Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added set_ciphersuites() API #963

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Added set_ciphersuites() API #963

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
63c5ac5
Added set_ciphersuites() API
Nov 26, 2020
4f4e2aa
Add PR number
Nov 26, 2020
c71a1c7
Fix link
Nov 26, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion CHANGELOG.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,9 @@ Deprecations:

Changes:
^^^^^^^^

- Added the ``OpenSSL.SSL.Context.set_ciphersuites`` method to
allow setting the TLS 1.3 ciphersuites.
`#963 <https://github.com/pyca/pyopenssl/pull/963>`_
- Added a new optional ``chain`` parameter to ``OpenSSL.crypto.X509StoreContext()``
where additional untrusted certificates can be specified to help chain building.
`#948 <https://github.com/pyca/pyopenssl/pull/948>`_
Expand Down
19 changes: 19 additions & 0 deletions src/OpenSSL/SSL.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1129,6 +1129,25 @@ def set_cipher_list(self, cipher_list):
],
)

def set_ciphersuites(self, ciphersuites):
"""
Set the list of TLS 1.3 ciphersuites to be used in this context.

See the OpenSSL manual for more information (e.g.
:manpage:`ciphers(1)`).

:param bytes ciphersuites: An OpenSSL ciphersuites string.
:return: None
"""
ciphersuites = _text_to_bytes_and_warn("ciphersuites", ciphersuites)

if not isinstance(ciphersuites, bytes):
raise TypeError("ciphersuites must be a byte string.")

_openssl_assert(
_lib.SSL_CTX_set_ciphersuites(self._context, ciphersuites) == 1
)

def set_client_ca_list(self, certificate_authorities):
"""
Set the list of preferred client certificate signers for this server
Expand Down
23 changes: 23 additions & 0 deletions tests/test_ssl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -521,6 +521,29 @@ def test_set_cipher_list_no_cipher_match(self, context):
],
)

@pytest.mark.parametrize(
"ciphersuites",
[b"TLS_AES_256_GCM_SHA384", u"TLS_AES_256_GCM_SHA384"],
)
def test_set_ciphersuites(self, context, ciphersuites):
"""
`Context.set_ciphersuites` accepts both byte and unicode strings
for naming the ciphers which connections created with the context
object will be able to choose from.
"""
context.set_ciphersuites(ciphersuites)
conn = Connection(context, None)

assert "TLS_AES_256_GCM_SHA384" in conn.get_cipher_list()

def test_set_ciphersuites_wrong_type(self, context):
"""
`Context.set_ciphersuites` raises `TypeError` when passed a non-string
argument.
"""
with pytest.raises(TypeError):
context.set_ciphersuites(object())

def test_load_client_ca(self, context, ca_file):
"""
`Context.load_client_ca` works as far as we can tell.
Expand Down