# HG changeset patch
# User Manuel Jacob
# Date 1590916221 -7200
# Node ID abcd6db1f2cccc5615f58658439d05a19fc37c80
# Parent 4942c1bdd080aa6ff2cbf4600f0e040f28a2a734
sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available This case isn't very likely, but possible, especially if supportedprotocols gets fixed to contain only correct items (see the FIXME above in the file).
diff -r 4942c1bdd080 -r abcd6db1f2cc mercurial/sslutil.py
--- a/mercurial/sslutil.py Sun May 31 11:41:03 2020 +0200
+++ b/mercurial/sslutil.py Sun May 31 11:10:21 2020 +0200
@@ -105,7 +105,7 @@
 # We default to TLS 1.1+ where we can because TLS 1.0 has known
 # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
 # TLS 1.0+ via config options in case a legacy server is encountered.
- if b'tls1.1' in supportedprotocols:
+ if supportedprotocols - {b'tls1.0'}:
 defaultminimumprotocol = b'tls1.1'
 else:
 # Let people know they are borderline secure.
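Review bot: On the added line `if supportedprotocols - {b'tls1.0'}:` the branch now picks `b'tls1.1'` as the default minimum even when `tls1.1` is absent from `supportedprotocols` (the tls1.2-only case the description names), so the default can name a protocol the set does not contain. That is safe only if the code consuming `defaultminimumprotocol` treats it as a floor and never tests it for membership in `supportedprotocols`; that code is outside this hunk and worth confirming. The set-difference truthiness test is also easy to misread, so I would add a comment such as `# anything newer than TLS 1.0 is available, so refuse 1.0 by default`, or spell the intent as `if supportedprotocols & {b'tls1.1', b'tls1.2'}:`, which behaves the same as long as the set holds only these three names. The enclosing function starts and ends outside the hunk.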