diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py
index 33b2ed7..1169775 100644
--- a/test/test_ssl/test_dhparam.py
+++ b/test/test_ssl/test_dhparam.py
@@ -61,32 +61,44 @@ def require_openssl(required_version):
 @require_openssl("1.0.2")
 def negotiate_cipher(sut_container, additional_params='', grep='Cipher is'):
     host = f"{sut_container.attrs['NetworkSettings']['IPAddress']}:443"
-    
-    return subprocess.check_output(
-        f"echo '' | openssl s_client -connect {host} -tls1_2 {additional_params} | grep '{grep}'",
-        shell=True
-    )
+
+    try:
+        # Enforce TLS 1.2 as newer versions don't support custom dhparam or ciphersuite preference.
+        # The empty `echo` is to provide `openssl` user input, so that the process exits: https://stackoverflow.com/a/28567565
+        # `shell=True` enables using a single string to execute as a shell command.
+        # `text=True` prevents the need to compare against byte strings.
+        # `stderr=subprocess.PIPE` removes the output to stderr being interleaved with test case status (output during exceptions).
+        return subprocess.check_output(
+            f"echo '' | openssl s_client -connect {host} -tls1_2 {additional_params} | grep '{grep}'",
+            shell=True,
+            text=True,
+            stderr=subprocess.PIPE,
+        )
+    except subprocess.CalledProcessError as e:
+        # Output a more helpful error, the original exception in this case isn't that helpful.
+        # `from None` to ignore undesired output from exception chaining.
+        raise Exception("Failed to process CLI request:\n" + e.stderr) from None
 
 
 def can_negotiate_dhe_ciphersuite(sut_container):
     r = negotiate_cipher(sut_container, "-cipher 'EDH'")
-    assert b"New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r
+    assert "New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r
 
     r2 = negotiate_cipher(sut_container, "-cipher 'EDH'", "Server Temp Key")
-    assert b"DH" in r2
+    assert "DH" in r2
 
 
 def cannot_negotiate_dhe_ciphersuite(sut_container):
     # Fail to negotiate a DHE cipher suite:
     r = negotiate_cipher(sut_container, "-cipher 'EDH'")
-    assert b"New, (NONE), Cipher is (NONE)\n" == r
+    assert "New, (NONE), Cipher is (NONE)\n" == r
 
     # Correctly establish a connection (TLS 1.2):
     r2 = negotiate_cipher(sut_container)
-    assert b"New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n" == r2
+    assert "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n" == r2
 
     r3 = negotiate_cipher(sut_container, grep="Server Temp Key")
-    assert b"X25519" in r3
+    assert "X25519" in r3
 
 
 # Parse array of container ENV, splitting at the `=` and returning the value, otherwise `None`