homepage

Please, is it possible to put more information about the purpose parameter to the documentation of ssl.create_default_context()? It's not obvious that SERVER_AUTH should be used for client sockets and not server sockets. It took me a while to discover this, while all I was getting was only "SSLEOFError: EOF occurred in violation of protocol" (which is also not helpful).
This is especially confusing, because OpenSSL uses serverAuth and clientAuth (for extendedKeyUsage configuration) in the exactly opposite meaning.

Python uses serverAuth and clientAuth in the exact same meaning as EKU (extended key usage). In order to create X.509 cert for a web server, it should have EKU "SSL/TLS Web Server Authentication". On the other hand a client must validate the cert for a specific purpose, too. So the client creates a context with purpose SERVER_AUTH. This loads only trust anchors which are flagged with EKU "SSL/TLS Web Server Authentication".
For TLS/SSL server it is the other way around. The server side uses a context with CLIENT_AUTH to load only root certs that can validate client certs. Other purposes aren't supported because Python's ssl does neither support S/MIME nor code signing.
https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_default_certs explains the purpose flags, too.