@@ -37,13 +37,33 @@ def __init__(self, client_cert=None, ca_cert=None, verify=None,
3737 self .assert_hostname = assert_hostname
3838 self .assert_fingerprint = assert_fingerprint
3939
40- # TLS v1.0 seems to be the safest default; SSLv23 fails in mysterious
41- # ways: https://github.com/docker/docker-py/issues/963
42-
43- self .ssl_version = ssl_version or ssl .PROTOCOL_TLSv1
44-
45- # "tls" and "tls_verify" must have both or neither cert/key files
46- # In either case, Alert the user when both are expected, but any are
40+ # TODO(dperny): according to the python docs, PROTOCOL_TLSvWhatever is
41+ # depcreated, and it's recommended to use OPT_NO_TLSvWhatever instead
42+ # to exclude versions. But I think that might require a bigger
43+ # architectural change, so I've opted not to pursue it at this time
44+
45+ # If the user provides an SSL version, we should use their preference
46+ if ssl_version :
47+ self .ssl_version = ssl_version
48+ else :
49+ # If the user provides no ssl version, we should default to
50+ # TLSv1_2. This option is the most secure, and will work for the
51+ # majority of users with reasonably up-to-date software. However,
52+ # before doing so, detect openssl version to ensure we can support
53+ # it.
54+ if ssl .OPENSSL_VERSION_INFO [:3 ] >= (1 , 0 , 1 ) and hasattr (
55+ ssl , 'PROTOCOL_TLSv1_2' ):
56+ # If the OpenSSL version is high enough to support TLSv1_2,
57+ # then we should use it.
58+ self .ssl_version = getattr (ssl , 'PROTOCOL_TLSv1_2' )
59+ else :
60+ # Otherwise, TLS v1.0 seems to be the safest default;
61+ # SSLv23 fails in mysterious ways:
62+ # https://github.com/docker/docker-py/issues/963
63+ self .ssl_version = ssl .PROTOCOL_TLSv1
64+
65+ # "tls" and "tls_verify" must have both or neither cert/key files In
66+ # either case, Alert the user when both are expected, but any are
4767 # missing.
4868
4969 if client_cert :
0 commit comments