The Fix
Upgrade to version 0.13.0 or later.
Based on closed encode/httpx issue #782 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -95,18 +95,9 @@ await client.post(url, data=upload_bytes())
HTTPX supports either `asyncio` or `trio` as an async environment.
-By default it will auto-detect which of those two to use as the backend
+It will auto-detect which of those two to use as the backend
for socket operations and concurrency primitives.
repro.py
from httpx._backend.auto import AutoBackend
from httpx._dispatch.connection_pool import ConnectionPool
class CustomBackend(AutoBackend):
async def open_tcp_stream(
self,
hostname: str,
port: int,
ssl_context: typing.Optional[ssl.SSLContext],
timeout: Timeout,
) -> BaseSocketStream:
value = await super().open_tcp_stream(hostname, port, ssl_context, timeout)
# use value.stream_reader._transport.get_extra_info('ssl_object')
return value
async def f(*args, **kwargs):
backend = CustomBackend()
dispatch = ConnectionPool(backend=backend, http2=True)
async with AsyncClient(dispatch=dispatch) as client:
....
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.13.0 or later.\nWhen NOT to use: This fix is not suitable for users relying on custom backend implementations.\n\n
Why This Fix Works in Production
- Trigger: This backend behaves as a proxy to a real backend, but record the ssl.SSLObject on the way.
- Mechanism: The `backend` argument was unnecessary due to async autodetection
- Why the fix works: Dropped the `backend` parameter from `AsyncClient.__init__`, simplifying the API as autodetection is now the default behavior. (first fixed release: 0.13.0).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The `backend` argument was unnecessary due to async autodetection
- Production symptom (often without a traceback): This backend behaves as a proxy to a real backend, but record the ssl.SSLObject on the way.
Proof / Evidence
- GitHub issue: #782
- Fix PR: https://github.com/encode/httpx/pull/791
- First fixed release: 0.13.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.55
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Note: I use a custom Backend to record the certificates of the HTTPS requests”
“@dalf - That's a really useful (surprising) bit of feedback, thanks! (And yes, you've got the right approach there, but make sure you're pinning your…”
Failure Signature (Search String)
- This backend behaves as a proxy to a real backend, but record the ssl.SSLObject on the way.
- * https://github.com/dalf/searx-stats2/blob/master/searxstats/common/ssl_info.py#L85
Copy-friendly signature
signature.txt
Failure Signature
-----------------
This backend behaves as a proxy to a real backend, but record the ssl.SSLObject on the way.
* https://github.com/dalf/searx-stats2/blob/master/searxstats/common/ssl_info.py#L85
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
This backend behaves as a proxy to a real backend, but record the ssl.SSLObject on the way.
* https://github.com/dalf/searx-stats2/blob/master/searxstats/common/ssl_info.py#L85
Minimal Reproduction
repro.py
from httpx._backend.auto import AutoBackend
from httpx._dispatch.connection_pool import ConnectionPool
class CustomBackend(AutoBackend):
async def open_tcp_stream(
self,
hostname: str,
port: int,
ssl_context: typing.Optional[ssl.SSLContext],
timeout: Timeout,
) -> BaseSocketStream:
value = await super().open_tcp_stream(hostname, port, ssl_context, timeout)
# use value.stream_reader._transport.get_extra_info('ssl_object')
return value
async def f(*args, **kwargs):
backend = CustomBackend()
dispatch = ConnectionPool(backend=backend, http2=True)
async with AsyncClient(dispatch=dispatch) as client:
....
What Broke
Users experienced confusion and potential misuse of the `backend` argument.
Why It Broke
The `backend` argument was unnecessary due to async autodetection
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
Upgrade to version 0.13.0 or later.
When NOT to use: This fix is not suitable for users relying on custom backend implementations.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Option D — Guard side-effects with OnceOnly Guardrail for side-effects
Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.
- Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
- Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
- Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.
Show example snippet (optional)
onceonly.py
from onceonly import OnceOnly
import os
once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True)
# Stable idempotency key per real side-effect.
# Use a request id / job id / webhook delivery id / Stripe event id, etc.
event_id = "evt_..." # replace
key = f"stripe:webhook:{event_id}"
res = once.check_lock(key=key, ttl=3600)
if res.duplicate:
return {"status": "already_processed"}
# Safe to execute the side-effect exactly once.
handle_event(event_id)
When NOT to use: Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.
Fix reference: https://github.com/encode/httpx/pull/791
First fixed release: 0.13.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix is not suitable for users relying on custom backend implementations.
- Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.13.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.