The Fix
Upgrade to version 0.18.2 or later.
Based on closed encode/httpx issue #1670 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -897,32 +897,35 @@ def _send_handling_auth(
) -> Response:
auth_flow = auth.sync_auth_flow(request)
- request = next(auth_flow)
+ try:
+ request = next(auth_flow)
repro.py
_______________________________________________________________________ test_default_default_headers _______________________________________________________________________
@pytest.mark.asyncio
async def test_default_default_headers():
config = Config(app=app, loop="asyncio", limit_max_requests=1)
async with run_server(config):
async with httpx.AsyncClient() as client:
tests/test_default_headers.py:18:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
venv/lib/python3.10/site-packages/httpx/_client.py:1242: in __init__
self._transport = self._init_transport(
venv/lib/python3.10/site-packages/httpx/_client.py:1285: in _init_transport
ssl_context = create_ssl_context(verify=verify, cert=cert, trust_env=trust_env)
venv/lib/python3.10/site-packages/httpx/_config.py:49: in create_ssl_context
return SSLConfig(
venv/lib/python3.10/site-packages/httpx/_config.py:73: in __init__
self.ssl_context = self.load_ssl_context()
venv/lib/python3.10/site-packages/httpx/_config.py:85: in load_ssl_context
return self.load_ssl_context_verify()
venv/lib/python3.10/site-packages/httpx/_config.py:122: in load_ssl_context_verify
context = self._create_default_ssl_context()
venv/lib/python3.10/site-packages/httpx/_config.py:156: in _create_default_ssl_context
context = SSL.SSLContext(ssl.PROTOCOL_TLS)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
cls = <class 'ssl.SSLContext'>, protocol = ssl.PROTOCOL_TLS, args = (), kwargs = {}
def __new__(cls, protocol=None, *args, **kwargs):
if protocol is None:
warnings.warn(
"ssl module: "
"SSLContext() without protocol argument is deprecated.",
category=DeprecationWarning,
stacklevel=2
)
protocol = PROTOCOL_TLS
self = _SSLContext.__new__(cls, protocol)
E DeprecationWarning: ssl module: PROTOCOL_TLS is deprecated
/usr/lib/python3.10/ssl.py:501: DeprecationWarning
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.18.2 or later.\nWhen NOT to use: Do not use if it changes public behavior or if the failure cannot be reproduced.\n\n
Why This Fix Works in Production
- Trigger: uses deprecated ssl.PROTOCOL_TLS
- Mechanism: Replaces the deprecated ssl.PROTOCOL_TLS with ssl.PROTOCOL_TLS_CLIENT to address the deprecation warning in Python 3.10.
- Why the fix works: Replaces the deprecated ssl.PROTOCOL_TLS with ssl.PROTOCOL_TLS_CLIENT to address the deprecation warning in Python 3.10. (first fixed release: 0.18.2).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Shows up under Python 3.10 in real deployments (not just unit tests).
- Production symptom (often without a traceback): uses deprecated ssl.PROTOCOL_TLS
Proof / Evidence
- GitHub issue: #1670
- Fix PR: https://github.com/encode/httpx/pull/1687
- First fixed release: 0.18.2
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.39
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Could we start this off with a bit more context? I can see in the 3.10 release notes, that ssl.PROTOCOL_TLS becomes deprecated”
“> Please create a ticket on BPO. https://bugs.python.org/issue44362”
Failure Signature (Search String)
- uses deprecated ssl.PROTOCOL_TLS
- ssl_context = create_ssl_context(verify=verify, cert=cert, trust_env=trust_env)
Copy-friendly signature
signature.txt
Failure Signature
-----------------
uses deprecated ssl.PROTOCOL_TLS
ssl_context = create_ssl_context(verify=verify, cert=cert, trust_env=trust_env)
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
uses deprecated ssl.PROTOCOL_TLS
ssl_context = create_ssl_context(verify=verify, cert=cert, trust_env=trust_env)
Minimal Reproduction
repro.py
_______________________________________________________________________ test_default_default_headers _______________________________________________________________________
@pytest.mark.asyncio
async def test_default_default_headers():
config = Config(app=app, loop="asyncio", limit_max_requests=1)
async with run_server(config):
async with httpx.AsyncClient() as client:
tests/test_default_headers.py:18:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
venv/lib/python3.10/site-packages/httpx/_client.py:1242: in __init__
self._transport = self._init_transport(
venv/lib/python3.10/site-packages/httpx/_client.py:1285: in _init_transport
ssl_context = create_ssl_context(verify=verify, cert=cert, trust_env=trust_env)
venv/lib/python3.10/site-packages/httpx/_config.py:49: in create_ssl_context
return SSLConfig(
venv/lib/python3.10/site-packages/httpx/_config.py:73: in __init__
self.ssl_context = self.load_ssl_context()
venv/lib/python3.10/site-packages/httpx/_config.py:85: in load_ssl_context
return self.load_ssl_context_verify()
venv/lib/python3.10/site-packages/httpx/_config.py:122: in load_ssl_context_verify
context = self._create_default_ssl_context()
venv/lib/python3.10/site-packages/httpx/_config.py:156: in _create_default_ssl_context
context = SSL.SSLContext(ssl.PROTOCOL_TLS)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
cls = <class 'ssl.SSLContext'>, protocol = ssl.PROTOCOL_TLS, args = (), kwargs = {}
def __new__(cls, protocol=None, *args, **kwargs):
if protocol is None:
warnings.warn(
"ssl module: "
"SSLContext() without protocol argument is deprecated.",
category=DeprecationWarning,
stacklevel=2
)
protocol = PROTOCOL_TLS
self = _SSLContext.__new__(cls, protocol)
E DeprecationWarning: ssl module: PROTOCOL_TLS is deprecated
/usr/lib/python3.10/ssl.py:501: DeprecationWarning
Environment
- Python: 3.10
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
Upgrade to version 0.18.2 or later.
When NOT to use: Do not use if it changes public behavior or if the failure cannot be reproduced.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/encode/httpx/pull/1687
First fixed release: 0.18.2
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use if it changes public behavior or if the failure cannot be reproduced.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.18.2 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.