Close SSL sockets when connections/validations fail (#3318)

Handle more cases of failure when initializing SSL sockets, and make
sure no socket is left unclosed in case of errors.

Fixes #3317

Author: kurtmckee

CHANGES

@@ -65,6 +65,7 @@
     * Add `sum` to DUPLICATE_POLICY documentation of `TS.CREATE`, `TS.ADD` and `TS.ALTER`
     * Prevent async ClusterPipeline instances from becoming "false-y" in case of empty command stack (#3061)
     * Close Unix sockets if the connection attempt fails. This prevents `ResourceWarning`s. (#3314)
+    * Close SSL sockets if the connection attempt fails, or if validations fail. (#3317)
 
 * 4.1.3 (Feb 8, 2022)
   * Fix flushdb and flushall (#1926)

redis/connection.py

@@ -819,7 +819,7 @@ def _connect(self):
         sock = super()._connect()
         try:
             return self._wrap_socket_with_ssl(sock)
-        except OSError:
+        except (OSError, RedisError):
             sock.close()
             raise
 
@@ -854,7 +854,6 @@ def _wrap_socket_with_ssl(self, sock):
             context.minimum_version = self.ssl_min_version
         if self.ssl_ciphers:
             context.set_ciphers(self.ssl_ciphers)
-        sslsock = context.wrap_socket(sock, server_hostname=self.host)
         if self.ssl_validate_ocsp is True and CRYPTOGRAPHY_AVAILABLE is False:
             raise RedisError("cryptography is not installed.")
 
@@ -864,6 +863,8 @@ def _wrap_socket_with_ssl(self, sock):
                 "- not both."
             )
 
+        sslsock = context.wrap_socket(sock, server_hostname=self.host)
+
         # validation for the stapled case
         if self.ssl_validate_ocsp_stapled:
             import OpenSSL