sslutil: properly detect which TLS versions are supported by the ssl module For the record, I contacted the CPython developers to remark that unconditionally defining ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 is problematic: https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316

sslutil: remove dead code (that failed if only TLS 1.0 is available) We ensure in setup.py that TLS 1.1 or TLS 1.2 is present.

config: remove unused hostsecurity.disabletls10warning config

sslutil: remove dead code (that downgraded default minimum TLS version) We ensure in setup.py that TLS 1.1 or TLS 1.2 is present.

sslutil: remove comment referring to unsupported legacy stacks

setup: require that Python has TLS 1.1 or TLS 1.2 This ensures that Mercurial never downgrades the minimum TLS version from TLS 1.1+ to TLS 1.0+ and enables us to remove that compatibility code. It is reasonable to expect that distributions having Python 2.7.9+ or having backported modern features to the ssl module (which we require) have a OpenSSL version supporting TLS 1.1 or TLS 1.2, as this is the main reason why distributions would want to backport these features. TLS 1.1 and TLS 1.2 are often either both enabled or both not enabled. However, both can be disabled independently, at least on current Python / OpenSSL versions. For the record, I contacted the CPython developers to remark that unconditionally defining ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 is problematic: https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316

sslutil: check for OpenSSL without TLS 1.0 support in one case It can only happen if supportedprotocols gets fixed to contain only correct items (see the FIXME above in the file).

sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available This case isn't very likely, but possible, especially if supportedprotocols gets fixed to contain only correct items (see the FIXME above in the file).

sslutil: add FIXME about supportedprotocols possibly containing too many items

sslutil: fix names of variables containing minimum protocol strings When working in this module, I found it very confusing that "protocol" as a variable name could mean either "minimum protocol string" or an exact version (as a string or ssl.PROTOCOL_* value). This patch prefixes variables of the former type with "minimum".

sslutil: stop returning argument as third return value of protocolsettings() The third return value was always the same as the argument.

relnotes: note that we now require modern SSL/TLS features in Python

tests: stop checking for optional, now impossible output In 7dd63a8cb1ee, the code that could output that line was removed.

rust: remove one more occurrence of re2 Differential Revision: https://phab.mercurial-scm.org/D8601

scmutil: clarify getuipathfn comment Differential Revision: https://phab.mercurial-scm.org/D8600

githelp: add some minimal help for pickaxe functionality Due to a conversation in work chat, I realized this is actually pretty well-hidden in Mercurial. Differential Revision: https://phab.mercurial-scm.org/D8590

rust: remove duplicate import Differential Revision: https://phab.mercurial-scm.org/D8456

tests: remove "sslcontext" check Now that we require the presence of ssl.SSLContext in setup.py, the check would always return `True`.

sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it

tests: remove "defaultcacerts" check `sslutil._canloaddefaultcerts` is always true (and will be removed).

sslutil: eliminate `modernssl` by constant-folding code using it

hgweb: avoid using `sslutil.modernssl` `sslutil.modernssl` is going to be removed. Since the point of using this attribute was to check the importability of the `sslutil`, a different attribute can be used. `sslutil.wrapserversocket` is used because it’s anyway used a few lines below.

sslutil: remove comments referring to removed SSLContext emulation class

sslutil: remove code checking for presence of ssl.SSLContext Now that we require the presence of ssl.SSLContext in setup.py, we can remove this code.

setup: require a Python version with modern SSL features This increases the minimum security baseline of Mercurial and enables us to remove compatibility code for supporting older, less secure Python versions.

sslutil: set `_canloaddefaultcerts` to `True` if `ssl.SSLContext` is present The `load_default_certs()` method was already present when `ssl.SSLContext` was backported to Python 2.7 (https://hg.python.org/cpython/rev/221a1f9155e2).

filemerge: add __bytes__ for absentfilectx This will at _least_ aid some upcoming debugging. Differential Revision: https://phab.mercurial-scm.org/D8592

mergestate: move staticmethod _filectxorabsent to module level I suspect this was a static method just because it made merge.py feel less messy, but now we have a mergestate package so we can do better. Differential Revision: https://phab.mercurial-scm.org/D8591

rust: remove support for `re2` With the performance issues with `regex` figured out and fixed in previous patches and `regex` newly gaining support for empty alternations, there is no reason to keep `re2` around anymore. It's only *marginally* faster at creating the regex which saves at most a couple of ms, but gets beaten by `regex` in every other aspect. This removes the Rust/C/C++ bridge (hooray!), the `with-re2` feature, the conditional code that goes with it, the documentation and relevant part of the debug/module output. Differential Revision: https://phab.mercurial-scm.org/D8594

rust-dependencies: update `regex` to 1.3.9 Version `1.3.8` introduces support for empty alternations, which makes previously disallowed patterns usable in `regex`. From a user's perspective, this means that glob patterns like `*.py{,c}` will no longer generate an "invalid" regex and will use the Rust path. `1.3.9` is a bugfix release, might as well update to the latest one. Differential Revision: https://phab.mercurial-scm.org/D8593