use context.minimum_version in py3.7+ where available (#1714)

diff --git a/httpx/_compat.py b/httpx/_compat.py
index 98a3e37b824e9f98ba506d567ec9a8608eb1e252..0eeeef1988a4899e31ac2d198975b0a31a174ce7 100644 (file)
--- a/httpx/_compat.py
+++ b/httpx/_compat.py
@@ -14,11 +14,19 @@ except ImportError:
 
 
 def set_minimum_tls_version_1_2(context: ssl.SSLContext) -> None:
-    if sys.version_info >= (3, 10):
+    if sys.version_info >= (3, 10) or (
+        sys.version_info >= (3, 7) and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0, 7)
+    ):
+        # The OP_NO_SSL* and OP_NO_TLS* become deprecated in favor of
+        # 'SSLContext.minimum_version' from Python 3.7 onwards, however
+        # this attribute is not available unless the ssl module is compiled
+        # with OpenSSL 1.1.0g or newer.
+        # https://docs.python.org/3.10/library/ssl.html#ssl.SSLContext.minimum_version
+        # https://docs.python.org/3.7/library/ssl.html#ssl.SSLContext.minimum_version
         context.minimum_version = ssl.TLSVersion.TLSv1_2
     else:
-        # These become deprecated in favor of 'context.minimum_version'
-        # from Python 3.10 onwards.
+        # If 'minimum_version' isn't available, we configure these options with
+        # the older deprecated variants.
         context.options |= ssl.OP_NO_SSLv2
         context.options |= ssl.OP_NO_SSLv3
         context.options |= ssl.OP_NO_TLSv1