From 977eec8a663bd9f62592c69d25a1e9ae6a1683af Mon Sep 17 00:00:00 2001
From: JonnyWong16 <9099342+JonnyWong16@users.noreply.github.com>
Date: Sun, 13 Nov 2022 00:19:02 -0800
Subject: [PATCH] Disable TLS 1.0 and TLS 1.1 in webserver
Fixes #1870
---
 plexpy/webstart.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/plexpy/webstart.py b/plexpy/webstart.py
index 59ae8608..a2d84ec0 100644
--- a/plexpy/webstart.py
+++ b/plexpy/webstart.py
@@ -16,6 +16,7 @@
 # along with Tautulli. If not, see .
 import os
+import ssl
 import sys
 import cherrypy
@@ -101,6 +102,17 @@ def initialize(options):
 options_dict['engine.autoreload.on'] = True
 if enable_https:
+ context = ssl.create_default_context(
+ purpose=ssl.Purpose.CLIENT_AUTH,
+ cafile=https_cert_chain
+ )
+ # Context options:
+ # PROTOCOL_TLS_SERVER | OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1 | OP_NO_TLSv1_1
+ context.options |= ssl.OP_NO_TLSv1
+ context.options |= ssl.OP_NO_TLSv1_1
+ context.load_cert_chain(https_cert, https_key)
+
+ options_dict['server.ssl_context'] = context
 options_dict['server.ssl_certificate'] = https_cert
 options_dict['server.ssl_certificate_chain'] = https_cert_chain
 options_dict['server.ssl_private_key'] = https_key
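Review bot: The protocol floor in the added `if enable_https:` block is set by OR-ing `ssl.OP_NO_TLSv1` and `ssl.OP_NO_TLSv1_1` into `context.options`, which the `ssl` module has deprecated since Python 3.7 in favour of `SSLContext.minimum_version`; if the supported interpreters allow it, `context.minimum_version = ssl.TLSVersion.TLSv1_2` states the intent in one line and does not depend on enumerating every old protocol. `context.load_cert_chain(https_cert, https_key)` and the `cafile=https_cert_chain` argument both raise on a missing or unreadable file, and the hunk does not show whether `initialize` has already validated those paths, so it is worth confirming that a bad path fails with a clear log message rather than an unhandled exception at startup. The legacy `server.ssl_certificate*` options are still set after `server.ssl_context`; presumably the context takes precedence with the builtin SSL adapter, but that should be confirmed for any other configured SSL module, since otherwise TLS 1.0/1.1 would stay enabled there. The body of `initialize` starts and ends outside the hunk.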