Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

test_ssl test_get_ciphers fails on systems without RSA key exchange #95280

Closed
Labels
3.10only security fixes3.11only security fixes3.12only security fixestopic-SSLtype-bugAn unexpected behavior, bug, or error
@tiran

Description

@tiran

Bug report

The test casetest_get_ciphers assumes thatSSLContext.set_ciphers('AESGCM') adds the cipher suitesAES256-GCM-SHA384 andAES128-GCM-SHA256. These are OpenSSL's names for AES-GCM with RSA key exchange and RSA authentication:

AES256-GCM-SHA384              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256)            Mac=AEADAES128-GCM-SHA256              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(128)            Mac=AEAD

These are old, problematic ciphers suites that do not provide perfect forward secrecy. The ciphers are blocked by some crypto policies, e.g. FIPS 140-3. We should relax the tests a bit and check for variants with FFDH or ECDH key exchange, e.g.ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384, orDHE-RSA-AES256-GCM-SHA384.

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.10only security fixes3.11only security fixes3.12only security fixestopic-SSLtype-bugAn unexpected behavior, bug, or error

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions

      [8]ページ先頭
      ©2009-2025 Movatter.jp