Message66827
Hi Bill,
When I include the server certificate in ca_certs, verification
succeeds, and I can view the peer certificate dict with getpeercert(False).
When I set ca_certs to none and ssl.CERT_NONE, I can still call
getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM
certificate.
SSL is all new to me, so forgive me if I talk nonsense, but what I'm
trying to do is the following:
I receive a key from Bob which is a digest of his server's certificate.
To make sure I'm really talking to Bob I need to decrypt his server's
signature with his public key and check the resulting digest against my
key. So I have to ignore failures like
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like
X509_V_ERR_CERT_SIGNATURE_FAILURE.
The idea is based on what foolscap is doing with FURLs
(http://foolscap.lothar.com/trac)
Am I making sense?

| Date | User | Action | Args |
|---|---|---|---|
| 2008-05-14 19:51:50 | ruben | set | spambayes_score: 0.0425188 -> 0.0425188 recipients: + ruben, janssen |
| 2008-05-14 19:51:48 | ruben | set | spambayes_score: 0.0425188 -> 0.0425188 messageid: <1210794708.63.0.0984724284658.issue2838@psf.upfronthosting.co.za> |
| 2008-05-14 19:51:47 | ruben | link | issue2838 messages |
| 2008-05-14 19:51:43 | ruben | create | |
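The digest check described in the message, as an added example that is not part of the original message or of the tracker issue: the client connects with ssl.CERT_NONE, reads the raw certificate with getpeercert(True) and accepts the connection only if its digest equals the value received out of band. It assumes the key is a SHA-256 hex digest of the DER certificate (the message does not name the digest); `cert_fingerprint`, `matches_pin`, `connect_pinned` and the sample bytes are hypothetical names and constructed values.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 digest of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare the certificate digest with the pinned value in constant time."""
    # Accept "AA:BB:..." as well as plain hex, in either case.
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(cert_fingerprint(der_cert).encode(),
                               normalized.encode())


def connect_pinned(host: str, port: int, pinned_hex: str) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the peer certificate matches the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Chain validation is off on purpose: the pin replaces the CA check, so a
    # self-signed certificate is accepted if and only if its digest matches.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    try:
        # binary_form=True returns the DER bytes even with CERT_NONE.
        der = sock.getpeercert(binary_form=True)
        if der is None or not matches_pin(der, pinned_hex):
            raise ssl.SSLError("peer certificate does not match pinned digest")
    except Exception:
        sock.close()  # never hand an unverified connection to the caller
        raise
    return sock


# Constructed stand-in for DER bytes (not a real certificate) so the digest
# comparison can be exercised offline.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PIN = cert_fingerprint(SAMPLE_DER)
```

The completed handshake already proves the peer holds the private key for the certificate it presented, so matching the digest of that certificate is the only check the client adds; no application data should be sent before `connect_pinned` returns.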