https://github.com/python/cpython/commit/85b6b0e2d2fffbc8a5a84661e3dfee3deb7ab011
commit: 85b6b0e2d2fffbc8a5a84661e3dfee3deb7ab011
branch: 3.12
author: Miss Islington (bot) <31488909+miss-isling...@users.noreply.github.com>
committer: picnixz <10796600+picn...@users.noreply.github.com>
date: 2025-03-29T10:51:11Z
summary:

[3.12] gh-131050: skip `test_dh_params` when TLS library lacks FFDHE 
ciphersuites (GH-131051) (#131875)

gh-131050: skip `test_dh_params` when TLS library lacks FFDHE ciphersuites 
(GH-131051)
(cherry picked from commit be2d2181e62cd138b0cdf80ebc0dd4058187c52a)

Co-authored-by: Will Childs-Klein <willc...@gmail.com>
Co-authored-by: Bénédikt Tran <10796600+picn...@users.noreply.github.com>

files:
A Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst
M Lib/test/test_ssl.py

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 581a1760204e02..75b7e5ca506aa3 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2782,6 +2782,14 @@ def try_protocol_combo(server_protocol, client_protocol, 
expect_success,
                                  % (expect_success, stats['version']))
 
 
+def supports_kx_alias(ctx, aliases):
+    for cipher in ctx.get_ciphers():
+        for alias in aliases:
+            if f"Kx={alias}" in cipher['description']:
+                return True
+    return False
+
+
 class ThreadedTests(unittest.TestCase):
 
     @support.requires_resource('walltime')
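Review bot: The substring test `f"Kx={alias}" in cipher['description']` in `supports_kx_alias` is unanchored and depends on the exact `Kx=` token the TLS library prints, which need not be one of the cipher-name aliases passed in. As far as I recall, OpenSSL describes finite-field DHE suites as `Kx=DH`, so `Kx=DHE` would only match `Kx=DHEPSK` entries and the test could be skipped on builds that do support DHE. Please confirm this against the `get_ciphers()` output on OpenSSL and on the library this skip is aimed at. Matching the aliases against the dash-separated cipher name, as the final check in `test_dh_params` already does, would keep the two checks consistent: `if aliases.intersection(cipher['name'].split('-')):`. A one-line docstring saying that the helper inspects the ciphers currently enabled on `ctx` would also help.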
@@ -3970,8 +3978,13 @@ def test_no_legacy_server_connect(self):
                                    sni_name=hostname)
 
     def test_dh_params(self):
-        # Check we can get a connection with ephemeral Diffie-Hellman
+        # Check we can get a connection with ephemeral finite-field
+        # Diffie-Hellman (if supported).
         client_context, server_context, hostname = testing_context()
+        dhe_aliases = {"ADH", "EDH", "DHE"}
+        if not (supports_kx_alias(client_context, dhe_aliases)
+                and supports_kx_alias(server_context, dhe_aliases)):
+            self.skipTest("libssl doesn't support ephemeral DH")
         # test scenario needs TLS <= 1.2
         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
         try:
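Review bot: The skip decision in `test_dh_params` is taken from the default cipher lists returned by `testing_context()`, before the test narrows the protocol version and whatever else the `try:` block configures (its body is outside this hunk). If the test later selects DHE suites explicitly, a build that supports DHE but leaves it out of the default list would skip instead of run, and the DHE handshake path would lose coverage without any failure. Consider probing after the cipher configuration is applied, or record the limitation next to the check, for example `# probes the default cipher list only; a skip here means no DHE coverage on this build`.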
@@ -3987,7 +4000,7 @@ def test_dh_params(self):
                                    sni_name=hostname)
         cipher = stats["cipher"][0]
         parts = cipher.split("-")
-        if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
+        if not dhe_aliases.intersection(parts):
             self.fail("Non-DH key exchange: " + cipher[0])
 
     def test_ecdh_curve(self):
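Review bot: The failure message on the line after the rewritten condition still uses `cipher[0]`, but `cipher` is already the string `stats["cipher"][0]`, so only the first character of the negotiated suite name is reported. Since the commit touches this check, the message could be fixed at the same time: `self.fail("Non-DH key exchange: " + cipher)`. The full suite name is what someone needs when diagnosing an unexpected key exchange on an unfamiliar TLS library.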
diff --git 
a/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst 
b/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst
new file mode 100644
index 00000000000000..53096738619cff
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst
@@ -0,0 +1 @@
+``test_ssl.test_dh_params`` is skipped if the underlying TLS library does not 
support finite-field ephemeral Diffie-Hellman.
