From 49b1567a768eeca1fa395c98389f61224557790e Mon Sep 17 00:00:00 2001
From: Aaron McConnell
Date: Wed, 25 Jan 2023 14:57:54 -0500
Subject: [PATCH] Move to TLS client protocol for http connections

---
 duo_client/https_wrapper.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/duo_client/https_wrapper.py b/duo_client/https_wrapper.py
index 7122eef..eb37087 100644
--- a/duo_client/https_wrapper.py
+++ b/duo_client/https_wrapper.py
@@ -69,13 +69,15 @@ def __init__(self, host, port=None, key_file=None, cert_file=None,
         can't be parsed as a valid HTTP/1.0 or 1.1 status line.
         """
         six.moves.http_client.HTTPConnection.__init__(self, host, port, strict, **kwargs)
-        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
         if cert_file:
             context.load_cert_chain(cert_file, key_file)
         if ca_certs:
             context.verify_mode = ssl.CERT_REQUIRED
             context.load_verify_locations(cafile=ca_certs)
         else:
+            # Can't check hostnames if we're not requiring server certificates
+            context.check_hostname = False
             context.verify_mode = ssl.CERT_NONE
         ssl_version_blacklist = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
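Review bot: The `else` branch still turns off both hostname checking and certificate verification whenever `ca_certs` is omitted, so the switch to `PROTOCOL_TLS_CLIENT` only gains its secure-by-default behaviour when a caller passes a CA bundle; since the new context would otherwise verify against the system trust store, the docstring should say that omitting `ca_certs` disables server authentication entirely, e.g. `ca_certs: path to a CA bundle; if None, the server certificate and hostname are NOT verified.`, and a follow-up could use `context.load_default_certs()` with `CERT_REQUIRED` instead of `CERT_NONE` for the no-bundle case. The `check_hostname = False` line is correctly placed before `verify_mode = ssl.CERT_NONE`, since setting `CERT_NONE` while `check_hostname` is still True raises `ValueError`. `ssl.PROTOCOL_TLS_CLIENT` exists only on Python 3.6+, so if the `six.moves` usage on the line above means Python 2.7 is still supported this constructor will now raise `AttributeError` there. With `PROTOCOL_TLS_CLIENT` the trailing `ssl_version_blacklist = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` is redundant (SSLv2/v3 are never negotiated) and those `OP_NO_*` flags are deprecated since Python 3.10 in favour of `context.minimum_version = ssl.TLSVersion.TLSv1_2`. The rest of `__init__`, including where `ssl_version_blacklist` is applied, continues outside the hunk.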