I was mistaken about what test_wrong_cert() is doing. It tells the _server_ to check the _client’s_ certificate (the opposite way around from HTTPS for example). Now I understand this, I see it is fine for the client to raise ECONNRESET if the server rejected its certificate.

In separate-test.patch, I decoupled test_wrong_cert() from the other three bad_cert_test() tests because they are testing different stuff. Changes to test_wrong_cert():

* Fix ResourceWarning in my previous change by closing the SSL socket
* Catch socket.error rather than OSError to fix the buildbot failures in 2.7 (The change does nothing in Python 3 because they are aliases.)
* Make test_wrong_cert() stricter by only allowing ECONNRESET or SSLError

Changes to the other three tests:

* Moved them to BasicSocketTests and do not run a server
* Only accept SSLError from wrap_socket(), drop OSError handling and connect() call