> Regardless, building a fixed test certificate and checking it in sounds like

> the better option.  Then the openssl command in the test code can be turned
> into a comment describing how the test data was pregenerated.

Here's a patch that does that.

Bill

Lib/test/keycert.pem

@@ -0,0 +1,32 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQC8ddrhm+LutBvjYcQlnH21PPIseJ1JVG2HMmN2CmZk2YukO+9L
+opdJhTvbGfEj0DQs1IE8M+kTUyOmuKfVrFMKwtVeCJphrAnhoz7TYOuLBSqt7lVH
+fhi/VwovESJlaBOp+WMnfhcduPEYHYx/6cnVapIkZnLt30zu2um+DzA9jQIDAQAB
+AoGBAK0FZpaKj6WnJZN0RqhhK+ggtBWwBnc0U/ozgKz2j1s3fsShYeiGtW6CK5nU
+D1dZ5wzhbGThI7LiOXDvRucc9n7vUgi0alqPQ/PFodPxAN/eEYkmXQ7W2k7zwsDA
+IUK0KUhktQbLu8qF/m8qM86ba9y9/9YkXuQbZ3COl5ahTZrhAkEA301P08RKv3KM
+oXnGU2UHTuJ1MAD2hOrPxjD4/wxA/39EWG9bZczbJyggB4RHu0I3NOSFjAm3HQm0
+ANOu5QK9owJBANgOeLfNNcF4pp+UikRFqxk5hULqRAWzVxVrWe85FlPm0VVmHbb/
+loif7mqjU8o1jTd/LM7RD9f2usZyE2psaw8CQQCNLhkpX3KO5kKJmS9N7JMZSc4j
+oog58yeYO8BBqKKzpug0LXuQultYv2K4veaIO04iL9VLe5z9S/Q1jaCHBBuXAkEA
+z8gjGoi1AOp6PBBLZNsncCvcV/0aC+1se4HxTNo2+duKSDnbq+ljqOM+E7odU+Nq
+ewvIWOG//e8fssd0mq3HywJBAJ8l/c8GVmrpFTx8r/nZ2Pyyjt3dH1widooDXYSV
+q6Gbf41Llo5sYAtmxdndTLASuHKecacTgZVhy0FryZpLKrU=
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICpzCCAhCgAwIBAgIJAP+qStv1cIGNMA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD
+VQQGEwJVUzERMA8GA1UECBMIRGVsYXdhcmUxEzARBgNVBAcTCldpbG1pbmd0b24x
+IzAhBgNVBAoTGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMQwwCgYDVQQLEwNT
+U0wxHzAdBgNVBAMTFnNvbWVtYWNoaW5lLnB5dGhvbi5vcmcwHhcNMDcwODI3MTY1
+NDUwWhcNMTMwMjE2MTY1NDUwWjCBiTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCERl
+bGF3YXJlMRMwEQYDVQQHEwpXaWxtaW5ndG9uMSMwIQYDVQQKExpQeXRob24gU29m
+dHdhcmUgRm91bmRhdGlvbjEMMAoGA1UECxMDU1NMMR8wHQYDVQQDExZzb21lbWFj
+aGluZS5weXRob24ub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8ddrh
+m+LutBvjYcQlnH21PPIseJ1JVG2HMmN2CmZk2YukO+9LopdJhTvbGfEj0DQs1IE8
+M+kTUyOmuKfVrFMKwtVeCJphrAnhoz7TYOuLBSqt7lVHfhi/VwovESJlaBOp+WMn
+fhcduPEYHYx/6cnVapIkZnLt30zu2um+DzA9jQIDAQABoxUwEzARBglghkgBhvhC
+AQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADgYEAF4Q5BVqmCOLv1n8je/Jw9K669VXb
+08hyGzQhkemEBYQd6fzQ9A/1ZzHkJKb1P6yreOLSEh4KcxYPyrLRC1ll8nr5OlCx
+CMhKkTnR6qBsdNV0XtdU2+N25hqW+Ma4ZeqsN/iiJVCGNOZGnvQuvCAGWF8+J/f/
+iHkC6gGdBJhogs4=
+-----END CERTIFICATE-----

Lib/test/test_ssl.py

@@ -22,7 +22,6 @@ except ImportError:
     skip_expected = True
 
 CERTFILE = None
-GMAIL_POP_CERTFILE = None
 
 
 def handle_error(prefix):
@@ -298,12 +297,15 @@ organizationalUnitName_default  = %(unit)s
 nsCertType = server
 """
 
-def create_cert_files():
+def create_cert_files(hostname=None):
+
+    """This is the routine that was run to create the certificate
+    and private key contained in keycert.pem."""
 
     import tempfile, socket, os
     d = tempfile.mkdtemp()
     # now create a configuration file for the CA signing cert
-    fqdn = socket.getfqdn()
+    fqdn = hostname or socket.getfqdn()
     crtfile = os.path.join(d, "cert.pem")
     conffile = os.path.join(d, "ca.conf")
     fp = open(conffile, "w")
@@ -316,7 +318,7 @@ def create_cert_files():
               })
     fp.close()
     error = os.system(
-        "openssl req -batch -new -x509 -days 10 -nodes -config %s "
+        "openssl req -batch -new -x509 -days 2000 -nodes -config %s "
         "-keyout \"%s\" -out \"%s\" > /dev/null < /dev/null 2>&1" %
         (conffile, crtfile, crtfile))
     # now we have a self-signed server cert in crtfile
@@ -324,7 +326,8 @@ def create_cert_files():
     if (os.WEXITSTATUS(error) or
         not os.path.exists(crtfile) or os.path.getsize(crtfile) == 0):
         if test_support.verbose:
-            sys.stdout.write("Unable to create certificate for test %d\n" % error)
+            sys.stdout.write("Unable to create certificate for test, "
+                             + "error status %d\n" % (error >> 8))
         crtfile = None
     elif test_support.verbose:
         sys.stdout.write(open(crtfile, 'r').read() + '\n')
@@ -336,7 +339,8 @@ def test_main(verbose=False):
         raise test_support.TestSkipped("socket module has no ssl support")
 
     global CERTFILE
-    tdir, CERTFILE = create_cert_files()
+    CERTFILE = os.path.join(os.path.dirname(__file__) or os.curdir,
+                            "keycert.pem")
     if not CERTFILE:
         sys.__stdout__.write("Skipping test_ssl ConnectedTests; "
                              "couldn't create a certificate.\n")
@@ -362,8 +366,6 @@ def test_main(verbose=False):
             # wait for it to stop
             server.join()
 
-    if tdir and os.path.isdir(tdir):
-        shutil.rmtree(tdir)
     test_support.threading_cleanup(*thread_info)
 
 if __name__ == "__main__":