From 311fac5feaadd2dfc69967d9c3a391052b3ab38b Mon Sep 17 00:00:00 2001
From: Timo Pollmeier
Date: Fri, 12 May 2023 10:17:38 +0200
Subject: [PATCH] Change: Set TLS minimum version, avoid version protocols
TLS connections now require TLS 1.2 as the minimum version whether certificate files are given or not. Also, the deprecated version specific protocol for TLS 1.2 is no longer used. This changes prevents possible security issues from allowing connections with older, less secure TLS versions.
---
 gvm/connections.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/gvm/connections.py b/gvm/connections.py
index f922b5662..576888a6c 100644
--- a/gvm/connections.py
+++ b/gvm/connections.py
@@ -494,8 +494,13 @@ def _new_socket(self):
 keyfile=self.keyfile,
 password=self.password,
 )
+ context.minimum_version = ssl.TLSVersion.TLSv1_2
 else:
- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ context.minimum_version = ssl.TLSVersion.TLSv1_2
+ context.check_hostname = False
+ context.verify_mode = ssl.CERT_NONE
+
 sock = context.wrap_socket(transport_socket, server_side=False)
 sock.settimeout(self._timeout)
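Review bot: The `else` branch still leaves the server unauthenticated: with `context.check_hostname = False` and `context.verify_mode = ssl.CERT_NONE`, raising `minimum_version` to TLS 1.2 guards against old protocol versions but not against an active man-in-the-middle presenting an arbitrary certificate. This appears to preserve what `ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)` did before (no verification by default), but `PROTOCOL_TLS_CLIENT` verifies by default, so the explicit opt-out deserves a comment such as `# No cert/CA files given: peer certificate and hostname are NOT verified; check_hostname must be disabled before verify_mode = CERT_NONE`. Consider also logging a warning on this path so operators notice that the connection is encrypted but unverified. `_new_socket` begins and ends outside the hunk, so how the certificate branch configures verification cannot be judged from here.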