From 92fdb490f8eba324726bcd42ed07141b4a84c88e Mon Sep 17 00:00:00 2001
From: Bob Halley <halley@dnspython.org>
Date: Thu, 17 Feb 2022 08:16:37 -0800
Subject: [PATCH] apply TLS minimums on 3.6 too

---
 dns/asyncquery.py | 2 ++
 dns/query.py      | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/dns/asyncquery.py b/dns/asyncquery.py
index e5a31839..13f687fb 100644
--- a/dns/asyncquery.py
+++ b/dns/asyncquery.py
@@ -335,6 +335,8 @@ async def tls(q, where, timeout=None, port=853, source=None, source_port=0,
             ssl_context = ssl.create_default_context()  # lgtm[py/insecure-protocol]
             if sys.version_info >= (3, 7):
                 ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+            else:
+                ssl_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
             if server_hostname is None:
                 ssl_context.check_hostname = False
         else:
diff --git a/dns/query.py b/dns/query.py
index 875fcc0f..19894df6 100644
--- a/dns/query.py
+++ b/dns/query.py
@@ -869,6 +869,8 @@ def tls(q, where, timeout=None, port=853, source=None, source_port=0,
         ssl_context = ssl.create_default_context()  # lgtm[py/insecure-protocol]
         if sys.version_info >= (3, 7):
             ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+        else:
+            ssl_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
         if server_hostname is None:
             ssl_context.check_hostname = False
 
-- 
2.47.3