Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / df2480da2c65cf0ddb0427803edbc04516fc237f^! / . / src / OpenSSL / SSL.py
commitdf2480da2c65cf0ddb0427803edbc04516fc237f[log] [tgz]
authorMark Williams <mrw@enotuniq.org>Thu Feb 14 19:30:07 2019 -0800
committerAlex Gaynor <alex.gaynor@gmail.com>Thu Feb 14 22:30:07 2019 -0500
tree914c63ef539fac11414b51f97a9a865315b9331a
parentca749b54ecca378e704ede349c9c9930732af877 [diff] [blame]
Raise an Error with "no cipher match" even with TLS 1.3 (#818)

* Raise an Error with "no cipher match" even with TLS 1.3

This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString
and seamlessly work with TLS 1.3:

https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767

* Split TestContext.test_set_cipher_list_wrong_args into two tests.

diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 5d07b26..de49cf9 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py

@@ -1189,13 +1189,22 @@
         # invalid cipher string is passed, but without the following check
         # for the TLS 1.3 specific cipher suites it would never error.
         tmpconn = Connection(self, None)
-        _openssl_assert(
-            tmpconn.get_cipher_list() != [
+        if (
+            tmpconn.get_cipher_list() == [
                 'TLS_AES_256_GCM_SHA384',
                 'TLS_CHACHA20_POLY1305_SHA256',
                 'TLS_AES_128_GCM_SHA256'
             ]
-        )
+        ):
+            raise Error(
+                [
+                    (
+                        'SSL routines',
+                        'SSL_CTX_set_cipher_list',
+                        'no cipher match',
+                    ),
+                ],
+            )
 
     def set_client_ca_list(self, certificate_authorities):
         """