Fix for Python 3.6 and lack of TLSv1.1

fantix · fantix · commit 2037e2d20b81 · 2021-09-14T19:24:29.000-04:00
diff --git a/asyncpg/connect_utils.py b/asyncpg/connect_utils.py
@@ -222,6 +222,10 @@ def _parse_hostlist(hostlist, port, *, unquote=False):
 
 
 def _parse_tls_version(tls_version):
+    if not hasattr(ssl_module, 'TLSVersion'):
+        raise ValueError(
+            "TLSVersion is not supported in this version of Python"
+        )
     if tls_version.startswith('SSL'):
         raise ValueError(
             f"Unsupported TLS version: {tls_version}"
@@ -552,13 +556,17 @@ def _parse_connect_dsn_and_args(*, dsn, host, port, user,
                 ssl.options &= ~ssl_module.OP_NO_COMPRESSION
 
             if ssl_min_protocol_version is None:
-                ssl_min_protocol_version = os.getenv(
-                    'PGSSLMINPROTOCOLVERSION', 'TLSv1.2'
-                )
+                ssl_min_protocol_version = os.getenv('PGSSLMINPROTOCOLVERSION')
             if ssl_min_protocol_version:
                 ssl.minimum_version = _parse_tls_version(
                     ssl_min_protocol_version
                 )
+            else:
+                try:
+                    ssl.minimum_version = _parse_tls_version('TLSv1.2')
+                except ValueError:
+                    # Python 3.6 does not have ssl.TLSVersion
+                    pass
 
             if ssl_max_protocol_version is None:
                 ssl_max_protocol_version = os.getenv('PGSSLMAXPROTOCOLVERSION')
diff --git a/tests/test_connect.py b/tests/test_connect.py
@@ -13,6 +13,7 @@
 import shutil
 import ssl
 import stat
+import sys
 import tempfile
 import textwrap
 import unittest
@@ -1340,13 +1341,13 @@ async def verify_fails(sslmode, *, host='localhost', exn_type):
             await verify_works('allow')
             await verify_works('prefer')
             await verify_fails('require',
-                               exn_type=ssl.CertificateError)
+                               exn_type=ssl.SSLError)
             await verify_fails('verify-ca',
-                               exn_type=ssl.CertificateError)
+                               exn_type=ssl.SSLError)
             await verify_fails('verify-ca', host='127.0.0.1',
-                               exn_type=ssl.CertificateError)
+                               exn_type=ssl.SSLError)
             await verify_fails('verify-full',
-                               exn_type=ssl.CertificateError)
+                               exn_type=ssl.SSLError)
 
     async def test_ssl_connection_default_context(self):
         # XXX: uvloop artifact
@@ -1410,6 +1411,9 @@ async def test_executemany_uvloop_ssl_issue_700(self):
             finally:
                 await con.close()
 
+    @unittest.skipIf(
+        sys.version_info < (3, 7), "Python < 3.7 doesn't have ssl.TLSVersion"
+    )
     async def test_tls_version(self):
         # XXX: uvloop artifact
         old_handler = self.loop.get_exception_handler()
@@ -1420,7 +1424,7 @@ async def test_tls_version(self):
                     dsn='postgresql://ssl_user@localhost/postgres'
                         '?sslmode=require&ssl_min_protocol_version=TLSv1.3'
                 )
-            with self.assertRaisesRegex(ssl.SSLError, 'protocol version'):
+            with self.assertRaises(ssl.SSLError):
                 await self.connect(
                     dsn='postgresql://ssl_user@localhost/postgres'
                         '?sslmode=require'
