### Subject The change https://github.com/urllib3/urllib3/commit/ae0668899a144edb06c4d2ca9cec96b760a93e6a#diff-f2922ee77cbe0497677cfadf8dff15456050c6670d37d012c9416f37970f0d13R324-R330 introduced when Python 3.7 support was dropped broke TLS 1.3 post_handshake_auth support when a context that was not verifying the server's certificate was being set. Previously the check was ```python if (cert_reqs == ssl.CERT_REQUIRED or sys.version_info >= (3, 7, 4)) and getattr( context, "post_handshake_auth", None ) is not None: context.post_handshake_auth = True ``` Which meant that `context.post_handshake_auth` was being set if Python 3.7.4 or newer was being used regardless of the `cert_reqs` value. With the change in the linked commit the check is now ```python if ( cert_reqs == ssl.CERT_REQUIRED and getattr(context, "post_handshake_auth", None) is not None ): context.post_handshake_auth = True ``` This means it's now only being set if `cert_reqs == ssl.CERT_REQUIRED` so using `ssl.CERT_NONE` to ignore the cert checks breaks this setting. ~~Now that Python 3.8 is the baseline you can just have the `context.post_handshake_auth is not None`~~ Edit: ignore that, looks like SSLContext from pyOpenSSL can be used in some scenario which does not have this attribute so the `getattr` is still needed. See https://github.com/diyan/pywinrm/issues/376#issuecomment-1913759929 for more info. ### Environment Describe your environment. At least, paste here the output of: ```python import platform import ssl import urllib3 print("OS", platform.platform()) print("Python", platform.python_version()) print(ssl.OPENSSL_VERSION) print("urllib3", urllib3.__version__) ``` ``` OS Linux-6.7.1-arch1-1-x86_64-with-glibc2.38 >>> print("Python", platform.python_version()) Python 3.12.0 >>> print(ssl.OPENSSL_VERSION) OpenSSL 3.2.0 23 Nov 2023 >>> print("urllib3", urllib3.__version__) urllib3 2.1.0 ``` ### Steps to Reproduce I unfortunately don't know of a simple web server that provides PHA with TLS 1.3. My tests are against a Windows host with WinRM and Certificate auth which isn't the simplest to setup. ### Expected Behavior Authentication works ### Actual Behavior Authentication fails and the TLS socket is closed by the server because it never receives a certificate from the client.