- Type: Improvement
- Resolution: Done
- Priority: Minor - P4
- Affects Version/s: None
- Component/s: None
ssl.PROTOCOL_TLS_CLIENT was added in Python 3.6 related to support for OpenSSL 1.1. ssl.PROTOCOL_SSLv23 is now deprecated. Create SSLContext like this:
import ssl
ctx = ssl.SSLContext(getattr(ssl, 'PROTOCOL_TLS_CLIENT', ssl.PROTOCOL_SSLv23))
Though PROTOCOL_TLS was added at the same time as PROTOCOL_TLS_CLIENT, http://bugs.python.org/issue28085 makes it clear that PROTOCOL_TLS won't be available for long, so we shouldn't use it.
PROTOCOL_TLS_CLIENT enables SSLContext.check_hostname by default. This causes the context object to call match_hostname in its do_handshake routine. We already call match_hostname ourselves when creating a new socket. We'll have to make sure match_hostname isn't being called twice, once by us and once by SSLContext.
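The following is an added example, not code from this ticket or the project: it shows the defaults each protocol constant gives a context and one way to decide who performs the hostname check so that it runs exactly once. The function names (make_client_context, legacy_context, hostname_checked_by) are hypothetical.

```python
import ssl
import warnings


def make_client_context(verify=True):
    """Client context built the way the ticket proposes."""
    ctx = ssl.SSLContext(getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23))
    if verify:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_default_certs()
    else:
        # Order matters: with check_hostname still enabled, assigning
        # CERT_NONE raises ValueError, so clear check_hostname first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def legacy_context():
    """Context built with the deprecated constant, for comparison."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    # Legacy default is CERT_NONE with check_hostname off; require a cert here.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hostname_checked_by(ctx):
    """Say which party must verify the hostname for this context."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "none"        # no certificate is validated at all
    if getattr(ctx, "check_hostname", False):
        return "handshake"   # SSLContext matches it; caller must not repeat it
    return "caller"          # caller must match the hostname after the handshake


if __name__ == "__main__":
    for name, ctx in (("TLS_CLIENT", make_client_context()),
                      ("SSLv23", legacy_context()),
                      ("unverified", make_client_context(verify=False))):
        print(name, ctx.check_hostname, ctx.verify_mode.name,
              hostname_checked_by(ctx))
```

When hostname_checked_by returns "handshake", the socket must be wrapped with server_hostname set, otherwise wrap_socket raises ValueError.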