I've played a little with it and more general question: Don't
we want to
fail on any SSL error now? Now reraising exception is based only on
is_cert_error validator, but probably most SSL errors are not
recoverable (my typical case is fedora ssllogin page and
SSL_HANDSHAKE_FAILURE).
So, maybe enumeration of exceptions we believe are terminal or just fail
on any SSL error?
Either of these is different to previous behaviour (some SSL errors were
silently masked).
This work is more of a direct port of the existing code, so this is a separate question.
That said, ... maybe... the question is, is it possible for some strange network behavior
or transient httpd misbehavior to result in an SSL exception.
Also, I think perhaps we may want should be different retry behavior in different
circumstances. E.g. the first call, vs later calls, vs the sslLogin call.