diff -r f4aede0f01af -r 94cf83d9a2c9 mercurial/sslutil.py
--- a/mercurial/sslutil.py	Tue Nov 12 23:20:04 2024 +0100
+++ b/mercurial/sslutil.py	Fri Nov 08 19:48:06 2024 -0500
@@ -312,8 +312,7 @@
     # is loaded and contains that removed CA, you've just undone the user's
     # choice.
 
-    if hasattr(ssl, 'TLSVersion'):
-        # python 3.7+
+    if True:
         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
         minimumprotocol = settings[b'minimumprotocol']
         if minimumprotocol == b'tls1.0':
@@ -339,12 +338,6 @@
         # Prevent CRIME.
         # There is no guarantee this attribute is defined on the module.
         sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
-    else:
-        # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
-        # ends support, including TLS protocols. commonssloptions() restricts the
-        # set of allowed protocols.
-        sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-        sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
 
     # We check the hostname ourselves in _verifycert
     sslcontext.check_hostname = False
@@ -545,8 +538,7 @@
                     _(b'referenced certificate file (%s) does not exist') % f
                 )
 
-    if hasattr(ssl, 'TLSVersion'):
-        # python 3.7+
+    if True:
         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
         sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
 
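Review bot: `if True:` replacing the `hasattr(ssl, 'TLSVersion')` guard leaves an unexplained placeholder condition, here and again in the server-side hunk at @@ -545; a reader skimming the file may take it for a disabled check rather than a deferred dedent. If the re-indentation is intentionally left to a follow-up commit, say so on the line, e.g. `if True:  # TODO: dedent; the Python < 3.7 fallback branch was removed`. The deleted `# python 3.7+` comment was also the only hint that the body below presumably relies on `ssl.TLSVersion`, so that fact is worth keeping in a comment on the surviving branch. Dropping the fallback means an interpreter lacking `ssl.TLSVersion` now fails loudly instead of quietly using the weaker `PROTOCOL_SSLv23` path, which is the right direction; it is worth confirming the project's declared minimum Python already excludes such interpreters. The enclosing function starts before this hunk and continues after it.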
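Review bot: With the `else:` branch removed here and in the server-side hunk at @@ -585, no call to `commonssloptions()` remains anywhere in the visible diff; if the helper (and whatever `supportedprotocols` checks only it used) has no remaining callers, it should go in the same series, because leftover TLS-hardening code that is never applied misleads the next reader into believing its restrictions are still in force. On the surviving client path the comment `# There is no guarantee this attribute is defined on the module.` above the `OP_NO_COMPRESSION` line looks stale: once the code assumes a Python that provides `ssl.TLSVersion`, `ssl.OP_NO_COMPRESSION` is available as well, so the `getattr(ssl, 'OP_NO_COMPRESSION', 0)` fallback can presumably become `sslcontext.options |= ssl.OP_NO_COMPRESSION`, which fails loudly if the option is ever missing instead of silently leaving compression enabled. The same consideration applies to the `OP_SINGLE_DH_USE` line at the end of the @@ -585 hunk. The enclosing function starts before this hunk.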
@@ -585,39 +577,6 @@
                 _(b'invalid value for server-insecure-exact-protocol: %s')
                 % exactprotocol
             )
-    else:
-        # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
-        # ends support, including TLS protocols. commonssloptions() restricts the
-        # set of allowed protocols.
-        protocol = ssl.PROTOCOL_SSLv23
-        options = commonssloptions(b'tls1.0')
-
-        # This config option is intended for use in tests only. It is a giant
-        # footgun to kill security. Don't define it.
-        exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
-        if exactprotocol == b'tls1.0':
-            if b'tls1.0' not in supportedprotocols:
-                raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
-            protocol = ssl.PROTOCOL_TLSv1
-        elif exactprotocol == b'tls1.1':
-            if b'tls1.1' not in supportedprotocols:
-                raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
-            protocol = ssl.PROTOCOL_TLSv1_1
-        elif exactprotocol == b'tls1.2':
-            if b'tls1.2' not in supportedprotocols:
-                raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
-            protocol = ssl.PROTOCOL_TLSv1_2
-        elif exactprotocol:
-            raise error.Abort(
-                _(b'invalid value for server-insecure-exact-protocol: %s')
-                % exactprotocol
-            )
-
-        # We /could/ use create_default_context() here since it doesn't load
-        # CAs when configured for client auth. However, it is hard-coded to
-        # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
-        sslcontext = ssl.SSLContext(protocol)
-        sslcontext.options |= options
 
     # Improve forward secrecy.
     sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
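Review bot: The removed `else:` branch carried the only visible warning about the `devel.server-insecure-exact-protocol` option (`# This config option is intended for use in tests only. It is a giant footgun to kill security. Don't define it.`) and the only explanation of why a bare `ssl.SSLContext` is built instead of `create_default_context()`. The surviving branch, whose tail is the three context lines at the top of this hunk, begins outside the hunk, so I cannot tell whether it repeats those comments; if it does not, the footgun warning should move next to the surviving read of that option, and the `create_default_context()` rationale should either be restated at the `PROTOCOL_TLS_SERVER` construction in the @@ -545 hunk or be dropped explicitly if it no longer applies there. The enclosing function continues past the end of this hunk.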