By taking a look at ssl.py it seems that keyfile argument is ignored if certfile argument is not specified as well.
Here's an extract of ssl.py code:

class SSLSocket:

    def __init__(self, sock=None, keyfile=None, certfile=None,
                 server_side=False, cert_reqs=CERT_NONE,
                 ssl_version=PROTOCOL_SSLv23, ca_certs=None,
                 do_handshake_on_connect=True,
                 family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
                 suppress_ragged_eofs=True, ciphers=None,
                 _context=None):
        [...]
            if certfile and not keyfile:
                keyfile = certfile
        [...]
            if certfile:
                self.context.load_cert_chain(certfile, keyfile)

So at the current stage this:

>>> ssl.wrap_socket(socket.socket(), keyfile="XXX")
<ssl.SSLSocket object, fd=5, family=2, type=1, proto=0>

...would be equal to:

>>> ssl.wrap_socket(socket.socket())
<ssl.SSLSocket object, fd=5, family=2, type=1, proto=0>


To me this leads to one question: are there circumstances in which it makes sense to specify "keyfile" and *not* "certfile"?
As far as I know, on server-side it is always required to specify *at least* certfile argument, in which case this would represent a bug.
Not sure about client-side sockets.

Good catch. keyfile without certfile should be forbidden, and raise a ValueError.

Are we sure? Do we have a reference which states that?

Not really, but in previous versions it would fail as soon as you try to connect:

>>> s = ssl.wrap_socket(socket.socket(), keyfile="XXX")
>>> s.connect(("svn.python.org", 443))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/antoine/cpython/27/Lib/ssl.py", line 295, in connect
    self.ca_certs, self.ciphers)
ssl.SSLError: _ssl.c:289: Both the key & certificate files must be specified

It's better to catch the problem up-front, though. As for whether SSLError or ValueError should be preferred, I think ValueError is cleaner (it's really a bad use of the API).

Fixed in r84370.

I'm not sure which commit it is, but test_ssl has started failing on some buildbots:

======================================================================
ERROR: test_errors (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/srv/buildbot/buildarea/3.x.bolen-ubuntu/build/Lib/test/test_ssl.py", line 186, in test_errors
    s = ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE)
  File "/srv/buildbot/buildarea/3.x.bolen-ubuntu/build/Lib/ssl.py", line 414, in wrap_socket
    ciphers=ciphers)
  File "/srv/buildbot/buildarea/3.x.bolen-ubuntu/build/Lib/ssl.py", line 137, in __init__
    self.context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [Errno 185057381] _ssl.c:1609: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table

======================================================================
ERROR: test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/srv/buildbot/buildarea/3.x.bolen-ubuntu/build/Lib/test/test_ssl.py", line 80, in f
    return func(*args, **kwargs)
  File "/srv/buildbot/buildarea/3.x.bolen-ubuntu/build/Lib/test/test_ssl.py", line 1100, in test_protocol_sslv2
    try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
  File "/srv/buildbot/buildarea/3.x.bolen-ubuntu/build/Lib/test/test_ssl.py", line 969, in try_protocol_combo
    ctx.load_cert_chain(CERTFILE)
ssl.SSLError: [Errno 336445442] _ssl.c:1609: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib

See e.g. http://www.python.org/dev/buildbot/builders/x86%20Ubuntu%203.x/builds/1870

Actually, it started failing exactly after r84352 (issue #9706).