The Fix
Upgrade to version 0.7.3 or later.
Based on closed encode/httpx issue #376 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke-test critical endpoints (health, OpenAPI/docs) before going to 100%.
@@ -107,13 +107,6 @@ def __init__(
self.base_url = URL(base_url)
- if proxies is None and trust_env:
- proxies = typing.cast(ProxiesTypes, get_environment_proxies())
-
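Review bot: After `self.base_url = URL(base_url)`, the removed `if proxies is None and trust_env:` block has no visible replacement in this hunk for the `get_environment_proxies()` lookup. Confirm that the lookup still happens elsewhere when `trust_env` is set, and add a test showing that a client created without explicit `proxies` still picks up environment proxies, so they do not silently stop being used.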
Why This Fix Works in Production
- Trigger: SSL handshake failed on verifying the certificate
- Mechanism: The Client configuration was not properly propagated to the HTTPProxy, causing certificate verification to fail
- Why the fix works: Propagates the Client configuration to the HTTPProxy, ensuring that certificates specified via the 'verify' parameter are correctly utilized (first fixed release: 0.7.3).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The Client configuration was not properly propagated to the HTTPProxy, causing certificate verification to fail
- Surfaces as: SSL handshake failed on verifying the certificate
Proof / Evidence
- GitHub issue: #376
- Fix PR: https://github.com/encode/httpx/pull/377
- First fixed release: 0.7.3
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.30
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“How can I make sure my code is going through line 129 with my client_cer variable? I'm not experienced at coding, but if you tell me…”
“Could you try running that script with HTTPX_DEBUG=1 set as an environment variable? I can't see why TLS would be getting used unless the website…”
“Like this: $ HTTPX_DEBUG=1 python run_script.py from the command line.”
“I don't know if I did it right; I did it on a Windows machine. I can send you the certificate if you want or whatever. cmd /c…”
Failure Signature (Search String)
- SSL handshake failed on verifying the certificate
Error Message
Stack trace
SSL handshake failed on verifying the certificate
protocol: <asyncio.sslproto.SSLProtocol object at 0x0000020CDCD7E470>
transport: <_SelectorSocketTransport fd=768 read=polling write=<idle, bufsize=0>>
Traceback (most recent call last):
File "C:\Users\localhost\AppData\Local\Programs\Python\Python37\lib\asyncio\sslproto.py", line 625, in _on_handshake_complete
raise handshake_exc
File "C:\Users\localhost\AppData\Local\Programs\Python\Python37\lib\asyncio\sslproto.py", line 189, in feed_ssldata
self._sslobj.do_handshake()
File "C:\Users\localhost\AppData\Local\Programs\Python\Python37\lib\ssl.py", line 763, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)
SSL error in data received
protocol: <asyncio.sslproto.SSLProtocol object at 0x0000020CDCD7E470>
transport: <_SelectorSocketTransport closing fd=768 read=idle write=<idle, bufsize=0>>
Traceback (most recent call last):
File "C:\Users\localhost\AppData\Local\Programs\Python\Python37\lib\asyncio\sslproto.py", line 526, in data_received
ssldata, appdata = self._sslpipe.feed_ssldata(data)
File "C:\Users\localhost\AppData\Local\Programs\Python\Python37\lib\asyncio\sslproto.py", line 189, in feed_ssldata
self._sslobj.do_handshake()
File "C:\Users\localhost\AppD
... (truncated) ...
Stack trace
C:\Users\localhost\PycharmProjects\TribalW_Test_Env\Basic\network\client>cmd /c "set HTTPX_DEBUG=1 && python C:\Users\localhost\PycharmProjects\TribalW_Test_Env\Basic\tests\httpx\proxy_test.py"
SSL handshake failed on verifying the certificate
protocol: <asyncio.sslproto.SSLProtocol object at 0x000001261B0329E8>
transport: <_SelectorSocketTransport fd=636 read=polling write=<idle, bufsize=0>>
Traceback (most recent call last):
File "C:\Users\localhost\AppData\Local\Programs\Python\Python37\lib\asyncio\sslproto.py", line 625, in _on_handshake_complete
raise handshake_exc
File "C:\Users\localhost\AppData\Local\Programs\Python\Python37\lib\asyncio\sslproto.py", line 189, in feed_ssldata
self._sslobj.do_handshake()
File "C:\Users\localhost\AppData\Local\Programs\Python\Python37\lib\ssl.py", line 763, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)
SSL error in data received
protocol: <asyncio.sslproto.SSLProtocol object at 0x000001261B0329E8>
transport: <_SelectorSocketTransport closing fd=636 read=idle write=<idle, bufsize=0>>
Traceback (most recent call last):
File "C:\Users\localhost\AppData\Local\Programs\Python\Python37\lib\asyncio\sslproto.py", line 526, in data_received
ssldata, appdata = self._sslpipe.feed_
... (truncated) ...
Minimal Reproduction
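import httpx

# Route both plain-HTTP and HTTPS traffic through the local proxy.
client = httpx.Client(proxies={
    "http": "http://192.168.1.78:8888",
    "https": "http://192.168.1.78:8888",
})
# CA certificate (PEM) the request should be verified against.
client_cer = r'C:\Users\localhost\Documents\123.pem'
# On versions before 0.7.3 this fails with CERTIFICATE_VERIFY_FAILED (see the trace above).
request = client.get("http://whoer.net", verify=client_cer)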
What Broke
Users experienced SSL handshake failures when attempting to verify certificates through a proxy.
Why It Broke
The Client configuration was not properly propagated to the HTTPProxy, causing certificate verification to fail
Fix Options (Details)
Option A — Upgrade to fixed release (safe default, recommended)
Upgrade to version 0.7.3 or later.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/encode/httpx/pull/377
First fixed release: 0.7.3
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if the proxy does not support certificate verification.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
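One way to implement the "alert on handshake failures by error string" item above, as an added example (not code from httpx or the issue thread): it parses asyncio SSL error logs like the traces on this page and groups them by verify reason. The function names, the hint wording and the second sample failure are assumptions made for illustration.

```python
import re
from collections import Counter

# Last line of each asyncio/ssl traceback, as in the traces on this page.
VERIFY_RE = re.compile(
    r"ssl\.SSLCertVerificationError: \[SSL: CERTIFICATE_VERIFY_FAILED\] "
    r"certificate verify failed: (?P<reason>.+?)\s*\(_ssl\.c:\d+\)")
FD_RE = re.compile(r"_SelectorSocketTransport (?:closing )?fd=(?P<fd>\d+)")
# Triage hints per OpenSSL verify reason (wording assumed for this example).
HINTS = {
    "self signed certificate in certificate chain":
        "chain ends in a root missing from the trust store; check the CA bundle given to verify",
    "unable to get local issuer certificate":
        "issuer missing from the CA bundle, or the server omits an intermediate",
}
# Constructed sample: the first failure is copied from the page with the
# traceback frames dropped; the second failure is invented to show another reason.
SAMPLE_LOG = """\
SSL handshake failed on verifying the certificate
transport: <_SelectorSocketTransport fd=768 read=polling write=<idle, bufsize=0>>
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)
SSL error in data received
transport: <_SelectorSocketTransport closing fd=768 read=idle write=<idle, bufsize=0>>
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)
SSL handshake failed on verifying the certificate
transport: <_SelectorSocketTransport fd=812 read=polling write=<idle, bufsize=0>>
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
"""

def parse_handshake_failures(log_text):
    """One record per failed connection: transport fd, verify reason, hint."""
    records, seen, last_fd = [], set(), None
    for line in log_text.splitlines():
        fd = FD_RE.search(line)
        if fd:
            last_fd = int(fd.group("fd"))
        hit = VERIFY_RE.search(line)
        # asyncio logs one failed handshake twice for the same transport, so de-duplicate.
        if hit and (last_fd, hit.group("reason")) not in seen:
            reason = hit.group("reason")
            seen.add((last_fd, reason))
            records.append({"fd": last_fd, "reason": reason,
                            "hint": HINTS.get(reason, "unclassified; inspect the chain")})
    return records

def alert_counts(records):
    """Count failures per reason so an alert can use a per-reason threshold."""
    return Counter(r["reason"] for r in records)
```

A reason of "self signed certificate in certificate chain" behind a proxy usually means the CA bundle never reached the connection doing the handshake, which is the failure this page describes.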
Version Compatibility Table
| Version | Status |
|---|---|
| 0.7.3 | Fixed |