Skip to content

test_ssl test_get_ciphers fails on systems without RSA key exchange #95280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tiran opened this issue Jul 26, 2022 · 0 comments
Closed

test_ssl test_get_ciphers fails on systems without RSA key exchange #95280

tiran opened this issue Jul 26, 2022 · 0 comments
Labels
3.10 only security fixes 3.11 only security fixes 3.12 only security fixes topic-SSL type-bug An unexpected behavior, bug, or error

Comments

@tiran
Copy link
Member

tiran commented Jul 26, 2022

Bug report

The test case test_get_ciphers assumes that SSLContext.set_ciphers('AESGCM') adds the cipher suites AES256-GCM-SHA384 and AES128-GCM-SHA256. These are OpenSSL's names for AES-GCM with RSA key exchange and RSA authentication:

AES256-GCM-SHA384              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256)            Mac=AEAD
AES128-GCM-SHA256              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(128)            Mac=AEAD

These are old, problematic ciphers suites that do not provide perfect forward secrecy. The ciphers are blocked by some crypto policies, e.g. FIPS 140-3. We should relax the tests a bit and check for variants with FFDH or ECDH key exchange, e.g. ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, or DHE-RSA-AES256-GCM-SHA384.
@tiran tiran added type-bug An unexpected behavior, bug, or error 3.11 only security fixes 3.10 only security fixes topic-SSL 3.12 only security fixes labels Jul 26, 2022
tiran added a commit to tiran/cpython that referenced this issue Jul 26, 2022
@tiran
pythongh-95280: Fix test_get_ciphers on systems without RSA key exchange
63d60d0
This was referenced Jul 26, 2022
Merged
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jul 27, 2022
@tiran @miss-islington
pythongh-95280: Fix test_get_ciphers on systems without RSA key excha…
3ccbf41 
…nge (pythonGH-95282)

(cherry picked from commit 5654030)

Co-authored-by: Christian Heimes <[email protected]>
tiran added a commit that referenced this issue Jul 27, 2022
@tiran
gh-95280: Fix test_get_ciphers on systems without RSA key exchange (G…
5654030 
…H-95282)
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jul 27, 2022
@tiran @miss-islington
pythongh-95280: Fix test_get_ciphers on systems without RSA key excha…
75e7707 
…nge (pythonGH-95282)

(cherry picked from commit 5654030)

Co-authored-by: Christian Heimes <[email protected]>
@bedevere-bot bedevere-bot mentioned this issue Jul 27, 2022
Merged
miss-islington added a commit that referenced this issue Jul 27, 2022
@miss-islington @tiran
gh-95280: Fix test_get_ciphers on systems without RSA key exchange (G…
b77c403 
…H-95282)

(cherry picked from commit 5654030)

Co-authored-by: Christian Heimes <[email protected]>
tiran added a commit that referenced this issue Jul 27, 2022
@miss-islington @tiran
[3.11] gh-95280: Fix test_get_ciphers on systems without RSA key exch…
131fc72 
…ange (GH-95282) (GH-95310)

Co-authored-by: Christian Heimes <[email protected]>
@tiran tiran closed this as completed Jul 27, 2022
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jul 27, 2022
@tiran @miss-islington
pythongh-95280: Fix test_get_ciphers on systems without RSA key excha…
bea2e58 
…nge (pythonGH-95282)

(cherry picked from commit 5654030)

Co-authored-by: Christian Heimes <[email protected]>
@bedevere-bot bedevere-bot mentioned this issue Jul 27, 2022
Merged
ambv pushed a commit that referenced this issue Jul 29, 2022
@miss-islington @tiran
gh-95280: Fix test_get_ciphers on systems without RSA key exchange (G…
03dc951 
…H-95282) (GH-95323)

(cherry picked from commit 5654030)

Co-authored-by: Christian Heimes <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.10 only security fixes 3.11 only security fixes 3.12 only security fixes topic-SSL type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tiran