SSL_CTX_set_ciphersuites for tlsv3 context

pyca · Jun 25, 2024 · f84b711 · f84b711
1 parent caa1ab3
commit f84b711
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 3 deletions.
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
@@ -1343,6 +1343,26 @@ def set_tmp_ecdh(self, curve: _EllipticCurve) -> None:
         """
         _lib.SSL_CTX_set_tmp_ecdh(self._context, curve._to_EC_KEY())
 
+    def set_ciphersuites(self, cipher_list: bytes) -> None:
+        """
+        Set the list of ciphers to be used to configure the available TLSv1.3
+        ciphersuites for this context.
+
+        See the OpenSSL manual for more information (e.g.
+        :manpage:`ciphers(1)`).
+
+        :param bytes cipher_list: An OpenSSL cipher string.
+        :return: None
+        """
+        cipher_list = _text_to_bytes_and_warn("cipher_list", cipher_list)
+
+        if not isinstance(cipher_list, bytes):
+            raise TypeError("cipher_list must be a byte string.")
+
+        _openssl_assert(
+            _lib.SSL_CTX_set_ciphersuites(self._context, cipher_list) == 1
+        )
+
     def set_cipher_list(self, cipher_list: bytes) -> None:
         """
         Set the list of ciphers to be used in this context.

diff --git a/tests/test_ssl.py b/tests/test_ssl.py
@@ -486,6 +486,24 @@ class TestContext:
     Unit tests for `OpenSSL.SSL.Context`.
     """
 
+    @pytest.mark.parametrize(
+        "cipher_string",
+        [
+            b"hello world:TLS_AES_128_GCM_SHA256",
+            "hello world:TLS_AES_128_GCM_SHA256",
+        ],
+    )
+    def test_set_ciphersuites(self, context, cipher_string):
+        """
+        `Context.set_ciphersuites` accepts both byte and unicode strings
+        for naming the ciphers which connections created with the context
+        object will be able to choose from.
+        """
+        context.set_ciphersuites(cipher_string)
+        conn = Connection(context, None)
+
+        assert "TLS_AES_128_GCM_SHA256" in conn.get_cipher_list()
+
     @pytest.mark.parametrize(
         "cipher_string",
         [b"hello world:AES128-SHA", "hello world:AES128-SHA"],
@@ -501,14 +519,22 @@ def test_set_cipher_list(self, context, cipher_string):
 
         assert "AES128-SHA" in conn.get_cipher_list()
 
-    def test_set_cipher_list_wrong_type(self, context):
+    def test_set_cipher_wrong_type(self, context):
         """
-        `Context.set_cipher_list` raises `TypeError` when passed a non-string
-        argument.
+        `Context.set_cipher_list` raises `TypeError` when
+         passed a non-string argument.
         """
         with pytest.raises(TypeError):
             context.set_cipher_list(object())
 
+    def test_set_ciphersuites_wrong_type(self, context):
+        """
+        `Context.set_ciphersuites` raises `TypeError` when
+         passed a non-string argument.
+        """
+        with pytest.raises(TypeError):
+            context.set_ciphersuites(object())
+
     @pytest.mark.flaky(reruns=2)
     def test_set_cipher_list_no_cipher_match(self, context):
         """