PYTHON-2578 Improve clarity of TLS settings for KMS requests (#567)

Note that cert_reqs=None and cert_reqs=CERT_REQUIRED are identical
so this does not change any behavior.

(cherry picked from commit c15028a)

Author: ShaneHarvey

pymongo/encryption.py

@@ -49,11 +49,15 @@
 from pymongo.mongo_client import MongoClient
 from pymongo.pool import _configured_socket, PoolOptions
 from pymongo.read_concern import ReadConcern
-from pymongo.ssl_support import get_ssl_context
+from pymongo.ssl_support import get_ssl_context, HAVE_SSL
 from pymongo.uri_parser import parse_host
 from pymongo.write_concern import WriteConcern
 from pymongo.daemon import _spawn_daemon
 
+if HAVE_SSL:
+    from ssl import CERT_REQUIRED
+else:
+    CERT_REQUIRED = None
 
 _HTTPS_PORT = 443
 _KMS_CONNECT_TIMEOUT = 10  # TODO: CDRIVER-3262 will define this value.
@@ -107,7 +111,17 @@ def kms_request(self, kms_context):
         endpoint = kms_context.endpoint
         message = kms_context.message
         host, port = parse_host(endpoint, _HTTPS_PORT)
-        ctx = get_ssl_context(None, None, None, None, None, None, True, True)
+        # Enable strict certificate verification, OCSP, match hostname, and
+        # SNI using the system default CA certificates.
+        ctx = get_ssl_context(
+            None,  # certfile
+            None,  # keyfile
+            None,  # passphrase
+            None,  # ca_certs
+            CERT_REQUIRED,  # cert_reqs
+            None,  # crlfile
+            True,  # match_hostname
+            True)  # check_ocsp_endpoint
         opts = PoolOptions(connect_timeout=_KMS_CONNECT_TIMEOUT,
                            socket_timeout=_KMS_CONNECT_TIMEOUT,
                            ssl_context=ctx)