

Focal's curl 7.68.0-1ubuntu2.6 now supports post-handshake client authentication.

curl \
  --tls-max 1.2 \
  --cacert ~/.koji/pki/koji-ca.crt \
  --cert ~/koji-ansible/koji-tools/admin.crt \
  --key ~/koji-ansible/koji-tools/admin.key \

However, python-requests on Focal or Groovy still cannot do post-handshake client auth with the default SSLProtocol setting. Sample Python script:

  import requests

  r = requests.get('https://localhost/kojihub/ssllogin',

 The Apache error logs say:

  [ssl:error] AH10158: cannot perform post-handshake authentication
  [ssl:error] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received

Applying or updating to hirsute's python3-requests_2.25.1+dfsg-2 does work.