Turns out the exception propagation here works after all
diff --git a/OpenSSL/ssl/context.c b/OpenSSL/ssl/context.c
index ebaf164..98cc01c 100644
--- a/OpenSSL/ssl/context.c
+++ b/OpenSSL/ssl/context.c
@@ -101,10 +101,8 @@
 
     if (ret == NULL) {
         /*
-         * XXX The callback raised an exception.  At the very least, it should
-         * be printed out here.  An *actual* solution would be to raise it up
-         * through OpenSSL.  That might be a bit tricky, but it's probably
-         * possible. -exarkun
+         * The callback raised an exception.  It will be raised by whatever
+         * Python API triggered this callback.
          */
         goto out;
     }
@@ -119,9 +117,9 @@
 
     if (!PyString_Check(ret)) {
         /*
-         * XXX Returned something that wasn't a string.  This is bogus.  We
-         * should report an error or raise an exception (again, through OpenSSL
-         * - tricky). -exarkun
+         * XXX Returned something that wasn't a string.  This is bogus.  We'll
+         * return 0 and OpenSSL will treat it as an error, resulting in an
+         * exception from whatever Python API triggered this callback.
          */
         Py_DECREF(ret);
         goto out;
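Review bot: The non-string branch reaches `goto out` without setting a Python exception, so the new comment's promise of "an exception from whatever Python API triggered this callback" depends entirely on OpenSSL treating the 0 return as a failure and on the caller converting that into an error. Setting the error here makes the failure explicit and gives the caller a usable message: add `PyErr_SetString(PyExc_TypeError, "passphrase callback must return a string");` before `Py_DECREF(ret);`. The leftover `XXX` marker can be dropped once that is done, and a test whose callback returns a non-string would pin the behaviour the comment describes. The function body and the `out` label are outside the hunk, so the return value on this path is taken from the comment rather than verified.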
@@ -130,8 +128,9 @@
     len = PyString_Size(ret);
     if (len > maxlen) {
         /*
-         * XXX Returned more than we said they were allowed to return.  Report
-         * an error or raise an exception (tricky blah blah). -exarkun
+         * Returned more than we said they were allowed to return.  Just
+         * truncate it.  Might be better to raise an exception,
+         * instead. -exarkun
          */
         len = maxlen;
     }
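Review bot: `len = maxlen;` silently hands OpenSSL a different secret from the one the callback returned, so a key written through this path would be protected by the truncated passphrase, and a key read through it would most likely fail with a generic decryption error rather than a length error. Failing closed is safer than truncating: inside the `if (len > maxlen)` branch, replace the assignment with `PyErr_SetString(PyExc_ValueError, "passphrase returned by callback is too long");`, `Py_DECREF(ret);` and `goto out;`, matching the non-string branch above. The rest of the function, including the copy into the buffer and the `out` label, is outside the hunk.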