diff --git a/mercurial/httpconnection.py b/mercurial/httpconnection.py
--- a/mercurial/httpconnection.py
+++ b/mercurial/httpconnection.py
@@ -58,7 +58,7 @@ class httpsendfile(object):
         return self._len
 
 # moved here from url.py to avoid a cycle
-def readauthforuri(ui, uri):
+def readauthforuri(ui, uri, user):
     # Read configuration
     config = dict()
     for key, val in ui.configitems('auth'):
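Review bot: `readauthforuri` gains a required positional `user` argument but still has no docstring, so the new contract is only discoverable by reading the call sites. A short docstring on the new signature would help, for example `"""Return (group, auth) for the best-matching [auth] entry, or None. uri must not contain userinfo; user is the username to match against, or None."""`. Any caller outside this patch that still passes two arguments will raise a TypeError; if that matters, `def readauthforuri(ui, uri, user=None):` keeps the old call shape working. The function body continues past the end of this hunk.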
@@ -72,10 +72,6 @@ def readauthforuri(ui, uri):
         gdict[setting] = val
 
     # Find the best match
-    uri = util.url(uri)
-    user = uri.user
-    uri.user = uri.password = None
-    uri = str(uri)
     scheme, hostpath = uri.split('://', 1)
     bestuser = None
     bestlen = 0
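Review bot: With the `util.url` normalisation removed, `uri.split('://', 1)` runs on whatever string the caller supplies, so a URI that still carries `user:password@` leaves the userinfo inside `hostpath`. The matching loop is outside this hunk, but if it compares `hostpath` against the configured prefixes, such a URI would silently stop matching its `[auth]` group. The intended username, password or client certificate would then not be selected, and nothing would report it. The call in `passwordmgr.find_user_password` (url.py, hunk `@@ -26,7 +26,7`) forwards `authuri` without checking it, so the same precondition applies there. At minimum, state the requirement where it is relied on, for example `# uri must already have userinfo stripped; the username arrives via 'user'`.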
@@ -238,7 +234,11 @@ class http2handler(urllib2.HTTPHandler, 
         return self.do_open(HTTPConnection, req, False)
 
     def https_open(self, req):
-        res = readauthforuri(self.ui, req.get_full_url())
+        # req.get_full_url() does not contain credentials and we may
+        # need them to match the certificates.
+        url = req.get_full_url()
+        user, password = self.pwmgr.find_stored_password(url)
+        res = readauthforuri(self.ui, url, user)
         if res:
             group, auth = res
             self.auth = auth
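Review bot: `user, password = self.pwmgr.find_stored_password(url)` binds the stored cleartext password to a local that is never read; only `user` is passed on to `readauthforuri`. Taking just the needed element, `user = self.pwmgr.find_stored_password(url)[0]`, avoids holding the secret in the frame, where a traceback or debugger dump could expose it. Avoid `_` as a throwaway name, since url.py uses `_` as the translation function. The added comment says the credentials are needed "to match the certificates", but only the username takes part, so `# the username is needed to select the matching [auth] entry` would be more accurate. The same lines are added to `https_open` in url.py (hunk `@@ -342,7 +346,11`), and whether `self.pwmgr` is set on this handler is not visible in the hunk.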
diff --git a/mercurial/url.py b/mercurial/url.py
--- a/mercurial/url.py
+++ b/mercurial/url.py
@@ -26,7 +26,7 @@ class passwordmgr(urllib2.HTTPPasswordMg
             return (user, passwd)
 
         if not user or not passwd:
-            res = httpconnectionmod.readauthforuri(self.ui, authuri)
+            res = httpconnectionmod.readauthforuri(self.ui, authuri, user)
             if res:
                 group, auth = res
                 user, passwd = auth.get('username'), auth.get('password')
@@ -53,6 +53,10 @@ class passwordmgr(urllib2.HTTPPasswordMg
         msg = _('http auth: user %s, password %s\n')
         self.ui.debug(msg % (user, passwd and '*' * len(passwd) or 'not set'))
 
+    def find_stored_password(self, authuri):
+        return urllib2.HTTPPasswordMgrWithDefaultRealm.find_user_password(
+            self, None, authuri)
+
 class proxyhandler(urllib2.ProxyHandler):
     def __init__(self, ui):
         proxyurl = ui.config("http_proxy", "host") or os.getenv('http_proxy')
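Review bot: `find_stored_password` has no docstring, and its difference from `find_user_password` is security-relevant: it only reads what was previously stored and always passes realm `None` to the base class. With that realm, `HTTPPasswordMgrWithDefaultRealm` consults only default-realm entries, so credentials registered under a named realm are not returned. The `https_open` callers would then receive `user` as `None`. A docstring should say so, for example `"""Return the (user, password) stored for authuri in the default realm, or (None, None); never reads [auth] and never prompts."""`.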
@@ -342,7 +346,11 @@ if has_https:
             return keepalive.KeepAliveHandler._start_transaction(self, h, req)
 
         def https_open(self, req):
-            res = httpconnectionmod.readauthforuri(self.ui, req.get_full_url())
+            # req.get_full_url() does not contain credentials and we may
+            # need them to match the certificates.
+            url = req.get_full_url()
+            user, password = self.pwmgr.find_stored_password(url)
+            res = httpconnectionmod.readauthforuri(self.ui, url, user)
             if res:
                 group, auth = res
                 self.auth = auth
diff --git a/tests/test-hgweb-auth.py b/tests/test-hgweb-auth.py
--- a/tests/test-hgweb-auth.py
+++ b/tests/test-hgweb-auth.py
@@ -37,10 +37,10 @@ def test(auth, urls=None):
         print 'URI:', uri
         try:
             pm = url.passwordmgr(ui)
-            authinfo = util.url(uri).authinfo()[1]
+            u, authinfo = util.url(uri).authinfo()
             if authinfo is not None:
                 pm.add_password(*authinfo)
-            print '    ', pm.find_user_password('test', uri)
+            print '    ', pm.find_user_password('test', u)
         except Abort, e:
             print 'abort'