From 6db4944cc57804391b554d96f3400944779617f0 Mon Sep 17 00:00:00 2001
From: Antoine Pitrou
Date: Mon, 19 Dec 2011 13:27:11 +0100
Subject: Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers choose the cipher based on their own preferences, rather than on the client's.
---
 Doc/library/ssl.rst | 7 +++++++
 Lib/ssl.py | 5 ++++-
 Lib/test/test_ssl.py | 1 +
 Misc/NEWS | 4 ++++
 Modules/_ssl.c | 2 ++
 5 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 6651a69..69eaf8b 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -421,6 +421,13 @@ Constants
 .. versionadded:: 3.2
+.. data:: OP_CIPHER_SERVER_PREFERENCE
+
+ Use the server's cipher ordering preference, rather than the client's.
+ This option has no effect on client sockets and SSLv2 server sockets.
+
+ .. versionadded:: 3.3
+
 .. data:: HAS_SNI
 Whether the OpenSSL library has built-in support for the *Server Name
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 76f68f0..0cf2fae 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -66,7 +66,10 @@ from _ssl import (
 SSLSyscallError, SSLEOFError,
 )
 from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
-from _ssl import OP_ALL, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1
+from _ssl import (
+ OP_ALL, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1,
+ OP_CIPHER_SERVER_PREFERENCE,
+ )
 from _ssl import RAND_status, RAND_egd, RAND_add, RAND_bytes, RAND_pseudo_bytes
 from _ssl import (
 SSL_ERROR_ZERO_RETURN,
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index a2b4040..288b714 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -98,6 +98,7 @@ class BasicSocketTests(unittest.TestCase):
 ssl.CERT_NONE
 ssl.CERT_OPTIONAL
 ssl.CERT_REQUIRED
+ ssl.OP_CIPHER_SERVER_PREFERENCE
 self.assertIn(ssl.HAS_SNI, {True, False})
 def test_random(self):
diff --git a/Misc/NEWS b/Misc/NEWS
index 36ce1f4..e04ae7a 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
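Review bot: The line added to the constants test in Lib/test/test_ssl.py, `ssl.OP_CIPHER_SERVER_PREFERENCE`, only proves that the name resolves; nothing in this commit checks that the flag can actually be set on a context. A server that believes it enforces its own cipher order but does not would fall back to the client's ordering without any visible error, so I would add a round-trip check to a test that builds an `ssl.SSLContext`, e.g. `ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE` followed by `self.assertTrue(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)`. The enclosing test method starts above this hunk, so its name and any existing options test are not visible here.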
@@ -419,6 +419,10 @@ Core and Builtins
 Library
 -------
+- Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
+ choose the cipher based on their own preferences, rather than on the
+ client's.
+
 - Issue #11813: Fix inspect.getattr_static for modules. Patch by Andreas Stührk.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 5772d90..0f3d2c1 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2450,6 +2450,8 @@ PyInit__ssl(void)
 PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
 PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
 PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
+ PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
+ SSL_OP_CIPHER_SERVER_PREFERENCE);
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 r = Py_True;
--
cgit v0.12
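Review bot: `SSL_OP_CIPHER_SERVER_PREFERENCE` is used unguarded in the added `PyModule_AddIntConstant` call in Modules/_ssl.c, whereas the context line right after it guards another OpenSSL feature with `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME`. If every OpenSSL version this module builds against defines the macro, that is fine, but it is worth confirming and recording in a comment such as `/* SSL_OP_CIPHER_SERVER_PREFERENCE is defined by all supported OpenSSL versions */`. Adding an `#ifdef` here instead would also need a matching guard for the unconditional import in Lib/ssl.py. The call's return value is ignored, as it is for the neighbouring constants, and PyInit__ssl starts and ends outside this hunk.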