diff --git a/mercurial/url.py b/mercurial/url.py
--- a/mercurial/url.py
+++ b/mercurial/url.py
@@ -542,13 +542,20 @@ def _verifycert(cert, hostname):
     return _('no commonName or subjectAltName found in certificate')
 
 if has_https:
-    class BetterHTTPS(httplib.HTTPSConnection):
-        send = keepalive.safesend
+    class httpsconnection(httplib.HTTPSConnection):
+        response_class = keepalive.HTTPResponse
+        # must be able to send big bundle as stream.
+        send = _gen_sendfile(keepalive.safesend)
+        getresponse = keepalive.wrapgetresponse(httplib.HTTPSConnection)
 
         def connect(self):
             self.sock = _create_connection((self.host, self.port))
 
             host = self.host
+            if self.realhostport: # use CONNECT proxy
+                something = _generic_proxytunnel(self)
+                host = self.realhostport.rsplit(':', 1)[0]
+
             cacerts = self.ui.config('web', 'cacerts')
             hostfingerprint = self.ui.config('hostfingerprints', host)
 
@@ -592,22 +599,6 @@ if has_https:
                                    '(check web.cacerts config setting)\n') %
                                  host)
 
-    class httpsconnection(BetterHTTPS):
-        response_class = keepalive.HTTPResponse
-        # must be able to send big bundle as stream.
-        send = _gen_sendfile(BetterHTTPS.send)
-        getresponse = keepalive.wrapgetresponse(httplib.HTTPSConnection)
-
-        def connect(self):
-            if self.realhostport: # use CONNECT proxy
-                self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-                self.sock.connect((self.host, self.port))
-                if _generic_proxytunnel(self):
-                    self.sock = _ssl_wrap_socket(self.sock, self.key_file,
-                            self.cert_file)
-            else:
-                BetterHTTPS.connect(self)
-
     class httpshandler(keepalive.KeepAliveHandler, urllib2.HTTPSHandler):
         def __init__(self, ui):
             keepalive.KeepAliveHandler.__init__(self)
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -261,10 +261,8 @@ Test https with cacert and fingerprint t
 Test https with cert problems through proxy
 
   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
-  pulling from https://localhost:$HGPORT/
-  searching for changes
-  no changes found
+  abort: error: _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
+  [255]
   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
-  pulling from https://localhost:$HGPORT2/
-  searching for changes
-  no changes found
+  abort: error: _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
+  [255]