gh-131050: Allow CPython test to handle TLS libraries lacking FFDHE ciphersuites

Lib/test/test_ssl.py

@@ -4034,8 +4034,19 @@ def test_no_legacy_server_connect(self):
 
     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
     def test_dh_params(self):
-        # Check we can get a connection with ephemeral Diffie-Hellman
+        # Check we can get a connection with ephemeral finite-field Diffie-
+        # Hellman (if supported).
         client_context, server_context, hostname = testing_context()
+        dhe_aliases = ["ADH", "EDH", "DHE"]
+        def supports_dhe(ctx, aliases) -> bool:
+            for cipher in ctx.get_ciphers():
+                for alias in aliases:
+                    if alias in cipher:
+                        return True
+            return False
+        if not (supports_dhe(client_context, dhe_aliases) and
+                supports_dhe(server_context, dhe_aliases)):
+            self.skipTest("libssl doesn't support (finite-field) DHE")
         # test scenario needs TLS <= 1.2
         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
         server_context.load_dh_params(DHFILE)
@@ -4046,7 +4057,7 @@ def test_dh_params(self):
                                    sni_name=hostname)
         cipher = stats["cipher"][0]
         parts = cipher.split("-")
-        if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
+        if all(a not in parts for a in aliases):
             self.fail("Non-DH key exchange: " + cipher[0])
 
     def test_ecdh_curve(self):

Misc/NEWS.d/next/Tests/2025-03-10-18-58-03.gh-issue-131050.FMBAPN.rst

@@ -0,0 +1 @@
+Some cryptography TLS libraries lack support for "finite field" ephemeral Diffie-Hellman (FFDHE) TLS ciphersuites. This issue proposes modifying ``test_ssl``'s ``test_dh_params`` to skip itself if the underlying TLS library does not support FFDHE.