[3.13] gh-131050: skip test_dh_params when TLS library lacks FFDHE ciphersuites (GH-131051) (#131874)

gh-131050: skip `test_dh_params` when TLS library lacks FFDHE ciphersuites (GH-131051) (cherry picked from commit be2d2181e6) Co-authored-by: Will Childs-Klein <willck93@gmail.com> Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
2026-02-13 19:04:37 +00:00 · 2025-03-29 11:54:11 +01:00 · 2025-03-29 11:54:11 +01:00 · 5c2c817723
commit 5c2c817723
parent 9ffa80f21e
2 changed files with 16 additions and 2 deletions
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@ -2810,6 +2810,14 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success,
                                 % (expect_success, stats['version']))


+def supports_kx_alias(ctx, aliases):
+    for cipher in ctx.get_ciphers():
+        for alias in aliases:
+            if f"Kx={alias}" in cipher['description']:
+                return True
+    return False
+
+
 class ThreadedTests(unittest.TestCase):

    @support.requires_resource('walltime')
@ -4070,8 +4078,13 @@ def test_no_legacy_server_connect(self):
                                   sni_name=hostname)

    def test_dh_params(self):
-        # Check we can get a connection with ephemeral Diffie-Hellman
+        # Check we can get a connection with ephemeral finite-field
+        # Diffie-Hellman (if supported).
        client_context, server_context, hostname = testing_context()
+        dhe_aliases = {"ADH", "EDH", "DHE"}
+        if not (supports_kx_alias(client_context, dhe_aliases)
+                and supports_kx_alias(server_context, dhe_aliases)):
+            self.skipTest("libssl doesn't support ephemeral DH")
        # test scenario needs TLS <= 1.2
        client_context.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
@ -4087,7 +4100,7 @@ def test_dh_params(self):
                                   sni_name=hostname)
        cipher = stats["cipher"][0]
        parts = cipher.split("-")
-        if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
+        if not dhe_aliases.intersection(parts):
            self.fail("Non-DH key exchange: " + cipher[0])

    def test_ecdh_curve(self):
--- a/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst
+++ b/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst
@ -0,0 +1 @@
+``test_ssl.test_dh_params`` is skipped if the underlying TLS library does not support finite-field ephemeral Diffie-Hellman.
				`@ -0,0 +1 @@`
				``test_ssl.test_dh_params`` is skipped if the underlying TLS library does not support finite-field ephemeral Diffie-Hellman.