gh-137197: Rework test cases

This commit reworks the set_ciphersuites() test cases, moving them into
their own class to avoid any changes to existing tests. It also makes
the cipher selection dynamic to avoid potentially trying to use a cipher
not available in some environments.

Author: ronf

Lib/test/test_ssl.py

@@ -1868,10 +1868,6 @@ class SimpleBackgroundTests(unittest.TestCase):
 
     def setUp(self):
         self.server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-
-        if has_tls_version('TLSv1_3'):
-            self.server_context.set_ciphersuites('TLS_AES_256_GCM_SHA384')
-
         self.server_context.load_cert_chain(SIGNED_CERTFILE)
         server = ThreadedEchoServer(context=self.server_context)
         self.enterContext(server)
@@ -2118,33 +2114,6 @@ def test_ciphers(self):
                                     cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
                 s.connect(self.server_addr)
 
-    @requires_tls_version('TLSv1_3')
-    def test_ciphersuites(self):
-        # Test successful TLS 1.3 handshake
-        with test_wrap_socket(socket.socket(socket.AF_INET),
-                              cert_reqs=ssl.CERT_NONE,
-                              ciphersuites="TLS_AES_256_GCM_SHA384",
-                              min_version=ssl.TLSVersion.TLSv1_3) as s:
-            s.connect(self.server_addr)
-            self.assertEqual(s.cipher(),
-                             ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256))
-
-        # Test mismatched TLS 1.3 cipher suites
-        with test_wrap_socket(socket.socket(socket.AF_INET),
-                              cert_reqs=ssl.CERT_NONE,
-                              ciphersuites="TLS_AES_128_GCM_SHA256",
-                              min_version=ssl.TLSVersion.TLSv1_3) as s:
-            with self.assertRaises(ssl.SSLError):
-                s.connect(self.server_addr)
-
-        # Test unrecognized TLS 1.3 cipher suite name
-        with self.assertRaisesRegex(ssl.SSLError,
-                                    "No cipher suite can be selected"):
-            with socket.socket(socket.AF_INET) as sock:
-                s = test_wrap_socket(sock, cert_reqs=ssl.CERT_NONE,
-                                     ciphersuites="XXX",
-                                     min_version=ssl.TLSVersion.TLSv1_3)
-
     def test_get_ca_certs_capath(self):
         # capath certs are loaded on request
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
@@ -2274,6 +2243,53 @@ def test_transport_eof(self):
             self.assertRaises(ssl.SSLEOFError, sslobj.read)
 
 
+@requires_tls_version('TLSv1_3')
+class SimpleBackgroundTestsTLS_1_3(unittest.TestCase):
+    """Tests that connect to a simple server running in the background"""
+
+    def setUp(self):
+        ciphers = [cipher['name'] for cipher in ctx.get_ciphers()
+                   if cipher['protocol'] == 'TLSv1.3']
+
+        self.matching_cipher = ciphers[0]
+        self.mismatched_cipher = ciphers[-1]
+
+        self.server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        self.server_context.set_ciphersuites(self.matching_cipher)
+        self.server_context.load_cert_chain(SIGNED_CERTFILE)
+        server = ThreadedEchoServer(context=self.server_context)
+        self.enterContext(server)
+        self.server_addr = (HOST, server.port)
+
+    def test_ciphersuites(self):
+        # Test unrecognized TLS 1.3 cipher suite name
+        with self.assertRaisesRegex(ssl.SSLError,
+                                    "No cipher suite can be selected"):
+            with socket.socket(socket.AF_INET) as sock:
+                s = test_wrap_socket(sock, cert_reqs=ssl.CERT_NONE,
+                                     ciphersuites="XXX",
+                                     min_version=ssl.TLSVersion.TLSv1_3)
+
+        # Test successful TLS 1.3 handshake
+        with test_wrap_socket(socket.socket(socket.AF_INET),
+                              cert_reqs=ssl.CERT_NONE,
+                              ciphersuites=self.matching_cipher,
+                              min_version=ssl.TLSVersion.TLSv1_3) as s:
+            s.connect(self.server_addr)
+            self.assertEqual(s.cipher()[0], self.matching_cipher)
+
+        # Test mismatched TLS 1.3 cipher suites
+        if self.matching_client != self.mismatched_cipher:
+            with test_wrap_socket(socket.socket(socket.AF_INET),
+                                  cert_reqs=ssl.CERT_NONE,
+                                  ciphersuites=self.mismatched_cipher,
+                                  min_version=ssl.TLSVersion.TLSv1_3) as s:
+                with self.assertRaises(ssl.SSLError):
+                    s.connect(self.server_addr)
+        else:
+            self.skipTest("Multiple TLS 1.3 ciphers are not available")
+
+
 @support.requires_resource('network')
 class NetworkedTests(unittest.TestCase):