
Author pitrou
Recipients James.O'Cull, jesusvpct, pitrou
Date 2013-05-10.18:19:44
Message-id <1368209984.56.0.108494236963.issue17948@psf.upfronthosting.co.za>
In-reply-to
Content
Thank you for pointing this out. I am frankly shocked that IIS would default to SSLv2 (an obsolete and insecure version of the protocol), while Python's (and certainly Mercurial's) default settings allow for higher protocol versions.

> If you are interested in why Python 2.7.3 broke this, look at
> http://bugs.python.org/issue13885 for the explanation (it is
> security-related).

Indeed, it is a security fix. I have no desire to undo this change, which means things may get a bit painful with IIS apparently.

One way to deal with it may be to detect IIS after the first wrap_socket() (through an HTTP header in the response?) and then re-issue a wrap_socket() with IIS-specific parameters.

(forcing SSLv3 as the client protocol isn't terrific, since TLSv1 is AFAIR supposed to have improved security)
History
Date                 User    Action  Args
2013-05-10 18:19:44  pitrou  set     recipients: + pitrou, jesusvpct, James.O'Cull
2013-05-10 18:19:44  pitrou  set     messageid: <1368209984.56.0.108494236963.issue17948@psf.upfronthosting.co.za>
2013-05-10 18:19:44  pitrou  link    issue17948 messages
2013-05-10 18:19:44  pitrou  create