Default SSLContext -> PROTOCOL_TLS_CLIENT; minimum version TLS 1.2 (#2807)

Author: dpkp

kafka/conn.py

@@ -458,9 +458,8 @@ def _wrap_ssl(self):
         assert self.config['security_protocol'] in ('SSL', 'SASL_SSL')
         if self._ssl_context is None:
             log.debug('%s: configuring default SSL Context', self)
-            self._ssl_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)  # pylint: disable=no-member
-            self._ssl_context.options |= ssl.OP_NO_SSLv2  # pylint: disable=no-member
-            self._ssl_context.options |= ssl.OP_NO_SSLv3  # pylint: disable=no-member
+            self._ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+            self._ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
             self._ssl_context.verify_mode = ssl.CERT_OPTIONAL
             if self.config['ssl_check_hostname']:
                 self._ssl_context.check_hostname = True
@@ -483,7 +482,6 @@ def _wrap_ssl(self):
                     raise RuntimeError('This version of Python does not support ssl_crlfile!')
                 log.info('%s: Loading SSL CRL from %s', self, self.config['ssl_crlfile'])
                 self._ssl_context.load_verify_locations(self.config['ssl_crlfile'])
-                # pylint: disable=no-member
                 self._ssl_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
             if self.config['ssl_ciphers']:
                 log.info('%s: Setting SSL Ciphers: %s', self, self.config['ssl_ciphers'])