Jump to solution
Verify

httpx HTTPS proxies support (Fix)

Fixed
Spec
Package
httpx
Fixed In
0.25.0
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.56
#1434 ai tls Updated: 2026-02-13
Issue #1434

The Fix

Upgrade to version 0.25.0 or later.

Based on closed encode/httpx issue #1434 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit
@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Added +* Support HTTPS proxies. (#2845) * Change the type of `Extensions` from `Mapping[Str, Any]` to `MutableMapping[Str, Any]`. (#2803) * Add `socket_options` argument to `httpx.HTTPTransport` and `httpx.AsyncHTTPTransport` classes. (#2716)
repro.py
import certifi import urllib3 from urllib3.util.ssl_ import create_urllib3_context proxy_ssl_context = create_urllib3_context() proxy_ssl_context.load_verify_locations("client.pem") http = urllib3.ProxyManager( 'https://127.0.0.1:6000/', ca_certs=certifi.where(), proxy_ssl_context=proxy_ssl_context ) r = http.request('GET', 'https://example.com/', retries=False) print(r.status)
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.25.0 or later.\nWhen NOT to use: This fix is not suitable for non-HTTPS proxy configurations.\n\n

Why This Fix Works in Production

  • Trigger: * HTTPS proxy: a proxy server that supports connecting to it via HTTPS. Only HTTPS requests are supported, and _must_ (?) be tunneled (TLS-in-TLS). — This is…
  • Mechanism: HTTPX does not properly support HTTPS proxies, lacking the necessary TLS-in-TLS implementation
  • Why the fix works: Adds support for HTTPS proxies in httpx by providing an API for the feature now supported by httpcore. (first fixed release: 0.25.0).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • HTTPX does not properly support HTTPS proxies, lacking the necessary TLS-in-TLS implementation
  • Production symptom (often without a traceback): * HTTPS proxy: a proxy server that supports connecting to it via HTTPS. Only HTTPS requests are supported, and _must_ (?) be tunneled (TLS-in-TLS). — This is what seems to be missing still. :x:

Proof / Evidence

  • GitHub issue: #1434
  • Fix PR: https://github.com/encode/httpx/pull/2845
  • First fixed release: 0.25.0
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.56

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“@ech0-py Well, then it seems like you *don't* want to use proxies in that case? Just send a request to the target host, as you…”
@florimondmanca · 2020-12-22 · confirmation · source
“If it helps in any way, we have added secure proxies support in the latest version of httpx-socks”
@romis2012 · 2021-11-25 · source
“@florimondmanca I think you're right. But in such case I need to setup NSS (nsswitch.conf) at least which requires sudo. Is it ok to continue…”
@ech0-py · 2020-12-22 · source
“i am working on this.Made fair progress .Will raise pr in next 1-2 weeks for sure.The tls-in-tls concept is roughly working.”
@thisisamardeep · 2021-10-30 · source

Failure Signature (Search String)

  • * HTTPS proxy: a proxy server that supports connecting to it via HTTPS. Only HTTPS requests are supported, and _must_ (?) be tunneled (TLS-in-TLS). — This is what seems to be
  • We've seen reports of issues recently such as #1424 and #1428 that reveal that our proxies implementation does not properly support HTTPS proxies yet.
Copy-friendly signature
signature.txt
Failure Signature ----------------- * HTTPS proxy: a proxy server that supports connecting to it via HTTPS. Only HTTPS requests are supported, and _must_ (?) be tunneled (TLS-in-TLS). — This is what seems to be missing still. :x: We've seen reports of issues recently such as #1424 and #1428 that reveal that our proxies implementation does not properly support HTTPS proxies yet.

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- * HTTPS proxy: a proxy server that supports connecting to it via HTTPS. Only HTTPS requests are supported, and _must_ (?) be tunneled (TLS-in-TLS). — This is what seems to be missing still. :x: We've seen reports of issues recently such as #1424 and #1428 that reveal that our proxies implementation does not properly support HTTPS proxies yet.

Minimal Reproduction

repro.py
import certifi import urllib3 from urllib3.util.ssl_ import create_urllib3_context proxy_ssl_context = create_urllib3_context() proxy_ssl_context.load_verify_locations("client.pem") http = urllib3.ProxyManager( 'https://127.0.0.1:6000/', ca_certs=certifi.where(), proxy_ssl_context=proxy_ssl_context ) r = http.request('GET', 'https://example.com/', retries=False) print(r.status)

What Broke

Clients experience failures when attempting to connect to HTTPS proxies, resulting in connection errors.

Why It Broke

HTTPX does not properly support HTTPS proxies, lacking the necessary TLS-in-TLS implementation

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

Upgrade to version 0.25.0 or later.

When NOT to use: This fix is not suitable for non-HTTPS proxy configurations.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/encode/httpx/pull/2845

First fixed release: 0.25.0

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix is not suitable for non-HTTPS proxy configurations.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
0.25.0 Fixed

Related Issues

No related fixes found.

Cluster: httpx:configuration-error All hubs All clusters
Related clusters: Data consistency Other Timeout

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #1434. Not affiliated with the library maintainers. Verify before production use.