sslutil: properly detect which TLS versions are supported by the ssl module For the record, I contacted the CPython developers to remark that unconditionally defining ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 is problematic: https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316

sslutil: remove dead code (that failed if only TLS 1.0 is available) We ensure in setup.py that TLS 1.1 or TLS 1.2 is present.

config: remove unused hostsecurity.disabletls10warning config

sslutil: remove dead code (that downgraded default minimum TLS version) We ensure in setup.py that TLS 1.1 or TLS 1.2 is present.

sslutil: remove comment referring to unsupported legacy stacks

setup: require that Python has TLS 1.1 or TLS 1.2 This ensures that Mercurial never downgrades the minimum TLS version from TLS 1.1+ to TLS 1.0+ and enables us to remove that compatibility code. It is reasonable to expect that distributions having Python 2.7.9+ or having backported modern features to the ssl module (which we require) have a OpenSSL version supporting TLS 1.1 or TLS 1.2, as this is the main reason why distributions would want to backport these features. TLS 1.1 and TLS 1.2 are often either both enabled or both not enabled. However, both can be disabled independently, at least on current Python / OpenSSL versions. For the record, I contacted the CPython developers to remark that unconditionally defining ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 is problematic: https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316

sslutil: check for OpenSSL without TLS 1.0 support in one case It can only happen if supportedprotocols gets fixed to contain only correct items (see the FIXME above in the file).

sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available This case isn't very likely, but possible, especially if supportedprotocols gets fixed to contain only correct items (see the FIXME above in the file).

sslutil: add FIXME about supportedprotocols possibly containing too many items

sslutil: fix names of variables containing minimum protocol strings When working in this module, I found it very confusing that "protocol" as a variable name could mean either "minimum protocol string" or an exact version (as a string or ssl.PROTOCOL_* value). This patch prefixes variables of the former type with "minimum".