From: Bob Halley <halley@dnspython.org>
Date: Thu, 17 Feb 2022 16:16:37 +0000 (-0800)
Subject: apply TLS minimums on 3.6 too
X-Git-Tag: v2.3.0rc1~129
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92fdb490f8eba324726bcd42ed07141b4a84c88e;p=thirdparty%2Fdnspython.git

apply TLS minimums on 3.6 too
---

diff --git a/dns/asyncquery.py b/dns/asyncquery.py
index e5a31839..13f687fb 100644
--- a/dns/asyncquery.py
+++ b/dns/asyncquery.py
@@ -335,6 +335,8 @@ async def tls(q, where, timeout=None, port=853, source=None, source_port=0,
             ssl_context = ssl.create_default_context()  # lgtm[py/insecure-protocol]
             if sys.version_info >= (3, 7):
                 ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+            else:
+                ssl_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
             if server_hostname is None:
                 ssl_context.check_hostname = False
         else:
diff --git a/dns/query.py b/dns/query.py
index 875fcc0f..19894df6 100644
--- a/dns/query.py
+++ b/dns/query.py
@@ -869,6 +869,8 @@ def tls(q, where, timeout=None, port=853, source=None, source_port=0,
         ssl_context = ssl.create_default_context()  # lgtm[py/insecure-protocol]
         if sys.version_info >= (3, 7):
             ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+        else:
+            ssl_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
         if server_hostname is None:
             ssl_context.check_hostname = False