From the output you supplied, you appear to be using Python 3.6.0 from the python.org macOS binary installer.  Please read the ReadMe.rtf file for the installer which should have been displayed when you installed Python 3.6; a copy of it is also installed in /Applications/Python 3.6.  You can read it by double-clicking on the icon in the Finder or by entering the following shell command:

open "/Applications/Python 3.6/ReadMe.rtf"

In it, the section on "Certificate verification and OpenSSL" notes that, as of the 3.6.0 installer, the Python supplied no longer links with the deprecated Apple-supplied system OpenSSL libraries but rather supplies a private copy of OpenSSL 1.0.2 which does not automatically access the system default root certificates.  "For 3.6.0, a sample command script is included in /Applications/Python 3.6 to install a curated bundle of default root certificates from the third-party certifi package (https://pypi.python.org/pypi/certifi).  If you choose to use certifi, you should consider subscribing to the project's email update service to be notified when the certificate bundle is updated."  You can run the command script by double-clicking on it or by entering the shell command:

open "/Applications/Python 3.6/Install Certificates.command"

If necessary, you can adapt the script for other options rather than using the certifi-supplied bundle.  For later releases, other standard options will likely be provided.

I don't understand your comment that using the system openssl command doesn't work, e.g. "openssl s_client -connect www.python.org:443".  The output you supply appears to show it working as expected.  But, in any case, that's not relevant to the Python 3.6 usage as different OpenSSL versions and libraries are being used.

Also note that this description only applies to the Python 3.6 supplied by the python.org macOS installer.  mscOS Pythons supplied by third-party distributors likely link with each distributor's version of OpenSSL and follow their root certificate policies.