bpo-40968: Send http/1.1 ALPN extension (#20959)

Signed-off-by: Christian Heimes <christian@python.org>
Christian Heimes 2020-11-13 16:37:52 +01:00 committed by GitHub
parent 09490a109f
commit f97406be4c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 17 additions and 0 deletions


@ -99,6 +99,11 @@ The module provides the following classes:
:attr:`ssl.SSLContext.post_handshake_auth` for the default *context* or :attr:`ssl.SSLContext.post_handshake_auth` for the default *context* or
when *cert_file* is passed with a custom *context*. when *cert_file* is passed with a custom *context*.
.. versionchanged:: 3.10
This class now sends an ALPN extension with protocol indicator
``http/1.1`` when no *context* is given. Custom *context* should set
ALPN protocols with :meth:`~ssl.SSLContext.set_alpn_protocol`.
.. deprecated:: 3.6 .. deprecated:: 3.6
*key_file* and *cert_file* are deprecated in favor of *context*. *key_file* and *cert_file* are deprecated in favor of *context*.


@ -109,6 +109,11 @@ The :mod:`urllib.request` module defines the following functions:
.. versionchanged:: 3.4.3 .. versionchanged:: 3.4.3
*context* was added. *context* was added.
.. versionchanged:: 3.10
HTTPS connection now send an ALPN extension with protocol indicator
``http/1.1`` when no *context* is given. Custom *context* should set
ALPN protocols with :meth:`~ssl.SSLContext.set_alpn_protocol`.
.. deprecated:: 3.6 .. deprecated:: 3.6
*cafile*, *capath* and *cadefault* are deprecated in favor of *context*. *cafile*, *capath* and *cadefault* are deprecated in favor of *context*.


@ -1407,6 +1407,9 @@ else:
self.cert_file = cert_file self.cert_file = cert_file
if context is None: if context is None:
context = ssl._create_default_https_context() context = ssl._create_default_https_context()
# send ALPN extension to indicate HTTP/1.1 protocol
if self._http_vsn == 11:
context.set_alpn_protocols(['http/1.1'])
# enable PHA for TLS 1.3 connections if available # enable PHA for TLS 1.3 connections if available
if context.post_handshake_auth is not None: if context.post_handshake_auth is not None:
context.post_handshake_auth = True context.post_handshake_auth = True
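Review bot: Nothing in this commit tests the new ALPN branch: of the five changed files shown, two are documentation, two are library code and one is the news entry. A test that connects with no *context* to a local TLS server and asserts the server-side `selected_alpn_protocol()` is `'http/1.1'` would pin the behaviour, alongside one asserting that a caller-supplied context is left unmodified. That the added lines sit under `if context is None:` is inferred from the documentation text, because the rendering lost the indentation. Separately, both `versionchanged` notes name `set_alpn_protocol`, while the method called here is `set_alpn_protocols`, so that cross-reference would likely not resolve. The enclosing `__init__` starts and ends outside the hunk.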


@ -202,6 +202,8 @@ def urlopen(url, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH,
cafile=cafile, cafile=cafile,
capath=capath) capath=capath)
# send ALPN extension to indicate HTTP/1.1 protocol
context.set_alpn_protocols(['http/1.1'])
https_handler = HTTPSHandler(context=context) https_handler = HTTPSHandler(context=context)
opener = build_opener(https_handler) opener = build_opener(https_handler)
elif context: elif context:
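Review bot: The added comment `# send ALPN extension to indicate HTTP/1.1 protocol` restates the call beneath it and gives no reason; something like `# bpo-40968: offer http/1.1 via ALPN; this context was created just above, so changing it affects no caller` would record why only this branch does it. The call here is unconditional, whereas the matching change in the http.client section is guarded by `if self._http_vsn == 11:`, and a short remark on why the guard is not needed in `urlopen` would save the next reader from checking. The `elif context:` branch leaves a caller-supplied context untouched, which agrees with the documentation change. `urlopen` starts and ends outside the hunk.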


@ -0,0 +1,2 @@
:mod:`urllib.request` and :mod:`http.client` now send ``http/1.1`` ALPN
extension during TLS handshake when no custom context is supplied.