Jump to solution
Verify

httpx ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:852) (Fix)

Fixed
Spec
Package
httpx
Fixed In
0.13.0
Python
3.6
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.40
#646 ai retries timeouts tls Idempotency Violation Updated: 2026-02-13
Issue #646

The Fix

Upgrade to version 0.13.0 or later.

Based on closed encode/httpx issue #646 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit
@@ -338,7 +338,8 @@ def merge_url(self, url: URLTypes) -> URL: url = self.base_url.join(relative_url=url) if url.scheme == "http" and hstspreload.in_hsts_preload(url.host): - url = url.copy_with(scheme="https") + port = None if url.port == 80 else url.port + url = url.copy_with(scheme="https", port=port)
repro.py
TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - acquire_connection origin=Origin(scheme='https' host='109.169.53.101' port=80) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - new_connection connection=HTTPConnection(origin=Origin(scheme='https' host='109.169.53.101' port=80)) TRACE [2019-12-18 11:26:41] httpx.config - load_ssl_context verify=False cert=None trust_env=True http2=True TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - start_connect tcp host='109.169.53.101' port=80 timeout=Timeout(timeout=40) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - acquire_connection origin=Origin(scheme='http' host='109.169.53.101' port=80) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - new_connection connection=HTTPConnection(origin=Origin(scheme='http' host='109.169.53.101' port=80)) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - start_connect tcp host='109.169.53.101' port=80 timeout=Timeout(timeout=40) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - connected http_version='HTTP/1.1' TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - send_headers method='GET' target='/' headers=Headers({'host': '109.169.53.101:80', 'accept': '*/*', 'accept-encoding': 'gzip, deflate', 'connection': 'keep-alive', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36'}) TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - receive_event event=NEED_DATA TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - receive_event event=Response(status_code=301, headers=[(b'date', b'Wed, 18 Dec 2019 11:26:41 GMT'), (b'server', b'Apache/2.4.29'), (b'location', b'https://109.169.53.101:80/'), (b'content-length', b'234'), (b'keep-alive', b'timeout=5, max=100'), (b'connection', b'Keep-Alive'), (b'content-type', b'text/html; charset=iso-8859-1')], http_version=b'1.1', reason=b'Moved Permanently') DEBUG [2019-12-18 11:26:41] httpx.client - HTTP Request: GET http://109.169.53.101:80 "HTTP/1.1 301 Moved Permanently" TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - receive_event event=Data(<234 bytes>) TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - receive_event event=EndOfMessage(headers=[]) TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - response_closed our_state=DONE their_state=DONE TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - release_connection connection=HTTPConnection(origin=Origin(scheme='http' host='109.169.53.101' port=80)) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - acquire_connection origin=Origin(scheme='https' host='109.169.53.101' port=80) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - new_connection connection=HTTPConnection(origin=Origin(scheme='https' host='109.169.53.101' port=80)) TRACE [2019-12-18 11:26:41] httpx.config - load_ssl_context verify=False cert=None trust_env=True http2=True TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - start_connect tcp host='109.169.53.101' port=80 timeout=Timeout(timeout=40) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - close_connection TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - send_event event=ConnectionClosed()
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.13.0 or later.\nWhen NOT to use: This fix should not be applied if the application requires strict port handling for security.\n\n

Why This Fix Works in Production

  • Trigger: ret = fn(*args)
  • Mechanism: The issue arises from incorrect handling of the default port during HTTPS redirection
  • Why the fix works: Fixes issues with the Host header and HSTS when the default port is included in the URL, addressing incorrect redirect behavior. (first fixed release: 0.13.0).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • Shows up under Python 3.6 in real deployments (not just unit tests).
  • The issue arises from incorrect handling of the default port during HTTPS redirection
  • Surfaces as: Traceback (most recent call last):

Proof / Evidence

  • GitHub issue: #646
  • Fix PR: https://github.com/encode/httpx/pull/649
  • First fixed release: 0.13.0
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.75
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.40

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“Not seems that, no. Does it reproduce on asyncio too? Does it reproduce if connecting to https directly, rather than the redirect you mention? Is…”
@lovelydinosaur · 2019-12-18 · source
“@freis Is it the entire traceback? The more details we get on what happened exactly, the easier it is to debug. :-) Also, you can…”
@florimondmanca · 2019-12-18 · source
“Also, it might just be that the error you're encountering is just what it says: the server is trying to use an SSL/TLS version we…”
@florimondmanca · 2019-12-18 · source
“Hello all thanks for your responses”
@freis · 2019-12-18 · source

Failure Signature (Search String)

  • ret = fn(*args)

Error Message

Stack trace
error.txt
Error Message ------------- Traceback (most recent call last): File "/home/project/lib/python3.6/site-packages/trio/_ssl.py", line 466, in _retry ret = fn(*args) File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:852)

Minimal Reproduction

repro.py
TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - acquire_connection origin=Origin(scheme='https' host='109.169.53.101' port=80) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - new_connection connection=HTTPConnection(origin=Origin(scheme='https' host='109.169.53.101' port=80)) TRACE [2019-12-18 11:26:41] httpx.config - load_ssl_context verify=False cert=None trust_env=True http2=True TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - start_connect tcp host='109.169.53.101' port=80 timeout=Timeout(timeout=40) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - acquire_connection origin=Origin(scheme='http' host='109.169.53.101' port=80) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - new_connection connection=HTTPConnection(origin=Origin(scheme='http' host='109.169.53.101' port=80)) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - start_connect tcp host='109.169.53.101' port=80 timeout=Timeout(timeout=40) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - connected http_version='HTTP/1.1' TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - send_headers method='GET' target='/' headers=Headers({'host': '109.169.53.101:80', 'accept': '*/*', 'accept-encoding': 'gzip, deflate', 'connection': 'keep-alive', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36'}) TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - receive_event event=NEED_DATA TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - receive_event event=Response(status_code=301, headers=[(b'date', b'Wed, 18 Dec 2019 11:26:41 GMT'), (b'server', b'Apache/2.4.29'), (b'location', b'https://109.169.53.101:80/'), (b'content-length', b'234'), (b'keep-alive', b'timeout=5, max=100'), (b'connection', b'Keep-Alive'), (b'content-type', b'text/html; charset=iso-8859-1')], http_version=b'1.1', reason=b'Moved Permanently') DEBUG [2019-12-18 11:26:41] httpx.client - HTTP Request: GET http://109.169.53.101:80 "HTTP/1.1 301 Moved Permanently" TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - receive_event event=Data(<234 bytes>) TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - receive_event event=EndOfMessage(headers=[]) TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - response_closed our_state=DONE their_state=DONE TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - release_connection connection=HTTPConnection(origin=Origin(scheme='http' host='109.169.53.101' port=80)) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - acquire_connection origin=Origin(scheme='https' host='109.169.53.101' port=80) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection_pool - new_connection connection=HTTPConnection(origin=Origin(scheme='https' host='109.169.53.101' port=80)) TRACE [2019-12-18 11:26:41] httpx.config - load_ssl_context verify=False cert=None trust_env=True http2=True TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - start_connect tcp host='109.169.53.101' port=80 timeout=Timeout(timeout=40) TRACE [2019-12-18 11:26:41] httpx.dispatch.connection - close_connection TRACE [2019-12-18 11:26:41] httpx.dispatch.http11 - send_event event=ConnectionClosed()

Environment

  • Python: 3.6

What Broke

Users experience SSL errors when accessing HTTP URLs that redirect to HTTPS.

Why It Broke

The issue arises from incorrect handling of the default port during HTTPS redirection

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

Upgrade to version 0.13.0 or later.

When NOT to use: This fix should not be applied if the application requires strict port handling for security.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/encode/httpx/pull/649

First fixed release: 0.13.0

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix should not be applied if the application requires strict port handling for security.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
0.13.0 Fixed

Related Issues

No related fixes found.

Cluster: httpx:configuration-error All hubs All clusters
Related clusters: Data consistency Other Timeout

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #646. Not affiliated with the library maintainers. Verify before production use.