homepage

_ssl.sslwrap() has 3 filename arguments: key_file, cert_file and cacerts_file. It uses "z" format to parse them.
Attached patch uses PyUnicode_FSConverter() to support surrogates, bytes and bytearray. It fixes also test_decode_certificate() function.

Some comments:
- your ssl_convert_filename() function has a strange signature
- using PyByteArray_AsString() is wrong, we release the GIL later and the buffer could be reallocated, leading to a crash; the right approach is to use PyObject_GetBuffer() and later PyBuffer_Release()
- as such, your function could simply return the bytes/bytearray PyObject *, and not fill the char * pointer
- adding tests for both the bytes and unicode cases would be nice

key_file and cert_file are mandatory (see newPySSLObject()) and bytearray are now more accepted by PyUnicode_FSConverter() (see #8485). New version of the patch is simpler and shorter.
Support bytearray is a little bit to much complex for me (because of the GIL and bytearray lock), I prefer to leave 3.1 unchanged (I will not backport this patch).

> key_file and cert_file are mandatory
No, they are not. Not for a client connection, at least.
Also, please add at least a simple test.

Most of this should be solved if the patch in issue8550 gets accepted. As for test_decode_certificate, it seems it isn't used anywhere, and could therefore be deleted.

I commited the fix on _ssl._test_decode_cert() as r81237 (py3k, blocked in 3.1: r81238). Issue #8550 got accepted and uses PyUnicode_FSConverter for the filenames (except _ssl._test_decode_cert() which is now fixed).

Oh, I forgot to patch RAND_egd()! Fixed: r81239 (py3k, blocked in 3.1: r81240).
The whole ssl module should now be fully "str+surrogates/bytes filenames" compliant :-)