Feature or enhancement

Proposal:

Some cryptography TLS libraries, such asAWS-LC andBoringSSL, lack support for "finite field" ephemeral Diffie-Hellman (FFDHE) TLS ciphersuites. This causes failuretest_ssl.ThreadedTests.test_dh_params when CPython is build against such libraries, as that test case assumes ciphersuite support of FFDHE. This issue proposes modifyingtest_dh_params to skip itself if the underlying TLS library does not support FFDHE.

Has this already been discussed elsewhere?

I have already discussed this feature proposal on Discourse

Links to previous discussion of this feature:

This issue is very similar to a series of other test modifications discussed in

https://discuss.python.org/t/support-building-ssl-and-hashlib-modules-against-aws-lc/44505/13

Linked PRs

• gh-131050: Allow CPython test to handle TLS libraries lacking FFDHE ciphersuites #131051
• [3.13] gh-131050: skiptest_dh_params when TLS library lacks FFDHE ciphersuites (GH-131051) #131874
• [3.12] gh-131050: skiptest_dh_params when TLS library lacks FFDHE ciphersuites (GH-131051) #131875