From a2cdbb6e8188ba9ba8b356b28d91bff60e86fe31 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Date: Tue, 7 Oct 2025 13:09:33 +0100
Subject: [PATCH] [3.9] gh-121227: Disallow setting an empty list for NPN
 (GH-137161)

---
 Lib/ssl.py                                                  | 2 ++
 Lib/test/test_ssl.py                                        | 6 ++++++
 .../Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst | 2 ++
 3 files changed, 10 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst

diff --git a/Lib/ssl.py b/Lib/ssl.py
index cb5ec51681e1..a78e6acbfbc9 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -520,6 +520,8 @@ class SSLContext(_SSLContext):
 
     def set_npn_protocols(self, npn_protocols):
         protos = bytearray()
+        if not npn_protocols:
+            raise SSLError('NPN protocols must not be empty')
         for protocol in npn_protocols:
             b = bytes(protocol, 'ascii')
             if len(b) == 0 or len(b) > 255:
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index b9163ae0d5e3..a2e771ed7fd6 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -4219,6 +4219,12 @@ class ThreadedTests(unittest.TestCase):
                 if len(stats['server_npn_protocols']) else 'nothing'
             self.assertEqual(server_result, expected, msg % (server_result, "server"))
 
+    def test_empty_npn_protocols(self):
+        """npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227"""
+        client_context, server_context, hostname = testing_context()
+        with self.assertRaises(ssl.SSLError):
+            server_context.set_npn_protocols([])
+
     def sni_contexts(self):
         server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
         server_context.load_cert_chain(SIGNED_CERTFILE)
diff --git a/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst b/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst
new file mode 100644
index 000000000000..6350f74a396f
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst
@@ -0,0 +1,2 @@
+Raise an :exc:`SSL.SSLError` if an empty *protocols* argument is passed to
+:meth:`ssl.SSLContext.set_npn_protocols` to fix ``CVE-2024-5642``.
-- 
2.47.3