From 5dc698861c91b4aa83b284b282c0e91cdcee49a3 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Wed, 10 Mar 2021 22:35:24 +0100
Subject: Add SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version bindings (#985)
* add Context.set_*_proto_version, fix #860
* docs: add new openssl tls methods
* accept the fact that nothing can be taken for granted
* bump minimum required cryptography version to 3.3
* drop support for Python 3.5
* use binary wheels for cryptography
* Revert "use binary wheels for cryptography" This reverts commit 91a04c612ed1d0dd9fd541dfefe21cac7c25b1c1.
* docker ci: compile cryptography with rust
---
tests/test_ssl.py | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
(limited to 'tests')
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 27f2d43..e79d9fa 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -48,7 +48,14 @@ from OpenSSL.crypto import dump_privatekey, load_privatekey
 from OpenSSL.crypto import dump_certificate, load_certificate
 from OpenSSL.crypto import get_elliptic_curves
-from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS
+from OpenSSL.SSL import (
+ OPENSSL_VERSION_NUMBER,
+ SSLEAY_VERSION,
+ SSLEAY_CFLAGS,
+ TLS_METHOD,
+ TLS1_2_VERSION,
+ TLS1_1_VERSION,
+)
 from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON
 from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN
 from OpenSSL.SSL import (
@@ -1039,6 +1046,25 @@ class TestContext(object):
 assert all(isinstance(conn, Connection) for conn, line in called)
 assert all(b"CLIENT_RANDOM" in line for conn, line in called)
+ def test_set_proto_version(self):
+ server_context = Context(TLS_METHOD)
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, root_cert_pem)
+ )
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, root_key_pem)
+ )
+ server_context.set_min_proto_version(TLS1_2_VERSION)
+
+ client_context = Context(TLS_METHOD)
+ client_context.set_max_proto_version(TLS1_1_VERSION)
+
+ with pytest.raises(Error, match="unsupported protocol"):
+ self._handshake_test(server_context, client_context)
+
+ client_context.set_max_proto_version(0)
+ self._handshake_test(server_context, client_context)
+
 def _load_verify_locations_test(self, *args):
 """
 Create a client context which will verify the peer certificate and call
-- cgit v1.2.1
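Review bot: The negative case in `test_set_proto_version` pins the OpenSSL error text `unsupported protocol` without showing that the server's `set_min_proto_version(TLS1_2_VERSION)` is what rejected the handshake. If the linked OpenSSL build or its system configuration already refuses TLS 1.1, the handshake may fail regardless of the new binding, and possibly with different wording. A comment above the `pytest.raises` block such as `# the server floor (TLS 1.2) must reject a client capped at TLS 1.1` would state the intent. `client_context.set_max_proto_version(0)` also deserves a comment like `# 0 removes the cap: OpenSSL then allows up to the highest version it supports`. Only the server-minimum/client-maximum direction is exercised, so a mirrored case (server `set_max_proto_version`, client `set_min_proto_version`) would cover both bindings in both roles; `_handshake_test` is defined outside this hunk, so which endpoint raises is not visible here.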