Context

Add option to prefer stdlib ssl over pyopenssl. Currently pymongo always attempts to use pyopenssl when it's installed which is not always what the user wants. See https://github.com/mongodb/mongo-python-driver/pull/1666 :

Another problem remains: if an older version of PyOpenSSL is already installed by anything else than pip install "pymongo[ocsp]", the ssl_support.py still defaults to using pymongo.pyopenssl_context over pymongo.ssl_context (standard library SSL). Instead of blindly importing pyOpenSSL, ssl_support.py should be able to check whether the installed version meets the requirements. Any suggestions on how this should be checked?

Definition of done

Perhaps something like:

MongoClient(tlsLib="stdlib") # Only uses ssl module
MongoClient(tlsLib="pyopenssl") # Only uses pyopenssl module
MongoClient(tlsLib="pyopenssl,stdlib")  # Uses pyopenssl is installed, falls back to stdlib ssl.

Alternatively we could make this configurable via an environment variable:

$ PYMONGO_TLS_LIB=ssl python app.py

The API should be able to accommodate a future where we add a new TLS implementation using another library.

Pitfalls

Currently, the fact that we use pyopenssl is just an implementation detail but after this change it will leak into the API.