From 80e7fd8f301a30f7fd2e883879f74da25a62fdff Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Mon, 10 Mar 2025 16:04:39 +0000 Subject: [PATCH 1/9] Detect DHE support in test_ssl.py test --- Lib/test/test_ssl.py | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 9863f3ffe97656..fba691419f684a 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -4034,11 +4034,21 @@ def test_no_legacy_server_connect(self): @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows") def test_dh_params(self): - # Check we can get a connection with ephemeral Diffie-Hellman + # Check we can get a connection with ephemeral finite-field Diffie- + # Hellman (if supported). client_context, server_context, hostname = testing_context() + dhe_aliases = ["ADH", "EDH", "DHE"] + def supports_dhe(ctx, aliases) -> bool: + for cipher in ctx.get_ciphers(): + for alias in aliases: + if alias in cipher: + return True + return False + if not (supports_dhe(client_context, dhe_aliases) and + supports_dhe(server_context, dhe_aliases)): + self.skipTest("ssl doesn't support FFDHE") # test scenario needs TLS <= 1.2 client_context.maximum_version = ssl.TLSVersion.TLSv1_2 - server_context.load_dh_params(DHFILE) server_context.set_ciphers("kEDH") server_context.maximum_version = ssl.TLSVersion.TLSv1_2 stats = server_params_test(client_context, server_context, @@ -4046,7 +4056,7 @@ def test_dh_params(self): sni_name=hostname) cipher = stats["cipher"][0] parts = cipher.split("-") - if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts: + if all(a not in parts for a in aliases): self.fail("Non-DH key exchange: " + cipher[0]) def test_ecdh_curve(self): From 61b1a112313a12350651d3fdbe321bc96bb6023b Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Mon, 10 Mar 2025 18:58:06 +0000 Subject: [PATCH 2/9] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst diff --git a/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst b/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst new file mode 100644 index 00000000000000..982ab2a12be205 --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst @@ -0,0 +1 @@ +Some cryptography TLS libraries lack support for "finite field" ephemeral Diffie-Hellman (FFDHE) TLS ciphersuites. This issue proposes modifying `test_ssl`'s `test_dh_params` to skip itself if the underlying TLS library does not support FFDHE. From f3de8b166c1ce2a81df53dc9d8ae12687f0063cf Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Mon, 10 Mar 2025 19:02:21 +0000 Subject: [PATCH 3/9] Fix news blurb lint errors --- .../next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst b/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst index 982ab2a12be205..d218d02e374b1c 100644 --- a/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst +++ b/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst @@ -1 +1 @@ -Some cryptography TLS libraries lack support for "finite field" ephemeral Diffie-Hellman (FFDHE) TLS ciphersuites. This issue proposes modifying `test_ssl`'s `test_dh_params` to skip itself if the underlying TLS library does not support FFDHE. +Some cryptography TLS libraries lack support for "finite field" ephemeral Diffie-Hellman (FFDHE) TLS ciphersuites. This issue proposes modifying ``test_ssl``'s ``test_dh_params`` to skip itself if the underlying TLS library does not support FFDHE. From d4121d73b36571be7b52ed48116d747d244683bd Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Mon, 10 Mar 2025 23:32:44 +0000 Subject: [PATCH 4/9] Adjust skipTest message, add back DHFILE load --- Lib/test/test_ssl.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index fba691419f684a..fde44a00dec09e 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -4046,9 +4046,10 @@ def supports_dhe(ctx, aliases) -> bool: return False if not (supports_dhe(client_context, dhe_aliases) and supports_dhe(server_context, dhe_aliases)): - self.skipTest("ssl doesn't support FFDHE") + self.skipTest("libssl doesn't support (finite-field) DHE") # test scenario needs TLS <= 1.2 client_context.maximum_version = ssl.TLSVersion.TLSv1_2 + server_context.load_dh_params(DHFILE) server_context.set_ciphers("kEDH") server_context.maximum_version = ssl.TLSVersion.TLSv1_2 stats = server_params_test(client_context, server_context, From e3704ca068ad1736aba55fdcd8d40de7b9be2cae Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Thu, 13 Mar 2025 14:13:25 +0000 Subject: [PATCH 5/9] Implement PR feedback --- Lib/test/test_ssl.py | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index fde44a00dec09e..d03590c34aeeb6 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -4037,16 +4037,15 @@ def test_dh_params(self): # Check we can get a connection with ephemeral finite-field Diffie- # Hellman (if supported). client_context, server_context, hostname = testing_context() - dhe_aliases = ["ADH", "EDH", "DHE"] - def supports_dhe(ctx, aliases) -> bool: + dhe_aliases = {"ADH", "EDH", "DHE"} + def supports_dhe(ctx) -> bool: for cipher in ctx.get_ciphers(): - for alias in aliases: - if alias in cipher: + for alias in dhe_aliases: + if f"Kx={alias}" in cipher['description']: return True return False - if not (supports_dhe(client_context, dhe_aliases) and - supports_dhe(server_context, dhe_aliases)): - self.skipTest("libssl doesn't support (finite-field) DHE") + if not (supports_dhe(client_context) and supports_dhe(server_context)): + self.skipTest("libssl doesn't support ephemeral DH") # test scenario needs TLS <= 1.2 client_context.maximum_version = ssl.TLSVersion.TLSv1_2 server_context.load_dh_params(DHFILE) @@ -4056,8 +4055,8 @@ def supports_dhe(ctx, aliases) -> bool: chatty=True, connectionchatty=True, sni_name=hostname) cipher = stats["cipher"][0] - parts = cipher.split("-") - if all(a not in parts for a in aliases): + parts = set(cipher.split("-")) + if not dhe_aliases.intersection(parts): self.fail("Non-DH key exchange: " + cipher[0]) def test_ecdh_curve(self): From 73146a83b3f5a651178b15008180be7a4826a3be Mon Sep 17 00:00:00 2001 From: Will Childs-Klein Date: Thu, 13 Mar 2025 10:13:53 -0400 Subject: [PATCH 6/9] Update Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> --- .../next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst b/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst index d218d02e374b1c..53096738619cff 100644 --- a/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst +++ b/Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst @@ -1 +1 @@ -Some cryptography TLS libraries lack support for "finite field" ephemeral Diffie-Hellman (FFDHE) TLS ciphersuites. This issue proposes modifying ``test_ssl``'s ``test_dh_params`` to skip itself if the underlying TLS library does not support FFDHE. +``test_ssl.test_dh_params`` is skipped if the underlying TLS library does not support finite-field ephemeral Diffie-Hellman. From 9bf7e6c74b205b20721933d909f59042324ac78d Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Thu, 13 Mar 2025 14:54:53 +0000 Subject: [PATCH 7/9] Revert parts to a list --- Lib/test/test_ssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index d03590c34aeeb6..e174b92ac4b04f 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -4055,7 +4055,7 @@ def supports_dhe(ctx) -> bool: chatty=True, connectionchatty=True, sni_name=hostname) cipher = stats["cipher"][0] - parts = set(cipher.split("-")) + parts = cipher.split("-") if not dhe_aliases.intersection(parts): self.fail("Non-DH key exchange: " + cipher[0]) From 7a8375ad4a9deeeb6a1529af97e4210e8cd39f33 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Fri, 28 Mar 2025 18:42:55 +0000 Subject: [PATCH 8/9] Extract supports_kx_aliases test util --- Lib/test/test_ssl.py | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 0293f6d9b74bd2..383e8f9e8bed0c 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -2782,6 +2782,14 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success, % (expect_success, stats['version'])) +def supports_kx_alias(ctx, aliases): + for cipher in ctx.get_ciphers(): + for alias in aliases: + if f"Kx={alias}" in cipher['description']: + return True + return False + + class ThreadedTests(unittest.TestCase): @support.requires_resource('walltime') @@ -4042,17 +4050,12 @@ def test_no_legacy_server_connect(self): sni_name=hostname) def test_dh_params(self): - # Check we can get a connection with ephemeral finite-field Diffie- - # Hellman (if supported). + # Check we can get a connection with ephemeral finite-field + # Diffie-Hellman (if supported). client_context, server_context, hostname = testing_context() dhe_aliases = {"ADH", "EDH", "DHE"} - def supports_dhe(ctx) -> bool: - for cipher in ctx.get_ciphers(): - for alias in dhe_aliases: - if f"Kx={alias}" in cipher['description']: - return True - return False - if not (supports_dhe(client_context) and supports_dhe(server_context)): + if not (supports_kx_alias(client_context, dhe_aliases) and + supports_kx_alias(server_context, dhe_aliases)): self.skipTest("libssl doesn't support ephemeral DH") # test scenario needs TLS <= 1.2 client_context.maximum_version = ssl.TLSVersion.TLSv1_2 From 569cf555fbdf3bc0a50cc0b1e8bd36a189776ef2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9n=C3=A9dikt=20Tran?= <10796600+picnixz@users.noreply.github.com> Date: Sat, 29 Mar 2025 11:06:38 +0100 Subject: [PATCH 9/9] Update Lib/test/test_ssl.py --- Lib/test/test_ssl.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 383e8f9e8bed0c..b73028b1a93809 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -4054,8 +4054,8 @@ def test_dh_params(self): # Diffie-Hellman (if supported). client_context, server_context, hostname = testing_context() dhe_aliases = {"ADH", "EDH", "DHE"} - if not (supports_kx_alias(client_context, dhe_aliases) and - supports_kx_alias(server_context, dhe_aliases)): + if not (supports_kx_alias(client_context, dhe_aliases) + and supports_kx_alias(server_context, dhe_aliases)): self.skipTest("libssl doesn't support ephemeral DH") # test scenario needs TLS <= 1.2 client_context.maximum_version = ssl.TLSVersion.TLSv1_2