
The Fix

This is **not** the expected result, because doing `GET` to an HTTPS resource via a proxy is just wrong (which was fixed in requests 2.x).

Based on closed psf/requests issue #1622

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke-test critical endpoints (health, OpenAPI/docs) before going to 100%.


Why This Fix Works in Production

  • Trigger: Requests 2.0.0 breaks SSL proxying via https_port of Squid.
  • Mechanism: This is **not** the expected result, because doing `GET` to an HTTPS resource via a proxy is just wrong (which was fixed in requests 2.x).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
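
What reaches the proxy in each case, as an added example (not code from the issue or from requests): it classifies the first request line a proxy receives, and uses the standard library's `http.client` against a loopback stub proxy to show that a tunnelling client opens with `CONNECT`. The stub, the function names and the `example.invalid` target are assumptions for illustration, and the sample `GET` line is constructed.

```python
import http.client
import socket
import threading

# Constructed sample: an HTTPS URL sent to the proxy as a plain absolute-form GET.
SAMPLE_UNTUNNELLED = b"GET https://pypi.python.org/pypi HTTP/1.1\r\nHost: pypi.python.org\r\n\r\n"

def classify_proxy_request(head: bytes) -> str:
    """Classify the first request line a proxy receives from a client."""
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return "malformed"
    method, target, _version = parts
    if method == "CONNECT":
        return "tunnel"                 # proxy relays bytes, TLS runs client to origin
    if target.lower().startswith("https://"):
        return "https-not-tunnelled"    # proxy is asked to fetch the HTTPS URL itself
    return "plain-forward" if target.lower().startswith("http://") else "origin-form"

def capture_first_request(host: str, port: int = 443) -> bytes:
    """Point http.client at a loopback stub proxy (hypothetical helper) and
    return the bytes the stub received. The stub refuses every tunnel."""
    srv = socket.create_server(("127.0.0.1", 0))
    seen = []
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            buf = b""
            while b"\r\n\r\n" not in buf:   # the client may send the head in pieces
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            seen.append(buf)
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    client = http.client.HTTPSConnection("127.0.0.1", srv.getsockname()[1], timeout=5)
    client.set_tunnel(host, port)       # ask for a CONNECT tunnel to host:port
    try:
        client.request("GET", "/")
    except OSError:
        pass                            # expected: the stub answers 403 to CONNECT
    finally:
        client.close()
        worker.join(5)
        srv.close()
    return seen[0] if seen else b""
```

The same classifier can be run over the request lines in a proxy's access log to find clients that never tunnel.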

Why This Breaks in Prod

  • Production symptom (often without a traceback): Requests 2.0.0 breaks SSL proxying via https_port of Squid.

Proof / Evidence

  • GitHub issue: #1622
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-04
  • Confidence: 0.00
  • Did this fix it?: No (no upstream fix linked)
  • Own content ratio: 0.59

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“Unless someone else beats me to it, I'll probably take a look at duplicating this weekend. I have pretty much no context on the proxy…”
@sigmavirus24 · 2013-09-25 · source
“This is a good catch, and thanks so much for the bug report”
@Lukasa · 2013-09-25 · source
“@GrahamDumpleton Could you please run these tests against plain urllib3, too (see https://gist.github.com/schlamar/5080598#file-test_proxy-py for example code)?”
@schlamar · 2013-09-25 · source
“Out of interest, why can't we send CONNECT over the SSL connection to the squid proxy? That feels like it's probably the right thing to…”
@Lukasa · 2013-09-25 · source

Failure Signature (Search String)

  • Requests 2.0.0 breaks SSL proxying via https_port of Squid.
  • https_port 3129 cert=/usr/local/opt/squid/etc/ssl/squid.crt key=/usr/local/opt/squid/etc/ssl/squid.key

Error Message

Signature-only (no traceback captured)

Minimal Reproduction

repro.py
```python
import unittest

import requests

# Squid proxy under test; 3129 is the https_port from the failure signature.
PROXY_HOST = 'localhost'
PROXY_HTTP_PORT = 3128
PROXY_HTTPS_PORT = 3129

REMOTE_URL = 'https://pypi.python.org/pypi'


class TestProxyingOfSSLRequests(unittest.TestCase):

    def test_proxy_via_squid_https_port_with_https_scheme(self):
        # The proxy URL itself uses the https scheme, so the hop to Squid is TLS.
        proxies = {
            'https': 'https://%s:%s' % (PROXY_HOST, PROXY_HTTPS_PORT)
        }
        response = requests.get(REMOTE_URL, proxies=proxies)
        self.assertTrue(len(response.content) != 0)


if __name__ == '__main__':
    unittest.main()
```

Fix Options (Details)

Option A — Apply the official fix

This is **not** the expected result, because doing `GET` to an HTTPS resource via a proxy is just wrong (which was fixed in requests 2.x).

When NOT to use: Do not use if it changes public behavior or if the failure cannot be reproduced.

Fix reference: https://github.com/psf/requests/issues/1622

Verify Fix

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Prevention

  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
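
One way to implement both points, as an added example (not code from the issue or from requests): a smoke test that performs a real handshake with chain and hostname validation and returns a record keyed by endpoint and error string. The function names and record fields are assumptions; pass a `cafile` to pin a private CA, for instance when the endpoint is a proxy's own TLS port. With hostnames as arguments it exits non-zero on any failure, which fails the CI job.

```python
import json
import socket
import ssl
import sys
from typing import Optional

def strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the certificate chain and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)   # None -> system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context() enables both checks; refuse to run if that changes.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification is disabled")
    return ctx

def tls_smoke(host: str, port: int = 443, cafile: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Perform one handshake and return a record suitable for alerting."""
    record = {"endpoint": f"{host}:{port}", "ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
                record.update(ok=True, protocol=tls.version(),
                              not_after=tls.getpeercert().get("notAfter"))
    except ssl.SSLCertVerificationError as exc:       # bad chain, expiry, name mismatch
        record.update(error_type="cert-verify", error=exc.verify_message)
    except ssl.SSLError as exc:                       # protocol-level handshake failure
        record.update(error_type="tls", error=exc.reason or str(exc))
    except OSError as exc:                            # refused, timeout, DNS
        record.update(error_type="network", error=str(exc))
    return record

if __name__ == "__main__":
    results = [tls_smoke(h) for h in sys.argv[1:]]
    print(json.dumps(results, indent=2))
    sys.exit(0 if all(r["ok"] for r in results) else 1)
```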
