--- a/mercurial/sslutil.py	Sun May 31 11:41:03 2020 +0200
+++ b/mercurial/sslutil.py	Sun May 31 11:10:21 2020 +0200
@@ -105,7 +105,7 @@
     # We default to TLS 1.1+ where we can because TLS 1.0 has known
     # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
     # TLS 1.0+ via config options in case a legacy server is encountered.
-    if b'tls1.1' in supportedprotocols:
+    if supportedprotocols - {b'tls1.0'}:
         defaultminimumprotocol = b'tls1.1'
     else:
         # Let people know they are borderline secure.