twisted · KaviHarjani · Apr 24, 2024 · Apr 24, 2024 · Apr 25, 2024 · Apr 25, 2024
diff --git a/src/twisted/internet/endpoints.py b/src/twisted/internet/endpoints.py
@@ -1382,6 +1382,7 @@ def _parseSSL(
  privateKey="server.pem",
  certKey=None,
  sslmethod=None,
+ cipher=None,
  interface="",
  backlog=50,
  extraCertChain=None,
@@ -1414,6 +1415,12 @@ def _parseSSL(
  constant in C{OpenSSL.SSL}.
  @type sslmethod: C{str}
 
+ @param cipher: A string containing a list of cipher values, formatted as comma-separated values,
+ These values can be obtained from the OpenSSL documentation at
+ https://www.openssl.org/docs/man1.0.2/man1/ciphers.html.
+ This parameter is optional and can be used to restrict the ciphers supported by your server.
+ @type cipher: C{str}
+
  @param extraCertChain: The path of a file containing one or more
  certificates in PEM format that establish the chain from a root CA to
  the CA that signed your C{certKey}.
@@ -1466,6 +1473,13 @@ def _parseSSL(
  dhParameters=dhParameters,
  **kw,
  )
+ if cipher:
+ cipherBytes = cipher.replace(",", ":").encode("ascii")
+ try:
+ cf.getContext().set_cipher_list(cipherBytes)
+ except SSLError:
+ pass
+
  return ((int(port), factory, cf), {"interface": interface, "backlog": int(backlog)})
 
 
@@ -1768,6 +1782,13 @@ def serverFromString(reactor, description):
  file name (C{certKey}) isn't provided, the private key file is assumed to
  contain the certificate as well.
 
+ For custom cipher list, you can make use of the 'cipher' keyword and a comma seperated
+ string as below::
+
+ serverFromString(
+ reactor, "ssl:443:privateKey=key.pem:certKey=crt.pem:cipher=ALL,!ADH,@STRENGTH,+RSA,-DSA,SHA1+DES"
+ )
+
  You may escape colons in arguments with a backslash, which you will need to
  use if you want to specify a full pathname argument on Windows::
 

diff --git a/src/twisted/internet/test/test_endpoints.py b/src/twisted/internet/test/test_endpoints.py
@@ -3259,6 +3259,44 @@ def test_sslNoTrailingNewlinePem(self):
  ctx = server._sslContextFactory.getContext()
  self.assertIsInstance(ctx, ContextType)
 
+ @skipIf(skipSSL, skipSSLReason)
+ def test_sslWithCustomCipher(self):
+ """
+ A cipher list is supported, using the OpenSSL format.
+ The colon (:) from the OpenSSL format is replaced with a comma (,).
+
+ This test does not provides much functionality coverage as there is no API to retrieve the current configured ciper list.
+ Testing this functionality requires doing a TLS handshake.
+ """
+ reactor = object()
+ server = endpoints.serverFromString(
+ reactor,
+ "ssl:1234:privateKey=%s:"
+ "certKey=%s:cipher=ALL,!ADH,@STRENGTH,+RSA,-DSA,SHA1+DES"
+ % (escapedPEMPathName, escapedPEMPathName),
+ )
+
+ self.assertIsInstance(server, endpoints.SSL4ServerEndpoint)
+ ctx = server._sslContextFactory.getContext()
+ self.assertIsInstance(ctx, ContextType)
+
+ @skipIf(skipSSL, skipSSLReason)
+ def test_sslInvalidCustomCipher(self):
+ """
+ A cipher list is supported, using the OpenSSL format.
+ The colon (:) from the OpenSSL format is replaced with a comma (,).
+ """
+ reactor = object()
+
+ self.assertRaises(
+ endpoints.serverFromString(
+ reactor,
+ "ssl:1234:privateKey=%s:"
+ "certKey=%s:cipher=bla, blah"
+ % (escapedPEMPathName, escapedPEMPathName),
+ )
+ )
+
  def test_unix(self):
  """
  When passed a UNIX strports description, L{endpoint.serverFromString}

diff --git a/src/twisted/newsfragments/12134.feature b/src/twisted/newsfragments/12134.feature
@@ -0,0 +1 @@
+twisted.internet.endpoint.serverFromString now supports defining a cipher list.