Defer ssl wrap until after accept()

ssl wrap prior to accept causes accept() to be too complicated to stay in the
persistent thread and makes key changes require restart to pickup.  Call
the wrap_socket within the dedicated client thread so that it gets up to date
at the right time and picks up certificate changes in a timely fashion.

confluent_server/confluent/sockapi.py

@@ -197,16 +197,20 @@ def _tlshandler():
     plainsocket = socket.socket(socket.AF_INET6)
     plainsocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
     plainsocket.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
-    srv = ssl.wrap_socket(plainsocket, keyfile="/etc/confluent/privkey.pem",
+    plainsocket.bind(('::', 13001, 0, 0))
+    plainsocket.listen(5)
+    while (1):  # TODO: exithook
+        cnn, addr = plainsocket.accept()
+        eventlet.spawn_n(_tlsstartup, cnn)
+
+
+def _tlsstartup(cnn):
+    authname = None
+    cnn = ssl.wrap_socket(cnn, keyfile="/etc/confluent/privkey.pem",
                           certfile="/etc/confluent/srvcert.pem",
                           ssl_version=ssl.PROTOCOL_TLSv1,
                           server_side=True)
-    srv.bind(('::', 13001, 0, 0))
-    srv.listen(5)
-    authname = None
-    while (1):  # TODO: exithook
-        cnn, addr = srv.accept()
-        eventlet.spawn_n(sessionhdl, cnn, authname)
+    sessionhdl(cnn, authname)
 
 
 def _unixdomainhandler():