Hi Dan,

Thanks for your feedback. Yes, I think it's a good idea to have a bug per issue (see end of this note).

For my own sanity I've attempted to note the various legal combinations of parameters for both the server and client (hopefully the formatting will get preserved). I've also noted a third potential change.

Server side parameters to ssl.wrap_socket:

--------------------------------------------------------------
| key_file | cert_file | ca_certs | cert_reqs | valid | note |
--------------------------------------------------------------
|    0     |     0     |    0     |   NONE    |   1   | (1)  |
|    1     |     0     |    0     |   NONE    |   0   | (2)  |
|    0     |     1     |    0     |   NONE    |   0   | (2)  |
|    1     |     1     |    0     |   NONE    |   1   | (3)  |
|    1     |     1     |    1     |   NONE    |   0   | (4)  |
|    0     |     0     |    1     |   NONE    |   0   | (5)  |
|    1     |     1     |    0     | REQUIRED  |   0   | (6)  |
|    1     |     1     |    1     | REQUIRED  |   1   | (7)  |
--------------------------------------------------------------

(1) Plain http connection
(2) Both key and cert needed
(3) https connection, no checking of client cert
(4) If ca_cert is present cert_req must not be NONE
(5) If not using ssl a ca_certs parameter is meaningless.
(6) If ca_certs is not present cert_req must be NONE
(7) client cert will be verified using specified ca_certs file. The current server code doesn't seem to do this (only cert_file and key_file arguments are passed).

*Change #3*: This functionality should be added, i.e. a new 'server_ca_cert' option.

Note: may want registry to have cert_reqs REQUIRED, but API have cert_reqs NONE?
Client side parameters to ssl.wrap_socket:

--------------------------------------------------------------
| key_file | cert_file | ca_certs | cert_reqs | valid | note |
--------------------------------------------------------------
|    0     |     0     |    0     |   NONE    |   1   | (8)  |
|    1     |     0     |    0     |   NONE    |   0   | (9)  |
|    0     |     1     |    0     |   NONE    |   0   | (9)  |
|    1     |     1     |    0     |   NONE    |   1   | (10) |
|    1     |     1     |    1     |   NONE    |   0   | (11) |
|    0     |     0     |    1     |   NONE    |   1   | (12) |
|    1     |     1     |    0     | REQUIRED  |   0   | (13) |
|    1     |     1     |    1     | REQUIRED  |   1   | (14) |
--------------------------------------------------------------

(8) Plain http connection.
(9) Both key and cert needed
(10) https connection, no checking of server cert. *Change #2*: allow this, but only if the '--no-cert-check' option is provided.
(11) If ca_cert is present cert_req must not be NONE
(12) If using an ssl server, the client does not need to supply key_file/cert_file. *Change #1*: Currently this is not supported, add support.
(13) If ca_certs is not present cert_req must be NONE
(14) server cert will be verified using specified ca_certs file. The current code allows this.

If the above is sensible/consistent I'll open bugs for the three changes (#1, #2, #3).
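The two tables above, turned into a checkable policy. This is an added example, not code from the post or from the project it discusses. It assumes that the post's key_file/cert_file/ca_certs options map onto ssl.wrap_socket's keyfile/certfile/ca_certs keywords, that the proposed '--no-cert-check' option arrives as a no_cert_check flag, and that a client combination the tables do not list (ca_certs alone with cert_reqs REQUIRED) falls under note (12); the note numbers are the post's own.

```python
import ssl

# Added example: the post's server and client parameter tables as explicit
# rules, plus the translation to ssl.wrap_socket keyword arguments.  Not code
# from the post or the project under discussion.  Note numbers (1)..(14) are
# the post's annotations.

NONE = ssl.CERT_NONE          # the table's "NONE"
REQUIRED = ssl.CERT_REQUIRED  # the table's "REQUIRED"

NOTES = {
    1: "Plain http connection",
    2: "Both key and cert needed",
    3: "https connection, no checking of client cert",
    4: "If ca_certs is present cert_reqs must not be NONE",
    5: "If not using ssl a ca_certs parameter is meaningless",
    6: "If ca_certs is not present cert_reqs must be NONE",
    7: "client cert will be verified using specified ca_certs file",
    8: "Plain http connection",
    9: "Both key and cert needed",
    10: "https connection, no checking of server cert",
    11: "If ca_certs is present cert_reqs must not be NONE",
    12: "client does not need to supply key_file/cert_file",
    13: "If ca_certs is not present cert_reqs must be NONE",
    14: "server cert will be verified using specified ca_certs file",
}


def classify(side, key_file=None, cert_file=None, ca_certs=None, cert_reqs=NONE):
    """Return (valid, note_number) for one combination, reproducing the post's
    server and client tables row for row.  side is "server" or "client"."""
    have_key, have_cert, have_ca = bool(key_file), bool(cert_file), bool(ca_certs)
    required = cert_reqs == REQUIRED
    server = side == "server"
    if have_key != have_cert:                 # notes (2) / (9)
        return False, 2 if server else 9
    if required and not have_ca:              # notes (6) / (13)
        return False, 6 if server else 13
    using_ssl = have_key                      # key and cert are both present
    if server:
        if not using_ssl:                     # notes (5) / (1)
            return (False, 5) if have_ca else (True, 1)
        if have_ca:                           # notes (7) / (4)
            return (True, 7) if required else (False, 4)
        return True, 3                        # key+cert, no ca_certs, NONE
    if not using_ssl:                         # notes (12) / (8)
        return (True, 12) if have_ca else (True, 8)
    if have_ca:                               # notes (14) / (11)
        return (True, 14) if required else (False, 11)
    return True, 10                           # key+cert, no ca_certs, NONE


def wrap_socket_kwargs(side, key_file=None, cert_file=None, ca_certs=None,
                       cert_reqs=NONE, no_cert_check=False):
    """Validate a combination and translate it to ssl.wrap_socket keywords
    (keyfile/certfile/ca_certs/cert_reqs/server_side).  Returns None for the
    plain-http rows, raises ValueError carrying the post's note for invalid
    rows, and applies Change #2: a client that would not check the server
    cert (row 10) is only accepted when no_cert_check is set (assumed name
    for the post's '--no-cert-check' option)."""
    valid, note = classify(side, key_file, cert_file, ca_certs, cert_reqs)
    if not valid:
        raise ValueError(f"({note}) {NOTES[note]}")
    if note in (1, 8):
        return None                           # no TLS wrapping at all
    if note == 10 and not no_cert_check:
        raise ValueError("(10) server cert would not be checked; "
                         "pass --no-cert-check to allow this")
    kwargs = {"server_side": side == "server", "cert_reqs": cert_reqs}
    if key_file:
        kwargs["keyfile"] = key_file
        kwargs["certfile"] = cert_file
    if ca_certs:
        kwargs["ca_certs"] = ca_certs
    return kwargs


def rejection_reason(side, **params):
    """The ValueError text for a rejected combination, or None when
    wrap_socket_kwargs accepts it."""
    try:
        wrap_socket_kwargs(side, **params)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Walk every row of both tables with constructed sample paths; no file
    # is opened, only the decision is printed.
    rows = [(0, 0, 0, NONE), (1, 0, 0, NONE), (0, 1, 0, NONE), (1, 1, 0, NONE),
            (1, 1, 1, NONE), (0, 0, 1, NONE), (1, 1, 0, REQUIRED), (1, 1, 1, REQUIRED)]
    for side in ("server", "client"):
        for key, cert, ca, reqs in rows:
            params = dict(key_file="key.pem" if key else None,
                          cert_file="cert.pem" if cert else None,
                          ca_certs="ca.pem" if ca else None, cert_reqs=reqs)
            valid, note = classify(side, **params)
            print(f"{side:6} key={key} cert={cert} ca={ca} "
                  f"{'REQUIRED' if reqs == REQUIRED else 'NONE':8} "
                  f"valid={int(valid)} ({note}) {NOTES[note]}")
```

The builder only assembles the keyword set; ssl.wrap_socket itself was removed in Python 3.12, so on a current interpreter the same decisions would be applied to an ssl.SSLContext (load_cert_chain, load_verify_locations and verify_mode) instead.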