Hypothetically fixes pyOpenSSL tests (#805)

* fix openssl CLI testing for 1.1.1

* various 1.1.1 related fixes

some of which are just admitting TLS 1.3 is fundamentally different and
pinning the tests to TLS 1.2

* flake8 fixes

* allow travis_infra env var through

* fix twisted

1 files changed, 13 insertions, 0 deletions

diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 5cf39c0..0687fc3 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1185,6 +1185,19 @@ class Context(object):
         _openssl_assert(
             _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1
         )
+        # In OpenSSL 1.1.1 setting the cipher list will always return TLS 1.3
+        # ciphers even if you pass an invalid cipher. Applications (like
+        # Twisted) have tests that depend on an error being raised if an
+        # invalid cipher string is passed, but without the following check
+        # for the TLS 1.3 specific cipher suites it would never error.
+        tmpconn = Connection(self, None)
+        _openssl_assert(
+            tmpconn.get_cipher_list() != [
+                'TLS_AES_256_GCM_SHA384',
+                'TLS_CHACHA20_POLY1305_SHA256',
+                'TLS_AES_128_GCM_SHA256'
+            ]
+        )
 
     def set_client_ca_list(self, certificate_authorities):
         """