From df2480da2c65cf0ddb0427803edbc04516fc237f Mon Sep 17 00:00:00 2001
From: Mark Williams <mrw@enotuniq.org>
Date: Thu, 14 Feb 2019 19:30:07 -0800
Subject: [PATCH] Raise an Error with "no cipher match" even with TLS 1.3
(#818)
* Raise an Error with "no cipher match" even with TLS 1.3
This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString
and seamlessly work with TLS 1.3:
https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767
* Split TestContext.test_set_cipher_list_wrong_args into two tests.
---
src/OpenSSL/SSL.py | 15 ++++++++++++---
tests/test_ssl.py | 31 ++++++++++++++++++++++---------
2 files changed, 34 insertions(+), 12 deletions(-)
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 5d07b26..de49cf9 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1196,13 +1196,23 @@ class Context(object):
# invalid cipher string is passed, but without the following check
# for the TLS 1.3 specific cipher suites it would never error.
tmpconn = Connection(self, None)
- _openssl_assert(
- tmpconn.get_cipher_list() != [
- 'TLS_AES_256_GCM_SHA384',
- 'TLS_CHACHA20_POLY1305_SHA256',
- 'TLS_AES_128_GCM_SHA256'
- ]
- )
+ if (
+ tmpconn.get_cipher_list() == [
+ 'TLS_AES_256_GCM_SHA384',
+ 'TLS_CHACHA20_POLY1305_SHA256',
+ 'TLS_AES_128_GCM_SHA256',
+ 'TLS_AES_128_CCM_SHA256'
+ ]
+ ):
+ raise Error(
+ [
+ (
+ 'SSL routines',
+ 'SSL_CTX_set_cipher_list',
+ 'no cipher match',
+ ),
+ ],
+ )
def set_client_ca_list(self, certificate_authorities):
"""
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 38511a4..986463a 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -410,18 +410,31 @@ class TestContext(object):
assert "AES128-SHA" in conn.get_cipher_list()
- @pytest.mark.parametrize("cipher_list,error", [
- (object(), TypeError),
- ("imaginary-cipher", Error),
- ])
- def test_set_cipher_list_wrong_args(self, context, cipher_list, error):
+ def test_set_cipher_list_wrong_type(self, context):
"""
`Context.set_cipher_list` raises `TypeError` when passed a non-string
- argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher
- list string.
+ argument.
"""
- with pytest.raises(error):
- context.set_cipher_list(cipher_list)
+ with pytest.raises(TypeError):
+ context.set_cipher_list(object())
+
+ def test_set_cipher_list_no_cipher_match(self, context):
+ """
+ `Context.set_cipher_list` raises `OpenSSL.SSL.Error` with a
+ `"no cipher match"` reason string regardless of the TLS
+ version.
+ """
+ with pytest.raises(Error) as excinfo:
+ context.set_cipher_list(b"imaginary-cipher")
+ assert excinfo.value.args == (
+ [
+ (
+ 'SSL routines',
+ 'SSL_CTX_set_cipher_list',
+ 'no cipher match',
+ ),
+ ],
+ )
def test_load_client_ca(self, context, ca_file):
"""
--
2.21.0.windows.1