From 8cac2e55c000b175a118ec6e6a3f0623b302c50c Mon Sep 17 00:00:00 2001
From: Daniel Mach
Date: Thu, 13 Oct 2022 15:15:04 +0200
Subject: [PATCH] Mute ssl/tls deprecation warnings

ssl.OP_NO_SSLv2 - removed, because it's deprecated since py3.6
ssl.OP_NO_SSLv3 - removed, because it's deprecated since py3.6
ssl.OP_NO_TLSv1 - enabled only on py3.6, because it's deprecated since py3.7
ssl.OP_NO_TLSv1_1 - enabled only on py3.6, because it's deprecated since py3.7
---
 osc/oscssl.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/osc/oscssl.py b/osc/oscssl.py
index b502bdca..50778ec1 100644
--- a/osc/oscssl.py
+++ b/osc/oscssl.py
@@ -28,10 +28,15 @@ def create_ssl_context():
 but we restrict crypto even more.
 """
 ssl_context = create_urllib3_context()
- ssl_context.options |= ssl.OP_NO_SSLv2
- ssl_context.options |= ssl.OP_NO_SSLv3
- ssl_context.options |= ssl.OP_NO_TLSv1
- ssl_context.options |= ssl.OP_NO_TLSv1_1
+ # we consider anything older than TLSv1_2 insecure
+ if sys.version_info <= (3, 6):
+ # deprecated since py3.7
+ ssl_context.options |= ssl.OP_NO_TLSv1
+ ssl_context.options |= ssl.OP_NO_TLSv1_1
+ else:
+ # raise minimum version if too low
+ if ssl_context.minimum_version < ssl.TLSVersion.TLSv1_2:
+ ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
 return ssl_context
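Review bot: The guard `if sys.version_info <= (3, 6):` never matches a Python 3.6 interpreter, because `sys.version_info` is a five-element tuple and a value such as `(3, 6, 15, 'final', 0)` compares greater than `(3, 6)`. On 3.6 the `else` branch therefore runs and reads `ssl_context.minimum_version` and `ssl.TLSVersion`, both added in Python 3.7, so creating the context would raise AttributeError rather than apply the `OP_NO_TLSv1` / `OP_NO_TLSv1_1` options. Compare only major and minor: `if sys.version_info[:2] <= (3, 6):`. The hunk does not show an `import sys`, and the body of create_ssl_context starts above it, so confirm the module already imports `sys`.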