Bug report
The test case test_get_ciphers assumes that SSLContext.set_ciphers('AESGCM') adds the cipher suites AES256-GCM-SHA384 and AES128-GCM-SHA256. These are OpenSSL's names for AES-GCM with RSA key exchange and RSA authentication:
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
These are old, problematic ciphers suites that do not provide perfect forward secrecy. The ciphers are blocked by some crypto policies, e.g. FIPS 140-3. We should relax the tests a bit and check for variants with FFDH or ECDH key exchange, e.g. ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, or DHE-RSA-AES256-GCM-SHA384.
Bug report
The test case
test_get_ciphersassumes thatSSLContext.set_ciphers('AESGCM')adds the cipher suitesAES256-GCM-SHA384andAES128-GCM-SHA256. These are OpenSSL's names for AES-GCM with RSA key exchange and RSA authentication:These are old, problematic ciphers suites that do not provide perfect forward secrecy. The ciphers are blocked by some crypto policies, e.g. FIPS 140-3. We should relax the tests a bit and check for variants with FFDH or ECDH key exchange, e.g.
ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384, orDHE-RSA-AES256-GCM-SHA384.