From ecc8441b1d01169a9333c7e35a6d6bd244654996 Mon Sep 17 00:00:00 2001
From: Alicja Kario <hkario@redhat.com>
Date: Mon, 6 Jan 2025 14:53:11 +0100
Subject: [PATCH] don't negotiate legacy brainpool IDs in TLS 1.3

---
 tlslite/tlsconnection.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
index 84250615..c4e6502a 100644
--- a/tlslite/tlsconnection.py
+++ b/tlslite/tlsconnection.py
@@ -4014,7 +4014,10 @@ def _serverGetClientHello(self, settings, private_key, cert_chain,
                 share_ids = [i.group for i in share.client_shares]
                 acceptable_ids = [getattr(GroupName, i) for i in
                                   chain(settings.keyShares, settings.eccCurves,
-                                        settings.dhGroups)]
+                                        settings.dhGroups)
+                                  if i not in ("brainpoolP512r1",
+                                               "brainpoolP384r1",
+                                               "brainpoolP256r1")]
                 for selected_group in acceptable_ids:
                     if selected_group in share_ids:
                         cl_key_share = next(i for i in share.client_shares