ensure ssl_sock is closed if assert_fingerprint or match_hostname fail

[graingert]

Closes #2991
Closes #2999

extracted from #2842

this doesn't need a backport to v1.26 because the issue was introduced in ea96fde

[sethmlarson]

LGTM, thanks @graingert for finding and fixing this!

[pquentin]

This does fix the error nicely, and I did not initially understand why. But @graingert explained on Discord that "The problem is they are using a single threaded server and the socket is being kept open by a reference in the traceback". That was still cryptic to me, so here's an attempt on a more detailed explanation.

• When _assert_fingerprint or _match_hostname fail, they raise an exception. A traceback is attached to that exception, and the traceback keeps a reference to the socket.
• urllib3 keeps a reference to that exception to include it in the MaxRetryError exception it will eventually raise. This means the garbage collector will not close the socket on its own, which means the connection will be kept open.
• pytest-httpserver and pytest-localserver are single threaded and can only accept one request at a time. So when urllib3 retries, it won't be able to open a connection, because the server is waiting for the previous try to finish. That's a deadlock!

When we disable retries, the situation is similar. The test passes, but I think pytest somehow keeps a reference to the exception, which means that the server cannot shutdown, so its fixture never finishes, so the test suite hangs too.