@@ -153,6 +153,8 @@ class Config(object):

     gpg_decrypt = u"%(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s"

     use_https = True

     ca_certs_file = u""

+    ssl_client_key_file = u""

+    ssl_client_cert_file = u""

     check_ssl_certificate = True

     check_ssl_hostname = True

     bucket_location = u"US"

@@ -61,6 +61,19 @@ class http_connection(object):

         return context

     @staticmethod

+    def _ssl_client_auth_context(certfile, keyfile, check_server_cert, cafile):

+        context = None

+        try:

+            cert_reqs = ssl.CERT_REQUIRED if check_server_cert else ssl.CERT_NONE

+            context = ssl._create_unverified_context(cafile=cafile,

+                                                     keyfile=keyfile,

+                                                     certfile=certfile,

+                                                     cert_reqs=cert_reqs)

+        except AttributeError: # no ssl._create_unverified_context

+            pass

+        return context

+

+    @staticmethod

     def _ssl_context():

         if http_connection.context_set:

             return http_connection.context

@@ -69,9 +82,16 @@ class http_connection(object):

         cafile = cfg.ca_certs_file

         if cafile == "":

             cafile = None

+        certfile = cfg.ssl_client_cert_file or None

+        keyfile = cfg.ssl_client_key_file or None # the key may be embedded into cert file

+

         debug(u"Using ca_certs_file %s", cafile)

+        debug(u"Using ssl_client_cert_file %s", certfile)

+        debug(u"Using ssl_client_key_file %s", keyfile)

-        if cfg.check_ssl_certificate:

+        if certfile is not None:

+            context = http_connection._ssl_client_auth_context(certfile, keyfile, cfg.check_ssl_certificate, cafile)

+        elif cfg.check_ssl_certificate:

             context = http_connection._ssl_verified_context(cafile)

         else:

             context = http_connection._ssl_unverified_context(cafile)

@@ -2813,6 +2813,8 @@ def main():

     optparser.add_option(      "--cache-file", dest="cache_file", action="store", default="",  metavar="FILE", help="Cache FILE containing local source MD5 values")

     optparser.add_option("-q", "--quiet", dest="quiet", action="store_true", default=False, help="Silence output on stdout")

     optparser.add_option(      "--ca-certs", dest="ca_certs_file", action="store", default=None, help="Path to SSL CA certificate FILE (instead of system default)")

+    optparser.add_option(      "--ssl-cert", dest="ssl_client_cert_file", action="store", default=None, help="Path to client own SSL certificate CRT_FILE")

+    optparser.add_option(      "--ssl-key", dest="ssl_client_key_file", action="store", default=None, help="Path to client own SSL certificate private key KEY_FILE")

     optparser.add_option(      "--check-certificate", dest="check_ssl_certificate", action="store_true", help="Check SSL certificate validity")

     optparser.add_option(      "--no-check-certificate", dest="check_ssl_certificate", action="store_false", help="Do not check SSL certificate validity")

     optparser.add_option(      "--check-hostname", dest="check_ssl_hostname", action="store_true", help="Check SSL certificate hostname validity")

@@ -539,6 +539,12 @@ Silence output on stdout

 Path to SSL CA certificate FILE (instead of system

 default)

 .TP

+\fB\-\-ssl\-cert\fR=CRT_FILE

+Path to client own SSL certificate CRT_FILE

+.TP

+\fB\-\-ssl\-key\fR=KEY_FILE

+Path to client own SSL certificate private key KEY_FILE

+.TP

 \fB\-\-check\-certificate\fR

 Check SSL certificate validity

 .TP