From a972f5249c2940feec3759d88d3c88a1483b8627 Mon Sep 17 00:00:00 2001
From: Chris Kelley
Date: Wed, 26 Jul 2023 13:46:10 +0100
Subject: [PATCH] Replace deprecated ssl.PROTOCOL_TLS in pki/client.py

Resolves #4512
---
 base/common/python/pki/client.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
index 9b476a73e04..64c72a01dd1 100644
--- a/base/common/python/pki/client.py
+++ b/base/common/python/pki/client.py
@@ -95,9 +95,12 @@ def __init__(self, pool_connections=DEFAULT_POOLSIZE,
 def init_poolmanager(self, connections, maxsize,
 block=adapters.DEFAULT_POOLBLOCK, **pool_kwargs):
- context = ssl.SSLContext(
- ssl.PROTOCOL_TLS # pylint: disable=no-member
- )
+
+ if hasattr(ssl, "PROTOCOL_TLS_CLIENT"):
+ tls_version = ssl.PROTOCOL_TLS_CLIENT
+ else:
+ tls_version = ssl.PROTOCOL_TLS
+ context = ssl.SSLContext(tls_version)
 # Enable post handshake authentication for TLS 1.3
 if getattr(context, "post_handshake_auth", None) is not None:
@@ -116,9 +119,11 @@ def init_poolmanager(self, connections, maxsize,
 for capath in self.capaths:
 context.load_verify_locations(capath=capath)
- if self.verify:
- # Enable certificate verification
- context.verify_mode = ssl.VerifyMode.CERT_REQUIRED # pylint: disable=no-member
+ if not self.verify:
+ # Disable certificate verification
+ context.verify_mode = ssl.VerifyMode.CERT_OPTIONAL # pylint: disable=no-member
+ # Disable check_hostname
+ context.check_hostname = False
 pool_kwargs['ssl_context'] = context
 return super().init_poolmanager(
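Review bot: The `else` branch falls back to `ssl.PROTOCOL_TLS`, whose context starts with `CERT_NONE` and `check_hostname` off, while the second hunk removes the explicit `CERT_REQUIRED` assignment. On an interpreter without `PROTOCOL_TLS_CLIENT`, a connection with `self.verify` true would therefore no longer validate the server certificate, unless a later layer resets the mode. Either drop the fallback (the constant has existed since Python 3.6) or set the mode explicitly after construction when `self.verify` is true, with `context.check_hostname = True` and `context.verify_mode = ssl.CERT_REQUIRED`. A comment above the `hasattr` check, such as `# PROTOCOL_TLS_CLIENT supplies CERT_REQUIRED and check_hostname=True by default`, would keep that dependency visible. `init_poolmanager` continues past the end of this hunk.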
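Review bot: The comment `# Disable certificate verification` does not match `CERT_OPTIONAL`, because the Python `ssl` documentation says that in client mode `CERT_OPTIONAL` means the same as `CERT_REQUIRED`. With `self.verify` false the chain is still validated and only host name matching is turned off, so a certificate chaining to any loaded CA is accepted for any host name. If the option is meant to keep chain validation, reword the comment to `# Keep chain validation, skip host name matching`. If it is meant to switch validation off entirely, say so and keep `context.check_hostname = False` ahead of the `verify_mode` assignment, since the `ssl` module rejects `CERT_NONE` while host name checking is on. A logged warning on this branch would make weakened connections visible to operators; `init_poolmanager` begins before this hunk and ends after it.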