In earlier TLS versions, OpenSSL allows renegotiation after the initial handshake by default, but with TLSv1.3 the limited form of "reneg" supported - post-handshake client-authentication - is not enabled by default. This PR fixes that so TLSv1.3 behaviour is similar to TLSv1.2 and before.
This is important to allow HTTPS server configurations where specific URI paths are protected by client-cert auth, although "/" is not - and hence a client cert is not required in the initial handshake.
This enables PHA for TLSv1.3 client-side where support is present in Net::SSLeay - see https://github.com/radiator-software/p5-net-ssleay/pull/68