Comment 34 for bug 1865900

Ken Dreyer (Red Hat) (kdreyer-redhat) wrote :

Focal's curl 7.68.0-1ubuntu2.6 now supports post-handshake client authentication.

curl \
  --tls-max 1.2 \
  --cacert ~/.koji/pki/koji-ca.crt \
  --cert ~/koji-ansible/koji-tools/admin.crt \
  --key ~/koji-ansible/koji-tools/admin.key \
  https://localhost/kojihub/ssllogin

However, python-requests on Focal or Groovy still cannot do post-handshake client auth with the default SSLProtocol setting. Sample Python script:

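  import requests

  # verify= is the CA bundle used to validate the server certificate;
  # cert= is the client certificate and key offered for TLS client auth.
  r = requests.get('https://localhost/kojihub/ssllogin',
                   verify='.koji/pki/koji-ca.crt',
                   cert=('koji-ansible/koji-tools/admin.crt',
                         'koji-ansible/koji-tools/admin.key'))
  r.raise_for_status()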

The Apache error logs say:

  [ssl:error] AH10158: cannot perform post-handshake authentication
  [ssl:error] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received

Applying https://github.com/psf/requests/commit/db47b9b4a0c5877fb97f64ac442757604c4c45cc or updating to hirsute's python3-requests_2.25.1+dfsg-2 does work.