From 6a0c858a6f5860a1ecab23ef085a4d634aeeb994 Mon Sep 17 00:00:00 2001
From: Adam Shedivy
Date: Tue, 2 Jun 2026 18:39:27 -0500
Subject: [PATCH] fix(ssl): enforce TLS 1.2 minimum in get_certificate

CodeQL py/insecure-protocol (CWE-327) flagged the SSLContext used in get_certificate() because it did not explicitly forbid the broken TLSv1/TLSv1.1 protocols before wrapping the socket. Set context.minimum_version = ssl.TLSVersion.TLSv1_2 so only TLS 1.2+ is negotiated, per the alert's recommended remediation.

Resolves code scanning alert #2.
---
 mapepire_python/ssl.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mapepire_python/ssl.py b/mapepire_python/ssl.py
index a86f2a0..a2e02d1 100644
--- a/mapepire_python/ssl.py
+++ b/mapepire_python/ssl.py
@@ -7,6 +7,7 @@ def get_certificate(creds: DaemonServer) -> Optional[bytes]:
     context = ssl.create_default_context()
+    context.minimum_version = ssl.TLSVersion.TLSv1_2
     context.check_hostname = False
     context.verify_mode = ssl.CERT_NONE