don't negotiate legacy brainpool IDs in TLS 1.3

tomato42 · tomato42 · commit ecc8441b1d01 · 2025-01-06T14:53:11.000+01:00
diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
@@ -4014,7 +4014,10 @@ def _serverGetClientHello(self, settings, private_key, cert_chain,
                 share_ids = [i.group for i in share.client_shares]
                 acceptable_ids = [getattr(GroupName, i) for i in
                                   chain(settings.keyShares, settings.eccCurves,
-                                        settings.dhGroups)]
+                                        settings.dhGroups)
+                                  if i not in ("brainpoolP512r1",
+                                               "brainpoolP384r1",
+                                               "brainpoolP256r1")]
                 for selected_group in acceptable_ids:
                     if selected_group in share_ids:
                         cl_key_share = next(i for i in share.client_shares
