sslutil: more robustly detect protocol support The Python ssl module conditionally sets the TLS 1.1 and TLS 1.2 constants depending on whether HAVE_TLSv1_2 is defined. Yes, these are both tied to the same constant (I would think there would be separate constants for each version). Perhaps support for TLS 1.1 and 1.2 were added at the same time and the assumption is that OpenSSL either has neither or both. I don't know. As part of developing this patch, it was discovered that Apple's /usr/bin/python2.7 does not support TLS 1.1 and 1.2 (only TLS 1.0)! On OS X 10.11, Apple Python has the modern ssl module including SSLContext, but it doesn't appear to negotiate TLS 1.1+ nor does it expose the constants related to TLS 1.1+. Since this code is doing more robust feature detection (and not assuming modern ssl implies TLS 1.1+ support), we now get TLS 1.0 warnings when running on Apple Python. Hence the test changes. I'm not super thrilled about shipping a Mercurial that always whines about TLS 1.0 on OS X. We may want a follow-up patch to suppress this warning.

--- a/tests/hghave.py	Mon Jul 11 11:05:08 2016 +0200
+++ b/tests/hghave.py	Mon Jul 18 11:27:27 2016 -0700
@@ -439,6 +439,11 @@
 
     return len(ctx.get_ca_certs()) > 0
 
+@check("tls1.2", "TLS 1.2 protocol support")
+def has_tls1_2():
+    from mercurial import sslutil
+    return 'tls1.2' in sslutil.supportprotocols
+
 @check("windows", "Windows")
 def has_windows():
     return os.name == 'nt'