Issue793553
Created on 2003-08-23 00:15 by jjlee, last changed 2006-07-30 00:42 by nobody. This issue is now closed.
Files

| File name | Uploaded | Description |
|---|---|---|
| urllib_auth_patch | jjlee, 2003-08-23 00:15 | |
| ssl-client.py | nobody, 2006-07-30 00:42 | |

| Messages (6) | |||
|---|---|---|---|
| msg44501 - (view) | Author: John J Lee (jjlee) | Date: 2003-08-23 00:15 | |
urllib docs for URLOpener say:

Additional keyword parameters, collected in x509, are used for authentication with the https: scheme. The keywords key_file and cert_file are supported; both are needed to actually retrieve a resource at an https: URL.

They're not needed, and the certificate is never checked, because _ssl.c doesn't check it (which is documented in the socket.ssl docs).

A doc patch is attached.
|||
| msg44502 - (view) | Author: Martin v. Löwis (loewis) | Date: 2003-08-31 16:16 | |
Logged In: YES user_id=21627

Isn't the purpose of these arguments client-side authentication?
|||
| msg44503 - (view) | Author: John J Lee (jjlee) | Date: 2003-08-31 18:09 | |
Logged In: YES user_id=261020

<Googles for x509> Ah. That appears to be true. In that case, do you agree that the following is still wrong (taken from urllib.URLOpener docs)?

Additional keyword parameters, collected in x509, are used for authentication with the https: scheme. The keywords key_file and cert_file are supported; both are needed to actually retrieve a resource at an https: URL.

You don't need either dict entry for opening most https: URLs. Also, it gives no clue that x509 is for client authentication, and that server authentication is not done.
|||
| msg44504 - (view) | Author: Martin v. Löwis (loewis) | Date: 2003-08-31 18:27 | |
Logged In: YES user_id=21627

Sure, I agree the current documentation is wrong. It would be good to test the feature before correcting the documentation, though.
|||
| msg44505 - (view) | Author: Fred L. Drake, Jr. (fdrake) | Date: 2006-06-10 20:20 | |
Logged In: YES user_id=3066

This should be handled by someone who knows something about the SSL API. I'm not at all sure why I assigned it to myself to begin with.
|||
| msg44506 - (view) | Author: Nobody/Anonymous (nobody) | Date: 2006-07-30 00:42 | |
Logged In: NO

Patch applied to docs in rev. 50962.

The feature of providing a client cert does seem to work. I verified this by running "openssl s_server -accept 8000 -www -cert server.cert -key server.key -verify 1" to provide a server on port 8000, and then running the attached client script. (You'll need to generate client and server keys and certs first.) On running the script, the server prints messages showing that it's received a certificate.

Therefore, I'm closing this patch.
|||
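
The distinction this thread arrives at (key_file and cert_file authenticate the client, while the server's certificate goes unchecked) written against the modern `ssl` module. This is an added example, not part of the original issue or the attached ssl-client.py; the function names are illustrative assumptions.

```python
import ssl
import urllib.request


def legacy_style_context(cert_file=None, key_file=None):
    """Behaviour the thread describes: a client certificate may be presented,
    but the server's certificate is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # no server authentication
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)  # client authentication only
    return ctx


def verifying_context(cert_file=None, key_file=None, cafile=None):
    """Same optional client certificate, with server authentication enabled."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def server_auth_findings(ctx):
    """Report which server-authentication checks a context leaves out."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the server certificate")
    return findings


def open_url(url, ctx):
    """Fetch url over HTTPS using the given context."""
    return urllib.request.urlopen(url, context=ctx)


if __name__ == "__main__":
    for name, ctx in (("legacy-style", legacy_style_context()),
                      ("verifying", verifying_context())):
        print(name, server_auth_findings(ctx) or "server is authenticated")
```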
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2003-08-23 00:15:01 | jjlee | create | |
