Raise an Error with "no cipher match" even with TLS 1.3 (#818)

* Raise an Error with "no cipher match" even with TLS 1.3 This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString and seamlessly work with TLS 1.3: https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767 * Split TestContext.test_set_cipher_list_wrong_args into two tests.
author: Mark Williams <mrw@enotuniq.org> 2019-02-14 19:30:07 -0800
committer: Alex Gaynor <alex.gaynor@gmail.com> 2019-02-14 22:30:07 -0500
commit: df2480da2c65cf0ddb0427803edbc04516fc237f (patch)
tree: 914c63ef539fac11414b51f97a9a865315b9331a
parent: ca749b54ecca378e704ede349c9c9930732af877 (diff)
download: pyopenssl-git-df2480da2c65cf0ddb0427803edbc04516fc237f.tar.gz
2 files changed, 34 insertions, 12 deletions
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 5d07b26..de49cf9 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1189,13 +1189,22 @@ class Context(object):
         # invalid cipher string is passed, but without the following check
         # for the TLS 1.3 specific cipher suites it would never error.
         tmpconn = Connection(self, None)
-        _openssl_assert(
-            tmpconn.get_cipher_list() != [
+        if (
+            tmpconn.get_cipher_list() == [
                 'TLS_AES_256_GCM_SHA384',
                 'TLS_CHACHA20_POLY1305_SHA256',
                 'TLS_AES_128_GCM_SHA256'
             ]
-        )
+        ):
+            raise Error(
+                [
+                    (
+                        'SSL routines',
+                        'SSL_CTX_set_cipher_list',
+                        'no cipher match',
+                    ),
+                ],
+            )
 
     def set_client_ca_list(self, certificate_authorities):
         """
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 38511a4..986463a 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -410,18 +410,31 @@ class TestContext(object):
 
         assert "AES128-SHA" in conn.get_cipher_list()
 
-    @pytest.mark.parametrize("cipher_list,error", [
-        (object(), TypeError),
-        ("imaginary-cipher", Error),
-    ])
-    def test_set_cipher_list_wrong_args(self, context, cipher_list, error):
+    def test_set_cipher_list_wrong_type(self, context):
         """
         `Context.set_cipher_list` raises `TypeError` when passed a non-string
-        argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher
-        list string.
+        argument.
         """
-        with pytest.raises(error):
-            context.set_cipher_list(cipher_list)
+        with pytest.raises(TypeError):
+            context.set_cipher_list(object())
+
+    def test_set_cipher_list_no_cipher_match(self, context):
+        """
+        `Context.set_cipher_list` raises `OpenSSL.SSL.Error` with a
+        `"no cipher match"` reason string regardless of the TLS
+        version.
+        """
+        with pytest.raises(Error) as excinfo:
+            context.set_cipher_list(b"imaginary-cipher")
+        assert excinfo.value.args == (
+                [
+                    (
+                        'SSL routines',
+                        'SSL_CTX_set_cipher_list',
+                        'no cipher match',
+                    ),
+                ],
+            )
 
     def test_load_client_ca(self, context, ca_file):
         """
author	Mark Williams <mrw@enotuniq.org>	2019-02-14 19:30:07 -0800
committer	Alex Gaynor <alex.gaynor@gmail.com>	2019-02-14 22:30:07 -0500
commit	df2480da2c65cf0ddb0427803edbc04516fc237f (patch)
tree	914c63ef539fac11414b51f97a9a865315b9331a
parent	ca749b54ecca378e704ede349c9c9930732af877 (diff)
download	pyopenssl-git-df2480da2c65cf0ddb0427803edbc04516fc237f.tar.gz