From 0af7556b94eac47041957f36e98e230650b56bbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?B=C3=A9n=C3=A9dikt=20Tran?= <10796600+picnixz@users.noreply.github.com>
Date: Tue, 5 Aug 2025 09:50:34 +0200
Subject: [PATCH 1/2] gh-136306: fix `test_ssl.ContextTests.test_set_groups` on FIPS builds (#137405)

X25519 is not a valid curve if OpenSSL is built with FIPS mode, and ignoring unknown groups in `SSL_CTX_set1_groups_list()` is only supported since OpenSSL 3.3, so we use two curves that are known to be FIPS-compliant, namely P-256 and P-384.
---
 Lib/test/test_ssl.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index c8939383c75d6d..b5263129baed3f 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -49,6 +49,7 @@
 HOST = socket_helper.HOST
 IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
 CAN_GET_SELECTED_OPENSSL_GROUP = ssl.OPENSSL_VERSION_INFO >= (3, 2)
+CAN_IGNORE_UNKNOWN_OPENSSL_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3, 3)
 CAN_GET_AVAILABLE_OPENSSL_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3, 5)
 PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
@@ -964,8 +965,14 @@ def test_get_ciphers(self):
 def test_set_groups(self):
 ctx = ssl.create_default_context()
- self.assertIsNone(ctx.set_groups('P-256:X25519'))
- self.assertRaises(ssl.SSLError, ctx.set_groups, 'P-256:xxx')
+ # We use P-256 and P-384 (FIPS 186-4) that are alloed by OpenSSL
+ # even if FIPS module is enabled. Ignoring unknown groups is only
+ # supported since OpenSSL 3.3.
+ self.assertIsNone(ctx.set_groups('P-256:P-384'))
+
+ self.assertRaises(ssl.SSLError, ctx.set_groups, 'P-256:foo')
+ if CAN_IGNORE_UNKNOWN_OPENSSL_GROUPS:
+ self.assertIsNone(ctx.set_groups('P-256:?foo'))
 @unittest.skipUnless(CAN_GET_AVAILABLE_OPENSSL_GROUPS,
 "OpenSSL version doesn't support getting groups")
From 7f416c867445dd94d11ee9df5f1a2d9d6eb8d883 Mon Sep 17 00:00:00 2001
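Review bot: The comment added above `ctx.set_groups('P-256:P-384')` in test_set_groups has a typo (`alloed`), and its last sentence, about ignoring unknown groups, describes the `?foo` check a few lines further down rather than the assertion it sits on. I would keep `# P-256 and P-384 (FIPS 186-4) are allowed by OpenSSL even when the FIPS module is enabled.` here and move `# The '?' prefix (ignore an unknown group) is only supported since OpenSSL 3.3.` directly above `if CAN_IGNORE_UNKNOWN_OPENSSL_GROUPS:`. The gated branch also leaves the behaviour of older libraries unpinned: if `'P-256:?foo'` is rejected there, as I would expect, an `else: self.assertRaises(ssl.SSLError, ctx.set_groups, 'P-256:?foo')` would document it, but that should be confirmed on a pre-3.3 build before it is added.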
From: Furkan Onder
Date: Tue, 5 Aug 2025 08:32:21 +0000
Subject: [PATCH 2/2] gh-137397: Skip test_os_open on NetBSD due to indefinite hang (#137398)

---
 Lib/test/_test_eintr.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Lib/test/_test_eintr.py b/Lib/test/_test_eintr.py
index 0ce42276bfe3d6..4a050792df73c4 100644
--- a/Lib/test/_test_eintr.py
+++ b/Lib/test/_test_eintr.py
@@ -380,6 +380,8 @@ def os_open(self, path):
 @unittest.skipIf(sys.platform == "darwin",
 "hangs under macOS; see bpo-25234, bpo-35363")
+ @unittest.skipIf(sys.platform.startswith('netbsd'),
+ "hangs on NetBSD; see gh-137397")
 def test_os_open(self):
 self._test_open("fd = os.open(path, os.O_RDONLY)\nos.close(fd)",
 self.os_open)