New GitHub issue #95280 from tiran:<br>
<hr>
<pre>
# Bug report
The test case ``test_get_ciphers`` assumes that ``SSLContext.set_ciphers('AESGCM')`` adds the cipher suites ``AES256-GCM-SHA384`` and ``AES128-GCM-SHA256``. These are OpenSSL's names for AES-GCM with RSA key exchange and RSA authentication:
```
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
```
These are old, problematic ciphers suites that do not provide perfect forward secrecy. The ciphers are blocked by some crypto policies, e.g. FIPS 140-3. We should relax the tests a bit and check for variants with FFDH or ECDH key exchange, e.g. ``ECDHE-ECDSA-AES256-GCM-SHA384``, ``ECDHE-RSA-AES256-GCM-SHA384``, or ``DHE-RSA-AES256-GCM-SHA384``.
</pre>
<hr>
<a href="https://github.com/python/cpython/issues/95280">View on GitHub</a>
<p>Labels: type-bug, 3.11, 3.10, expert-SSL, 3.12</p>
<p>Assignee: </p>