# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590918063 -7200
# Node ID 4942c1bdd080aa6ff2cbf4600f0e040f28a2a734
# Parent  ceb7318013d50a2cf030d7d0e8455193651668ed
sslutil: add FIXME about supportedprotocols possibly containing too many items

diff -r ceb7318013d5 -r 4942c1bdd080 mercurial/sslutil.py
--- a/mercurial/sslutil.py	Sun May 31 10:47:38 2020 +0200
+++ b/mercurial/sslutil.py	Sun May 31 11:41:03 2020 +0200
@@ -46,6 +46,13 @@
 
 # TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
 # against doesn't support them.
+# FIXME: Since CPython commit 6e8cda91d92da72800d891b2fc2073ecbc134d98
+# individual TLS versions can be turned on and off, and the
+# ssl.PROTOCOL_TLSv1_* constants are always defined.
+# This means that, on unusual configurations, the following dict may contain
+# too many entries. A proper fix would be to check ssl.HAS_TLSv* where
+# available (Python 3.7+). Before that, this module should be proofed against
+# all possible combinations.
 supportedprotocols = {b'tls1.0'}
 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
     supportedprotocols.add(b'tls1.1')