httpconnection: properly inject ssl_wrap_socket into httpclient (issue4038) This causes httpclient to use the same SSL settings as the rest of Mercurial, and adds an easy extension point for later modifications to our ssl handling.

sslutil: make keyfile and certfile arguments consistent between 2.6+ and 2.5-

httpclient: import 4bb625347d4a to provide SSL wrapper injection This lets us inject our own ssl.wrap_socket equivalent into httpclient, which means that any changes we make to our ssl handling can be *entirely* on our side without having to muck with httpclient, which sounds appealing. For example, an extension could wrap sslutil.ssl_wrap_socket with an api-compatible wrapper and then tweak SSL settings more precisely or use GnuTLS instead of OpenSSL.

sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Prior to this change, we default to SSLv23, which is insecure because it allows use of SSLv2. Unfortunately, there's no constant for OpenSSL to let us use SSLv3 or TLS - we have to pick one or the other. We expose a knob to revert to pre-TLS SSL for the user that has an ancient server that lacks proper TLS support.