diff -r 1b8b6adb2365 -r 53de8255ec4e mercurial/sslutil.py
--- a/mercurial/sslutil.py Wed Jul 13 20:41:07 2016 -0700
+++ b/mercurial/sslutil.py Thu Jul 14 19:56:39 2016 -0700
@@ -264,7 +264,13 @@
 settings = _hostsettings(ui, serverhostname)
- # TODO use ssl.create_default_context() on modernssl.
+ # We can't use ssl.create_default_context() because it calls
+ # load_default_certs() unless CA arguments are passed to it. We want to
+ # have explicit control over CA loading because implicitly loading
+ # CAs may undermine the user's intent. For example, a user may define a CA
+ # bundle with a specific CA cert removed. If the system/default CA bundle
+ # is loaded and contains that removed CA, you've just undone the user's
+ # choice.
 sslcontext = SSLContext(settings['protocol'])
 # This is a no-op unless using modern ssl.