classification
Title: Ignored exception in test_ssl
Type: behavior
Stage: needs patch
Components: Tests
Versions: Python 3.3, Python 3.2

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: giampaolo.rodola, janssen, nadeem.vawda, pitrou
Priority: normal
Keywords:

Created on 2012-01-28 16:52 by nadeem.vawda, last changed 2012-01-28 19:50 by nadeem.vawda.

Messages (8)
msg152172 - Author: Nadeem Vawda (nadeem.vawda) (Python committer) Date: 2012-01-28 16:52
While running test_ssl in verbose mode, I noticed the following exception:

    [...]
    test_protocol_sslv3 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv3 server with various client options ... 
     SSLv3->SSLv3 CERT_NONE
     SSLv3->SSLv3 CERT_OPTIONAL
     SSLv3->SSLv3 CERT_REQUIRED
     {SSLv23->SSLv3} CERT_NONE
    Exception in thread Thread-54:
    Traceback (most recent call last):
      File "/home/nadeem/src/cpython/def/Lib/threading.py", line 730, in _bootstrap_inner
        self.run()
      File "/home/nadeem/src/cpython/def/Lib/test/test_ssl.py", line 926, in run
        if not self.wrap_conn():
      File "/home/nadeem/src/cpython/def/Lib/test/test_ssl.py", line 880, in wrap_conn
        self.sock, server_side=True)
      File "/home/nadeem/src/cpython/def/Lib/ssl.py", line 206, in wrap_socket
        _context=self)
      File "/home/nadeem/src/cpython/def/Lib/ssl.py", line 293, in __init__
        raise x
      File "/home/nadeem/src/cpython/def/Lib/ssl.py", line 289, in __init__
        self.do_handshake()
      File "/home/nadeem/src/cpython/def/Lib/ssl.py", line 489, in do_handshake
        self._sslobj.do_handshake()
    ConnectionResetError: [Errno 104] Connection reset by peer

     {TLSv1->SSLv3} CERT_NONE
     SSLv23->SSLv3 CERT_NONE
    ok
    [...]

Note that the exception is ignored and the test still passes.

msg152177 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2012-01-28 18:46
What is the OpenSSL version? (printed at the beginning of test_ssl)

Having an exception here is quite normal: the test checks that a certain (client protocol, server protocol) combination fails. However, an SSLError is expected rather than an OSError.
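
An added example (not part of the tracker thread or of CPython's test suite) of the distinction drawn in the message above: the server thread's handshake exception is captured instead of only being printed, then classified as a TLS-level rejection (`ssl.SSLError`) or a transport failure (another `OSError` such as `ConnectionResetError`). The helper names and both sample handshakes are constructed for illustration.

```python
import ssl
import threading


def run_in_server_thread(handshake):
    """Run handshake() in a thread; return the exception it raised, or None."""
    captured = []

    def target():
        try:
            handshake()
        except Exception as exc:  # recorded instead of being printed and lost
            captured.append(exc)

    thread = threading.Thread(target=target)
    thread.start()
    thread.join()
    return captured[0] if captured else None


def classify(exc):
    """Separate a TLS-level rejection from a transport-level failure."""
    if exc is None:
        return "handshake-succeeded"
    if isinstance(exc, ssl.SSLError):  # checked first: SSLError subclasses OSError
        return "tls-rejection"
    if isinstance(exc, OSError):
        return "transport-error"
    return "unexpected"


def handshake_on_non_tls_bytes():
    # Constructed input: a server-side TLS object fed plaintext it cannot parse.
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).wrap_bio(
        incoming, outgoing, server_side=True)
    incoming.write(b"GET / HTTP/1.0\r\n\r\n")
    server.do_handshake()


def handshake_on_reset_connection():
    # Constructed stand-in for the traceback above: the peer resets the socket.
    raise ConnectionResetError(104, "Connection reset by peer")


if __name__ == "__main__":
    for fn in (handshake_on_non_tls_bytes, handshake_on_reset_connection):
        print(fn.__name__, "->", classify(run_in_server_thread(fn)))
```

A test harness built this way can assert on the classification in the main thread, so a transport error in the server thread fails the test rather than scrolling past in verbose output.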

msg152178 - Author: Nadeem Vawda (nadeem.vawda) (Python committer) Date: 2012-01-28 18:50
> What is the OpenSSL version?

    test_ssl: testing with 'OpenSSL 1.0.0e 6 Sep 2011' (1, 0, 0, 5, 15)
              under Linux ('debian', 'wheezy/sid', '')
              HAS_SNI = True

msg152179 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2012-01-28 18:52
> > What is the OpenSSL version?
> 
>     test_ssl: testing with 'OpenSSL 1.0.0e 6 Sep 2011' (1, 0, 0, 5, 15)
>               under Linux ('debian', 'wheezy/sid', '')
>               HAS_SNI = True

For the record, it works here under 'OpenSSL 1.0.0d 8 Feb 2011'.

msg152180 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2012-01-28 18:55
The changelog between 1.0.0d and 1.0.0e doesn't seem to list anything which could affect this test:

  *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
     by initialising X509_STORE_CTX properly. (CVE-2011-3207)
     [Kaspar Brand <ossl@velox.ch>]

  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
     for multi-threaded use of ECDH. (CVE-2011-3210)
     [Adam Langley (Google)]

  *) Fix x509_name_ex_d2i memory leak on bad inputs.
     [Bodo Moeller]

  *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
     signature public key algorithm by using OID xref utilities instead.
     Before this you could only use some ECC ciphersuites with SHA1 only.
     [Steve Henson]

  *) Add protection against ECDSA timing attacks as mentioned in the paper
     by Billy Bob Brumley and Nicola Tuveri, see:

	http://eprint.iacr.org/2011/232.pdf

(from http://www.openssl.org/news/changelog.html)

msg152181 - Author: Nadeem Vawda (nadeem.vawda) (Python committer) Date: 2012-01-28 19:02
Might it be a distribution-specific issue, then? I'm running Ubuntu and
IIRC you're using Mageia?

msg152182 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2012-01-28 19:05
> Might it be a distribution-specific issue, then? I'm running Ubuntu and
> IIRC you're using Mageia?

Yes, I'm using Mageia. It would be nice if you could take a look at
Ubuntu's or Debian's OpenSSL patches (if any).

msg152184 - Author: Nadeem Vawda (nadeem.vawda) (Python committer) Date: 2012-01-28 19:50
I can't see anything in the Ubuntu patches (available from
<https://launchpad.net/ubuntu/+source/openssl/1.0.0e-2ubuntu4>)
that relates to networking or handshakes, so maybe it's not that.
I could be wrong, though - I've never used OpenSSL myself.

History
Date                 User          Action  Args
2012-01-28 19:50:07  nadeem.vawda  set     messages: + msg152184
2012-01-28 19:05:14  pitrou        set     messages: + msg152182
2012-01-28 19:02:15  nadeem.vawda  set     messages: + msg152181
2012-01-28 18:55:08  pitrou        set     messages: + msg152180
2012-01-28 18:52:17  pitrou        set     messages: + msg152179
2012-01-28 18:50:44  nadeem.vawda  set     messages: + msg152178
2012-01-28 18:46:04  pitrou        set     messages: + msg152177
2012-01-28 16:52:44  nadeem.vawda  create