From 01256b026f0cb99f88ddec97e7b6dd1fa49f6fbb Mon Sep 17 00:00:00 2001
From: Ruslan Sayfutdinov
Date: Sat, 3 Apr 2021 22:29:47 +0100
Subject: [PATCH] Use fixed list of ciphers
---
 gpsoauth/__init__.py | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/gpsoauth/__init__.py b/gpsoauth/__init__.py
index 9ed3b6b..6307128 100644
--- a/gpsoauth/__init__.py
+++ b/gpsoauth/__init__.py
@@ -8,7 +8,6 @@
 import requests
 from urllib3.poolmanager import PoolManager # type: ignore
-from urllib3.util.ssl_ import DEFAULT_CIPHERS # type: ignore
 from . import google
@@ -28,11 +27,22 @@
 AUTH_URL = "https://android.clients.google.com/auth"
 USER_AGENT = "gpsoauth/" + __version__
-# Blocking AESCCM in urllib3 > 1.26.3 causes Google to return 403 Bad
-# Authentication.
-CIPHERS = ":".join(
- cipher for cipher in DEFAULT_CIPHERS.split(":") if cipher != "!AESCCM"
-)
+# Google is very picky about list of used ciphers. Changing this list most likely
+# will cause BadAuthentication error.
+CIPHERS = [
+ "ECDHE+AESGCM",
+ "ECDHE+CHACHA20",
+ "DHE+AESGCM",
+ "DHE+CHACHA20",
+ "ECDH+AES",
+ "DH+AES",
+ "RSA+AESGCM",
+ "RSA+AES",
+ "!aNULL",
+ "!eNULL",
+ "!MD5",
+ "!DSS",
+]
 class SSLContext(ssl.SSLContext):
@@ -54,7 +64,7 @@ def init_poolmanager(self, *args: Any, **kwargs: Any) -> None:
 Authentication.
 """
 context = SSLContext()
-context.set_ciphers(CIPHERS)
+context.set_ciphers(":".join(CIPHERS))
 context.options |= ssl.OP_NO_COMPRESSION
 context.options |= ssl.OP_NO_SSLv2
 context.options |= ssl.OP_NO_SSLv3
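Review bot: The module-level `CIPHERS` changes from a colon-joined `str` to a mutable `list`, so anything that imported `gpsoauth.CIPHERS` and passed it straight to `set_ciphers` will now fail, and an in-place mutation would silently change the TLS configuration of every later connection. Opening the literal with `CIPHERS = (` and closing it with `)` keeps the new layout without the mutability. Hard-coding the list also means it no longer follows the TLS library's defaults, so the non-forward-secret `RSA+AES` entry and the broad `ECDH+AES`/`DH+AES` entries stay enabled until someone edits this file. The new comment drops the one concrete fact the old one recorded, so I would keep it, for example `# Do not add "!AESCCM": blocking it makes Google return 403 Bad Authentication.`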
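Review bot: The call `context.set_ciphers(":".join(CIPHERS))` pins only the suites for TLS 1.2 and below, because Python's `SSLContext.set_ciphers` does not control TLS 1.3 suites, so the list is less "fixed" than the commit title suggests and the handshake can still vary with the linked OpenSSL. A comment on this line would stop a maintainer from assuming the list defines the whole negotiation, for example `# set_ciphers() does not affect TLS 1.3 suites; those stay at the OpenSSL defaults.` The body of `init_poolmanager` starts and ends outside the hunk, so whether a minimum protocol version is set beyond the visible `OP_NO_SSLv2`/`OP_NO_SSLv3` options cannot be confirmed from here.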