Skip to content

test_ssl test_get_ciphers fails on systems without RSA key exchange #95280

New issue
New issue
Closed
Closed
test_ssl test_get_ciphers fails on systems without RSA key exchange#95280
Labels
3.10only security fixes3.11only security fixes3.12only security fixestopic-SSLtype-bugAn unexpected behavior, bug, or error
@tiran

Description

@tiran
tiran
opened on Jul 26, 2022

Bug report

The test case test_get_ciphers assumes that SSLContext.set_ciphers('AESGCM') adds the cipher suites AES256-GCM-SHA384 and AES128-GCM-SHA256. These are OpenSSL's names for AES-GCM with RSA key exchange and RSA authentication:

AES256-GCM-SHA384              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256)            Mac=AEAD
AES128-GCM-SHA256              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(128)            Mac=AEAD

These are old, problematic ciphers suites that do not provide perfect forward secrecy. The ciphers are blocked by some crypto policies, e.g. FIPS 140-3. We should relax the tests a bit and check for variants with FFDH or ECDH key exchange, e.g. ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, or DHE-RSA-AES256-GCM-SHA384.

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.10only security fixes3.11only security fixes3.12only security fixestopic-SSLtype-bugAn unexpected behavior, bug, or error

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions