@@ -2716,10 +2716,7 @@ def test_check_hostname(self):
27162716 def test_ecc_cert (self ):
27172717 client_context = ssl .SSLContext (ssl .PROTOCOL_TLS_CLIENT )
27182718 client_context .load_verify_locations (SIGNING_CA )
2719- client_context .set_ciphers (
2720- 'TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:'
2721- 'ECDHE:ECDSA:!NULL:!aRSA'
2722- )
2719+ client_context .set_ciphers ('ECDHE:ECDSA:!NULL:!aRSA' )
27232720 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
27242721
27252722 server_context = ssl .SSLContext (ssl .PROTOCOL_TLS_SERVER )
@@ -3466,17 +3463,16 @@ def test_do_handshake_enotconn(self):
34663463 sock .do_handshake ()
34673464 self .assertEqual (cm .exception .errno , errno .ENOTCONN )
34683465
3469- def test_default_ciphers (self ):
3470- context = ssl .SSLContext (ssl .PROTOCOL_TLS )
3471- try :
3472- # Force a set of weak ciphers on our client context
3473- context .set_ciphers ("DES" )
3474- except ssl .SSLError :
3475- self .skipTest ("no DES cipher available" )
3476- with ThreadedEchoServer (CERTFILE ,
3477- ssl_version = ssl .PROTOCOL_TLS ,
3478- chatty = False ) as server :
3479- with context .wrap_socket (socket .socket ()) as s :
3466+ def test_no_shared_ciphers (self ):
3467+ client_context , server_context , hostname = testing_context ()
3468+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
3469+ client_context .options |= ssl .OP_NO_TLSv1_3
3470+ # Force different suites on client and master
3471+ client_context .set_ciphers ("AES128" )
3472+ server_context .set_ciphers ("AES256" )
3473+ with ThreadedEchoServer (context = server_context ) as server :
3474+ with client_context .wrap_socket (socket .socket (),
3475+ server_hostname = hostname ) as s :
34803476 with self .assertRaises (OSError ):
34813477 s .connect ((HOST , server .port ))
34823478 self .assertIn ("no shared cipher" , server .conn_errors [0 ])
@@ -3517,9 +3513,9 @@ def test_tls1_3(self):
35173513 with context .wrap_socket (socket .socket ()) as s :
35183514 s .connect ((HOST , server .port ))
35193515 self .assertIn (s .cipher ()[0 ], {
3520- 'TLS13-AES-256-GCM-SHA384 ' ,
3521- 'TLS13-CHACHA20-POLY1305-SHA256 ' ,
3522- 'TLS13-AES-128-GCM-SHA256 ' ,
3516+ 'TLS_AES_256_GCM_SHA384 ' ,
3517+ 'TLS_CHACHA20_POLY1305_SHA256 ' ,
3518+ 'TLS_AES_128_GCM_SHA256 ' ,
35233519 })
35243520 self .assertEqual (s .version (), 'TLSv1.3' )
35253521
@@ -3925,23 +3921,20 @@ def cb_wrong_return_type(ssl_sock, server_name, initial_context):
39253921
39263922 def test_shared_ciphers (self ):
39273923 client_context , server_context , hostname = testing_context ()
3928- if ssl .OPENSSL_VERSION_INFO >= (1 , 0 , 2 ):
3929- client_context .set_ciphers ("AES128:AES256" )
3930- server_context .set_ciphers ("AES256" )
3931- alg1 = "AES256"
3932- alg2 = "AES-256"
3933- else :
3934- client_context .set_ciphers ("AES:3DES" )
3935- server_context .set_ciphers ("3DES" )
3936- alg1 = "3DES"
3937- alg2 = "DES-CBC3"
3924+ client_context .set_ciphers ("AES128:AES256" )
3925+ server_context .set_ciphers ("AES256" )
3926+ expected_algs = [
3927+ "AES256" , "AES-256" ,
3928+ # TLS 1.3 ciphers are always enabled
3929+ "TLS_CHACHA20" , "TLS_AES" ,
3930+ ]
39383931
39393932 stats = server_params_test (client_context , server_context ,
39403933 sni_name = hostname )
39413934 ciphers = stats ['server_shared_ciphers' ][0 ]
39423935 self .assertGreater (len (ciphers ), 0 )
39433936 for name , tls_version , bits in ciphers :
3944- if not alg1 in name . split ( "-" ) and alg2 not in name :
3937+ if not any ( alg in name for alg in expected_algs ) :
39453938 self .fail (name )
39463939
39473940 def test_read_write_after_close_raises_valuerror (self ):
0 commit comments