Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
authorAntoine Pitrou <solipsis@pitrou.net>
Mon, 19 Dec 2011 12:27:11 +0000 (13:27 +0100)
committerAntoine Pitrou <solipsis@pitrou.net>
Mon, 19 Dec 2011 12:27:11 +0000 (13:27 +0100)
choose the cipher based on their own preferences, rather than on the
client's.

Doc/library/ssl.rst
Lib/ssl.py
Lib/test/test_ssl.py
Misc/NEWS
Modules/_ssl.c

index 6651a69c08c4e5541c8c5e55755e1ea2864ffff0..69eaf8b9302bbdb03cdb312efcd9059accfa2fc3 100644 (file)
@@ -421,6 +421,13 @@ Constants
 
    .. versionadded:: 3.2
 
+.. data:: OP_CIPHER_SERVER_PREFERENCE
+
+   Use the server's cipher ordering preference, rather than the client's.
+   This option has no effect on client sockets and SSLv2 server sockets.
+
+   .. versionadded:: 3.3
+
 .. data:: HAS_SNI
 
    Whether the OpenSSL library has built-in support for the *Server Name
index 76f68f0020b9a9254661208a07b3d3f92481be53..0cf2fae63362805aa6b7609aada8ff36ee607efb 100644 (file)
@@ -66,7 +66,10 @@ from _ssl import (
     SSLSyscallError, SSLEOFError,
     )
 from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
-from _ssl import OP_ALL, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1
+from _ssl import (
+    OP_ALL, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1,
+    OP_CIPHER_SERVER_PREFERENCE,
+    )
 from _ssl import RAND_status, RAND_egd, RAND_add, RAND_bytes, RAND_pseudo_bytes
 from _ssl import (
     SSL_ERROR_ZERO_RETURN,
index a2b4040a9c452a548269acc5f7fcb7ee3d866d24..288b714cebc4e83c5c574a2cb3760d8fc66bb219 100644 (file)
@@ -98,6 +98,7 @@ class BasicSocketTests(unittest.TestCase):
         ssl.CERT_NONE
         ssl.CERT_OPTIONAL
         ssl.CERT_REQUIRED
+        ssl.OP_CIPHER_SERVER_PREFERENCE
         self.assertIn(ssl.HAS_SNI, {True, False})
 
     def test_random(self):
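Review bot: The line added to test_constants only proves that `ssl.OP_CIPHER_SERVER_PREFERENCE` exists as an attribute; nothing checks that an SSLContext accepts the flag and reports it back. Because this option decides whose cipher ordering wins during negotiation, a wrong or dropped value would silently leave servers selecting by client preference. I would add a round-trip check next to the existing context options tests (not visible in this hunk), for example `ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE` followed by `self.assertTrue(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)`. test_constants begins above the hunk, so the rest of its body is not shown here.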
index 36ce1f4d8942acfc8c1bb6e28ae4d9e28bade1f2..e04ae7aab1934acada85710c8a5e2c35b4e2d206 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -419,6 +419,10 @@ Core and Builtins
 Library
 -------
 
+- Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
+  choose the cipher based on their own preferences, rather than on the
+  client's.
+
 - Issue #11813: Fix inspect.getattr_static for modules. Patch by Andreas 
   Stührk.
 
index 5772d901de75219ada6a5649a39c636bb029bd73..0f3d2c139e68323483e61e0d5298716605946e4d 100644 (file)
@@ -2450,6 +2450,8 @@ PyInit__ssl(void)
     PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
     PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
     PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
+    PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
+                            SSL_OP_CIPHER_SERVER_PREFERENCE);
 
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
     r = Py_True;