commit 7d5a3bfd55c7c9de71af877e773dce4554cf455b
author Paul Kehrer <paul.l.kehrer@gmail.com> Mon Jan 21 12:24:02 2019 -0600
committer Alex Gaynor <alex.gaynor@gmail.com> Mon Jan 21 12:24:02 2019 -0600
tree 8a58b2279c0ce53790e06f5e5c29ede75d46f91c
parent 37e6022e8a907ef52a3eba4c53edac8c32bedfc0

Hypothetically fixes pyOpenSSL tests (#805)

* fix openssl CLI testing for 1.1.1

* various 1.1.1 related fixes

some of which are just admitting TLS 1.3 is fundamentally different and
pinning the tests to TLS 1.2

* flake8 fixes

* allow travis_infra env var through

* fix twisted

src/OpenSSL/SSL.py

diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 5cf39c0..0687fc3 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1185,6 +1185,19 @@
         _openssl_assert(
             _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1
         )
+        # In OpenSSL 1.1.1 setting the cipher list will always return TLS 1.3
+        # ciphers even if you pass an invalid cipher. Applications (like
+        # Twisted) have tests that depend on an error being raised if an
+        # invalid cipher string is passed, but without the following check
+        # for the TLS 1.3 specific cipher suites it would never error.
+        tmpconn = Connection(self, None)
+        _openssl_assert(
+            tmpconn.get_cipher_list() != [
+                'TLS_AES_256_GCM_SHA384',
+                'TLS_CHACHA20_POLY1305_SHA256',
+                'TLS_AES_128_GCM_SHA256'
+            ]
+        )
 
     def set_client_ca_list(self, certificate_authorities):
         """