The discussion in http://bugs.python.org/issue28022 makes it clear that ssl.wrap_socket will be changed in a backward breaking way or removed completely in a forthcoming python release. PyMongo 2.x uses that function for TLS support with all Python versions. We should use ssl.SSLContext when it's available and our fake SSLContext from PyMongo 3.x when it's not.

ssl.PROTOCOL_TLS_CLIENT was added in Python 3.6 related to support for OpenSSL 1.1. ssl.PROTOCOL_SSLv23 is now deprecated. Create SSLContext like this:

ctx = SSLContext(getattr(ssl, 'PROTOCOL_TLS_CLIENT', ssl.PROTOCOL_SSLv23))

Though PROTOCOL_TLS was added at the same time as PROTOCOL_TLS_CLIENT, http://bugs.python.org/issue28085 makes it clear that PROTOCOL_TLS won't be available for long, so we shouldn't use it.

PROTOCOL_TLS_CLIENT enables a number of features by default that PyMongo 2.x has disabled by default . We have to ensure that we don't change behavior when using PROTOCOL_TLS_CLIENT.

PROTOCOL_TLS_CLIENT enables SSLContext.check_hostname by default. This causes the context object to call match_hostname in its do_handshake routine. It also forces the use of SNI. We already call match_hostname ourselves when creating a new socket. We'll have to make sure match_hostname isn't being called twice, once by us and once by SSLContext.