note: i thought i was looking at the ssl context, but that's actually the ssl object, not the ssl context. i think the context is process-wide, where as the object is connection-specific. real ctx appears to give access to e.g. ca cert chains.