Check for invalid ALPN lists before calling OpenSSL, for consistency

Fixes gh-1043

src/OpenSSL/SSL.py

@@ -1421,6 +1421,12 @@ def set_alpn_protos(self, protos):
             This list should be a Python list of bytestrings representing the
             protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
         """
+        # Different versions of OpenSSL are inconsistent about how they handle empty
+        # proto lists (see #1043), so we avoid the problem entirely by rejecting them
+        # ourselves.
+        if not protos:
+            raise ValueError("at least one protocol must be specified")
+
         # Take the list of protocols and join them together, prefixing them
         # with their lengths.
         protostr = b"".join(
@@ -2449,6 +2455,12 @@ def set_alpn_protos(self, protos):
             This list should be a Python list of bytestrings representing the
             protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
         """
+        # Different versions of OpenSSL are inconsistent about how they handle empty
+        # proto lists (see #1043), so we avoid the problem entirely by rejecting them
+        # ourselves.
+        if not protos:
+            raise ValueError("at least one protocol must be specified")
+
         # Take the list of protocols and join them together, prefixing them
         # with their lengths.
         protostr = b"".join(

tests/test_ssl.py

@@ -1928,7 +1928,7 @@ def test_alpn_call_failure(self):
         protocols list. Ensure that we produce a user-visible error.
         """
         context = Context(SSLv23_METHOD)
-        with pytest.raises(Error):
+        with pytest.raises(ValueError):
             context.set_alpn_protos([])
 
     def test_alpn_set_on_connection(self):