Merge pull request #539 from tlsfuzzer/no-brainpool-in-tls1.3

don't negotiate legacy brainpool IDs in TLS 1.3
tlsfuzzer · Jan 7, 2025 · 6bd403a · 6bd403a
2 parents 831c694 + ecc8441
commit 6bd403a
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
@@ -4014,7 +4014,10 @@ def _serverGetClientHello(self, settings, private_key, cert_chain,
                 share_ids = [i.group for i in share.client_shares]
                 acceptable_ids = [getattr(GroupName, i) for i in
                                   chain(settings.keyShares, settings.eccCurves,
-                                        settings.dhGroups)]
+                                        settings.dhGroups)
+                                  if i not in ("brainpoolP512r1",
+                                               "brainpoolP384r1",
+                                               "brainpoolP256r1")]
                 for selected_group in acceptable_ids:
                     if selected_group in share_ids:
                         cl_key_share = next(i for i in share.client_shares