The Fix
pip install requests==2.27.0
Based on closed psf/requests issue #5846 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -3,4 +3,5 @@ pytest-cov
pytest-mock==2.0.0
httpbin==0.7.0
+Flask>=1.0,<2.0
wheel
Steps
Follow the reproduction steps, confirm the failure, apply the fix, and repeat the same steps to verify the behavior changes.
Option A — Upgrade to fixed release\npip install requests==2.27.0\nWhen NOT to use: Do not use if it changes public behavior or if the failure cannot be reproduced.\n\n
Why This Fix Works in Production
- Trigger: TestRequests.test_pyopenssl_redirect is broken in CI
- Mechanism: Fixes the test suite on master by pinning Flask to a version below 2.0, addressing compatibility issues with the tests.
- Why the fix works: Fixes the test suite on master by pinning Flask to a version below 2.0, addressing compatibility issues with the tests. (first fixed release: 2.27.0).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Triggered by an upgrade/regression window: 3.6 breaks; 2.27.0 is the first fixed release.
- Shows up under Python 3.6 in real deployments (not just unit tests).
- Production symptom (often without a traceback): TestRequests.test_pyopenssl_redirect is broken in CI
Proof / Evidence
- GitHub issue: #5846
- Fix PR: https://github.com/psf/requests/pull/5859
- First fixed release: 2.27.0
- Affected versions: 3.6
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.84
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Thanks @davidism! It appears to only be one test that's broken around pyopenssl”
“If anyone can formulate a standalone minimal example, I can try to help debug it.”
“I work on the Python packaging team for SUSE, and I've been trying to nail down this issue myself”
“Thanks @nateprewitt and @s-t-e-v-e-n-k! So that explains why this works in Python 2.7 and Python 3.5: werkzeug 2 does not support those versions”
Failure Signature (Search String)
- TestRequests.test_pyopenssl_redirect is broken in CI
Copy-friendly signature
Failure Signature
-----------------
TestRequests.test_pyopenssl_redirect is broken in CI
TestRequests.test_pyopenssl_redirect is broken in CI.
Error Message
Signature-only (no traceback captured)
Error Message
-------------
TestRequests.test_pyopenssl_redirect is broken in CI
TestRequests.test_pyopenssl_redirect is broken in CI.
Minimal Reproduction
- Steps
Environment
- Python: 3.6
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install requests==2.27.0
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/psf/requests/pull/5859
First fixed release: 2.27.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use if it changes public behavior or if the failure cannot be reproduced.
Verify Fix
Follow the reproduction steps, confirm the failure, apply the fix, and repeat the same steps to verify the behavior changes.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 3.6 | Broken |
| 2.27.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.