test_ssl test_get_ciphers fails on systems without RSA key exchange #95280
Labels
3.10
bug and security fixes
3.11
bug and security fixes
3.12
new features, bug and security fixes
expert-SSL
type-bug
An unexpected behavior, bug, or error
Comments
tiran
added
type-bug
tiran
added a commit
to tiran/cpython
that referenced
this issue
Jul 26, 2022
This was referenced Jul 26, 2022
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Jul 27, 2022
…nge (pythonGH-95282) (cherry picked from commit 5654030) Co-authored-by: Christian Heimes <christian@python.org>
tiran
added a commit
that referenced
this issue
Jul 27, 2022
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Jul 27, 2022
…nge (pythonGH-95282) (cherry picked from commit 5654030) Co-authored-by: Christian Heimes <christian@python.org>
miss-islington
added a commit
that referenced
this issue
Jul 27, 2022
tiran
added a commit
that referenced
this issue
Jul 27, 2022
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Jul 27, 2022
…nge (pythonGH-95282) (cherry picked from commit 5654030) Co-authored-by: Christian Heimes <christian@python.org>
ambv
pushed a commit
that referenced
this issue
Jul 29, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug report
The test case
test_get_ciphersassumes thatSSLContext.set_ciphers('AESGCM')adds the cipher suitesAES256-GCM-SHA384andAES128-GCM-SHA256. These are OpenSSL's names for AES-GCM with RSA key exchange and RSA authentication:These are old, problematic ciphers suites that do not provide perfect forward secrecy. The ciphers are blocked by some crypto policies, e.g. FIPS 140-3. We should relax the tests a bit and check for variants with FFDH or ECDH key exchange, e.g.
ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384, orDHE-RSA-AES256-GCM-SHA384.The text was updated successfully, but these errors were encountered: