> The only way to reliably implement the documented wrap_socket API
> might thus be to maintain a flag in PySocketSockObject.

Agreed. With the annoyance that the flag must be exposed to Python code,
since ssl's wrap_socket is written in Python. It may be private, though.

> Introducing a new and more explicit way of wrapping connected sockets
> might be a simpler and more stable solution.

I'm a bit wary of API bloat here.

> From another perspective: Any user of sockets must be aware that
> socket operations can fail at any time. It might thus not be a problem
> that wrap_socket fails to fail, as long as the programmer knows how to
> catch the failure in the next operation. From that point of view the
> problem is that it is surprising and undocumented how getpeercert can
> fail.

Thanks. So fixing how getpeercert behaves and either raise a dedicated
error or return None would improve things here, right?