From 2ccf414f4821387b0049017ca4a0d98c615acdba Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Wed, 27 Jul 2022 14:41:44 +0200
Subject: [PATCH] Fix test_get_ciphers in test_ssl.py for FIPS mode

---
 00329-fips.patch | 51 ++++++++++++++++++++++++++++++++++++++++++++++++
 python3.9.spec   |  6 +++++-
 2 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/00329-fips.patch b/00329-fips.patch
index 4170fe4..84aee1d 100644
--- a/00329-fips.patch
+++ b/00329-fips.patch
@@ -1,3 +1,54 @@
+From 3ccbf41ad18431fcb7e6e83cb4b6bf13c6c22f3e Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Wed, 27 Jul 2022 09:19:49 +0200
+Subject: [PATCH] gh-95280: Fix test_get_ciphers on systems without RSA key
+ exchange (GH-95282) (cherry picked from commit
+ 565403038b75eb64ea483b2757ba30769246d853)
+
+Co-authored-by: Christian Heimes <christian@python.org>
+---
+ Lib/test/test_ssl.py                             | 16 ++++++++++++++--
+ ...2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst |  2 ++
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst
+
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index 9f364fa4bbb6d..f97227b11bcde 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -1177,8 +1177,20 @@ def test_get_ciphers(self):
+         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+         ctx.set_ciphers('AESGCM')
+         names = set(d['name'] for d in ctx.get_ciphers())
+-        self.assertIn('AES256-GCM-SHA384', names)
+-        self.assertIn('AES128-GCM-SHA256', names)
++        expected = {
++            'AES128-GCM-SHA256',
++            'ECDHE-ECDSA-AES128-GCM-SHA256',
++            'ECDHE-RSA-AES128-GCM-SHA256',
++            'DHE-RSA-AES128-GCM-SHA256',
++            'AES256-GCM-SHA384',
++            'ECDHE-ECDSA-AES256-GCM-SHA384',
++            'ECDHE-RSA-AES256-GCM-SHA384',
++            'DHE-RSA-AES256-GCM-SHA384',
++        }
++        intersection = names.intersection(expected)
++        self.assertGreaterEqual(
++            len(intersection), 2, f"\ngot: {sorted(names)}\nexpected: {sorted(expected)}"
++        )
+ 
+     def test_options(self):
+         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+diff --git a/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst b/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst
+new file mode 100644
+index 0000000000000..523d9d5f2f8bf
+--- /dev/null
++++ b/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst
+@@ -0,0 +1,2 @@
++Fix problem with ``test_ssl`` ``test_get_ciphers`` on systems that require
++perfect forward secrecy (PFS) ciphers.
+
+
 From 37aa11f4c57e08bd3859c0de1c22f1d5296b6fdc Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Wed, 11 Aug 2021 16:51:03 +0200
diff --git a/python3.9.spec b/python3.9.spec
index 25bc03d..57e7008 100644
--- a/python3.9.spec
+++ b/python3.9.spec
@@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python
 
 
@@ -1810,6 +1810,10 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Mon Jul 25 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.13-3
+- Fix test_get_ciphers in test_ssl.py for FIPS mode
+Resolves: rhbz#2058233
+
 * Thu Jun 09 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.13-2
 - Security fix for CVE-2015-20107
 Resolves: rhbz#2075390