Python versions before 2.7.9 (including all versions of Python 2.6) do not support modern and secure SSL. As a result, Mercurial (like any Python program running on older Python versions) cannot ensure connections to remote servers are secure.
Specifically, running versions of Python before 2.7.9 means:
- No TLS 1.1 or 1.2
- No good ciphersuites
- No perfect forward secrecy
- No Next Protocol Negotiation (NPN)
- No Server Name Indication (SNI)
- No system certificate access
If you run Python older than 2.7.9, only SSLv2, SSLv3, and TLS 1.0 are available to you. SSLv2 and SSLv3 are insecure and have known vulnerabilities (like POODLE). TLS 1.0 has weaknesses of its own, but as of early 2016 it is still widely supported because of its popularity. In other words, SSL/TLS support in Python older than 2.7.9 is so poor that it is practically plain text (read: no security).
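A quick way to see whether a given interpreter is affected is to ask its `ssl` module directly for the features listed above. The script below is an added example, not Mercurial's own code: it checks the interpreter version against the 2.7.9 floor named on this page (the 3.4 floor for the Python 3 line is an assumption, based on 2.7.9's `ssl` module being the backport of 3.4's), then probes the `ssl` module for each feature. The probes are proxies chosen here, not anything the page prescribes: `PROTOCOL_TLSv1_1`/`PROTOCOL_TLSv1_2` (or the newer `TLSVersion` enum) for TLS 1.1/1.2, `create_default_context` for a sane ciphersuite default, `HAS_ECDH` for forward secrecy, `HAS_NPN`, `HAS_SNI`, and `SSLContext.load_default_certs` for system certificate access.

```python
"""Probe the running interpreter's ssl module for the features this page says
pre-2.7.9 Python lacks. Added example; not Mercurial's own code."""
import ssl
import sys

# Oldest interpreters whose ssl module carries the modern feature set.
# 2.7.9 is the version named on the page; the 3.4 floor is an assumption
# (2.7.9's ssl module was backported from 3.4).
_MODERN_SSL_FLOOR = {2: (2, 7, 9), 3: (3, 4, 0)}


def interpreter_has_modern_ssl(version_info=None):
    """Return True when the (major, minor, micro) version meets the floor."""
    raw = version_info if version_info is not None else sys.version_info[:3]
    v = tuple(raw)[:3]
    floor = _MODERN_SSL_FLOOR.get(v[0])
    if floor is None:
        return False  # unknown major version: treat as legacy
    return v >= floor


def probe_ssl_features():
    """List (feature, present) pairs, one per item on the page, in page order.

    Each probe is a proxy for the feature, chosen for this example."""
    ctx_cls = getattr(ssl, "SSLContext", None)
    has_tls_enum = hasattr(ssl, "TLSVersion")  # 3.7+ spelling of the constants
    return [
        ("TLS 1.1", hasattr(ssl, "PROTOCOL_TLSv1_1") or has_tls_enum),
        ("TLS 1.2", hasattr(ssl, "PROTOCOL_TLSv1_2") or has_tls_enum),
        # create_default_context() is what configures a good default cipher list
        ("good default ciphersuites", hasattr(ssl, "create_default_context")),
        # forward secrecy needs ephemeral (EC)DH key exchange
        ("perfect forward secrecy", bool(getattr(ssl, "HAS_ECDH", False))),
        # NPN was later superseded by ALPN; recent OpenSSL builds may report False
        ("NPN", bool(getattr(ssl, "HAS_NPN", False))),
        ("SNI", bool(getattr(ssl, "HAS_SNI", False))),
        # access to the platform certificate store arrived with load_default_certs()
        ("system certificate access",
         ctx_cls is not None and hasattr(ctx_cls, "load_default_certs")),
    ]


def missing_features(features=None):
    """Return the names of absent features, keeping the page's order."""
    if features is None:
        features = probe_ssl_features()
    return [name for name, present in features if not present]


def main():
    print("Python %s, %s" % (sys.version.split()[0],
                             getattr(ssl, "OPENSSL_VERSION", "unknown OpenSSL")))
    print("version floor met:", interpreter_has_modern_ssl())
    for name, present in probe_ssl_features():
        print("  %-26s %s" % (name, "yes" if present else "MISSING"))
    gaps = missing_features()
    if gaps:
        print("legacy ssl module; missing:", ", ".join(gaps))


if __name__ == "__main__":
    main()
```

Run it under the interpreter Mercurial actually uses (for example `python2.6 probe_ssl.py`): on a pre-2.7.9 interpreter every probe except perhaps TLS 1.0-era basics reports MISSING, which is the concrete form of the "practically plain text" claim above. Note that `HAS_NPN` can also read False on a fully modern build, because NPN was replaced by ALPN in later OpenSSL releases, so treat that one line as informational rather than as proof of a legacy interpreter.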
These limitations are things that Mercurial cannot work around. Only upgrading to Python 2.7.9+ will make Mercurial more secure.