Description
Description of the false positive
LGTM currently suggests setting a specific protocol version in `SSLContext`, which has been deprecated in Python >= 3.6:

> `ssl.PROTOCOL_TLSv1_2`
> Selects TLS version 1.2 as the channel encryption protocol. This is the most modern version, and probably the best choice for maximum protection, if both sides can speak it. Available only with openssl version 1.0.1+.
> ...
> Deprecated since version 3.6: OpenSSL has deprecated all version specific protocols. Use the default protocol `PROTOCOL_TLS` with flags like `OP_NO_SSLv3` instead.
In addition, Python >= 3.7 deprecated the use of flags and introduced a new API:

> `ssl.OP_NO_TLSv1`
> Prevents a TLSv1 connection. This option is only applicable in conjunction with `PROTOCOL_TLS`. It prevents the peers from choosing TLSv1 as the protocol version.
> ...
> Deprecated since version 3.7: The option is deprecated since OpenSSL 1.1.0, use the new `SSLContext.minimum_version` and `SSLContext.maximum_version` instead.
I think that an updated rule should check for the presence of either `SSLContext.options` or `SSLContext.minimum_version`. Though, this might get a bit complex as all of those settings can be used together:

> The attributes `maximum_version`, `minimum_version` and `SSLContext.options` all affect the supported SSL and TLS versions of the context. The implementation does not prevent invalid combination. For example a context with `OP_NO_TLSv1_2` in options and `maximum_version` set to `TLSVersion.TLSv1_2` will not be able to establish a TLS 1.2 connection.
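As an added example (not part of this issue, of LGTM's rule, or of CPython), the snippet below builds the context the rule should accept next to the conflicting combination quoted from the docs, and works out which TLS versions each can actually negotiate once `options`, `minimum_version` and `maximum_version` are applied together. The function names are my own.

```python
import ssl
import warnings

# Each TLS version with the legacy OP_NO_* flag that disables it and the
# HAS_* flag saying whether this OpenSSL build supports it at all.
_VERSIONS = [
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1, ssl.HAS_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1, ssl.HAS_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2, ssl.HAS_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3, ssl.HAS_TLSv1_3),
]


def modern_client_context() -> ssl.SSLContext:
    """What the rule should accept: no version-specific PROTOCOL_* constant,
    no OP_NO_* flags, just minimum_version on a PROTOCOL_TLS_CLIENT context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # cert + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_conflicting_context() -> ssl.SSLContext:
    """The invalid combination from the docs: OP_NO_TLSv1_2 in options while
    maximum_version is TLSv1_2. Warnings are silenced only because this
    deliberately reproduces the deprecated API."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
        ctx.options |= ssl.OP_NO_TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiable_versions(ctx: ssl.SSLContext) -> list:
    """TLS versions ctx can still negotiate after options and
    minimum_version/maximum_version are combined."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    allowed = []
    for version, no_flag, supported in _VERSIONS:
        if not supported or ctx.options & no_flag:
            continue
        # The sentinels are negative ints, so test them before comparing.
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        allowed.append(version)
    return allowed


def has_conflict(ctx: ssl.SSLContext) -> bool:
    """True when an explicit minimum_version or maximum_version is itself
    ruled out by an OP_NO_* flag, the case the docs warn about."""
    allowed = negotiable_versions(ctx)
    sentinels = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED)
    explicit = [v for v in (ctx.minimum_version, ctx.maximum_version) if v not in sentinels]
    return any(v not in allowed for v in explicit)
```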
URL to the alert on the project page on LGTM.com