I've played with it a little and have a more general question: Don't we want to fail on any SSL error now? Right now, re-raising the exception is based only on the is_cert_error validator, but probably most SSL errors are not recoverable (my typical case is the Fedora ssllogin page and SSL_HANDSHAKE_FAILURE). So, maybe an enumeration of the exceptions we believe are terminal, or just fail on any SSL error? Either of these is different from the previous behaviour (some SSL errors were silently masked).
This work is more of a direct port of the existing code, so this is a separate question.
That said... maybe. The question is: is it possible for some strange network behavior or transient httpd misbehavior to result in an SSL exception?
Also, I think perhaps we may want different retry behavior in different circumstances, e.g. the first call, vs. later calls, vs. the sslLogin call.