From 3766e2cc603f02cf213e6303b257eeaa7a9ed157 Mon Sep 17 00:00:00 2001
From: Bob Halley
Date: Thu, 17 Feb 2022 07:23:51 -0800
Subject: [PATCH] set a minimum TLS version when we can

---
 dns/asyncquery.py | 3 +++
 dns/query.py | 13 ++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/dns/asyncquery.py b/dns/asyncquery.py
index 826b8cfa..e5a31839 100644
--- a/dns/asyncquery.py
+++ b/dns/asyncquery.py
@@ -20,6 +20,7 @@
 import base64
 import socket
 import struct
+import sys
 import time
 
 import dns.asyncbackend
@@ -332,6 +333,8 @@ async def tls(q, where, timeout=None, port=853, source=None, source_port=0,
     if ssl_context is None:
         # See the comment about ssl.create_default_context() in query.py
         ssl_context = ssl.create_default_context()  # lgtm[py/insecure-protocol]
+        if sys.version_info >= (3, 7):
+            ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
         if server_hostname is None:
             ssl_context.check_hostname = False
     else:
diff --git a/dns/query.py b/dns/query.py
index 4434ede6..c399941b 100644
--- a/dns/query.py
+++ b/dns/query.py
@@ -17,6 +17,7 @@
 
 """Talk to a DNS server."""
 
+import base64
 import contextlib
 import enum
 import errno
@@ -24,8 +25,8 @@ import os
 import selectors
 import socket
 import struct
+import sys
 import time
-import base64
 import urllib.parse
 
 import dns.exception
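Review bot: The TLS 1.2 floor set after `ssl.create_default_context()` in the asyncquery.py hunk, and identically in the query.py `tls()` hunk that follows, applies only to the context dnspython builds itself; a caller-supplied `ssl_context` is used unchanged, so the `tls()` docstrings (outside both hunks) should state that the caller then owns the minimum version, e.g. `ssl_context: if supplied it is used as-is, including its minimum_version; the TLS 1.2 floor is only applied to the context created here when none is given`. On Python 3.6, where `ssl.TLSVersion` does not exist, the guard skips the assignment and the floor is whatever the platform default permits, which is exactly the case the LGTM comment describes, so that limitation belongs in the same docstring. As a style point, the create-context / set-floor / `check_hostname` sequence is now duplicated across the two modules and asyncquery's comment already has to point at query.py's; a small shared helper in query.py that asyncquery calls (if asyncquery already imports `dns.query`) keeps the policy in one place. `tls()` starts before and ends after the hunk in both files.
```python
def _make_dot_ssl_context(server_hostname):
    """Build the SSL context used for DNS-over-TLS when the caller supplied none.

    The TLS 1.2 floor can only be set on Python >= 3.7, where ssl.TLSVersion
    was added; on older interpreters the platform default applies.
    """
    ssl_context = ssl.create_default_context()  # lgtm[py/insecure-protocol]
    if sys.version_info >= (3, 7):
        ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
    if server_hostname is None:
        ssl_context.check_hostname = False
    return ssl_context


# … unchanged: tls() signature, docstring and timeout handling …
    if ssl_context is None and not sock:
        ssl_context = _make_dot_ssl_context(server_hostname)
```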
@@ -860,11 +861,13 @@ def tls(q, where, timeout=None, port=853, source=None, source_port=0,
     if ssl_context is None and not sock:
         # LGTM complains about this because the default might permit TLS < 1.2
         # for compatibility, but the python documentation says that explicit
-        # versioning is deprecated. and that as of python 3.6 it will negotiate
-        # the highest version possible. While we can set a minimum version,
-        # this isn't great either as we might set it lower than a future
-        # python version would.
+        # versioning is deprecated, and that as of python 3.6 it will negotiate
+        # the highest version possible. We also set a minimum version when we
+        # can, even though this might require a future dnspython release if that
+        # version becomes deprecated.
         ssl_context = ssl.create_default_context()  # lgtm[py/insecure-protocol]
+        if sys.version_info >= (3, 7):
+            ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
         if server_hostname is None:
             ssl_context.check_hostname = False
 
-- 
2.47.3
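Review bot: The rewritten comment in this hunk presents the explicit `minimum_version` as the only thing standing between dnspython and a pre-1.2 negotiation, but as far as I recall `ssl.create_default_context()` itself defaults `minimum_version` to TLS 1.2 from Python 3.10 onward, so the assignment is a backstop for 3.7–3.9 and redundant later; one sentence saying so would tell a future maintainer when it can safely go, e.g. `# Python >= 3.10 already defaults to a TLS 1.2 floor; the explicit assignment covers 3.7-3.9.` The comment's "might require a future dnspython release" clause would then also have a concrete trigger, the end of 3.9 support, rather than an open-ended deprecation. `tls()` continues past the end of the hunk.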