Restore context.set_ciphers() to create_urllib3_context() (#1463)

3 files changed, 22 insertions, 0 deletions

diff --git a/CHANGES.rst b/CHANGES.rst
index f6dc184b..186099d3 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -6,6 +6,8 @@ dev (master)
 
 * Remove quadratic behavior within ``GzipDecoder.decompress()`` (Issue #1467)
 
+* Restored functionality of `ciphers` parameter for `create_urllib3_context()`. (Issue #1462)
+
 * ... [Short description of non-trivial change.] (Issue #)
 
 
diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
index 24ee26d6..64ea192a 100644
--- a/src/urllib3/util/ssl_.py
+++ b/src/urllib3/util/ssl_.py
@@ -263,6 +263,8 @@ def create_urllib3_context(ssl_version=None, cert_reqs=None,
     """
     context = SSLContext(ssl_version or ssl.PROTOCOL_SSLv23)
 
+    context.set_ciphers(ciphers or DEFAULT_CIPHERS)
+
     # Setting the default here, as we may have no ssl module on import
     cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
 
diff --git a/test/test_ssl.py b/test/test_ssl.py
index 76a50259..47359717 100644
--- a/test/test_ssl.py
+++ b/test/test_ssl.py
@@ -70,3 +70,21 @@ def test_sni_missing_warning_with_ip_addresses(monkeypatch, has_sni, server_host
         assert SNIMissingWarning in warnings
     else:
         assert warn.call_count == 0
+
+
+@pytest.mark.parametrize(
+    ["ciphers", "expected_ciphers"],
+    [(None, ssl_.DEFAULT_CIPHERS),
+     ("ECDH+AESGCM:ECDH+CHACHA20", "ECDH+AESGCM:ECDH+CHACHA20")]
+)
+def test_create_urllib3_context_set_ciphers(monkeypatch, ciphers, expected_ciphers):
+
+    context = mock.create_autospec(ssl_.SSLContext)
+    context.set_ciphers = mock.Mock()
+    context.options = 0
+    monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
+
+    assert ssl_.create_urllib3_context(ciphers=ciphers) is context
+
+    assert context.set_ciphers.call_count == 1
+    assert context.set_ciphers.call_args == mock.call(expected_ciphers)