The Fix
pip install requests==2.32.3
Based on closed psf/requests issue #6715 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -6,12 +6,14 @@ dev
- \[Short description of non-trivial change.\]
-2.32.3 (2024-05-24)
+2.32.3 (2024-05-29)
-------------------
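Review bot: The hunk header (-6,12 +6,14) says the changelog grows by two lines, but the only change visible under the 2.32.3 heading is the release date moving from 2024-05-24 to 2024-05-29, so the entry that describes the fix cannot be checked from this excerpt. Confirm that the 2.32.3 section carries a bugfix line for custom SSLContexts in HTTPAdapter subclasses (#6715) before treating the date bump as the whole change.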
Option A — Upgrade to fixed release
pip install requests==2.32.3
When NOT to use: This fix is not applicable if the custom SSL context is misconfigured.

Option C — Workaround
seems to additionally disable certificate verification by setting verify to false.
When NOT to use: This fix is not applicable if the custom SSL context is misconfigured.
Why This Fix Works in Production
- Trigger: SSLError: HTTPSConnectionPool(host=..., port=543): Max retries exceeded with url: ... (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]…
- Mechanism: A bug broke the ability to specify custom SSLContexts in subclasses of HTTPAdapter, as reported in #6715.
- Why the fix works: Release 2.32.3 fixes that bug, so a custom SSLContext supplied by an HTTPAdapter subclass can be specified again (first fixed release: 2.32.3).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Shows up under Python 3.10.12 in real deployments (not just unit tests).
- Surfaces as: SSLError: HTTPSConnectionPool(host=..., port=543): Max retries exceeded with url: ... (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake…
Proof / Evidence
- GitHub issue: #6715
- Fix PR: https://github.com/psf/requests/pull/6721
- First fixed release: 2.32.3
- Reproduced locally: No (not executed)
- Last verified: 2026-02-08
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.43
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“@nateprewitt this is a different side-effect of #6655”
“This is running on databricks using python 3.10.12.”
“We have a different error, but probably the same issue”
“You will need to fix your code but right now it's not easily doable”
Failure Signature (Search String)
- SSLError: HTTPSConnectionPool(host=..., port=543): Max retries exceeded with url: ... (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
Error Message
SSLError: HTTPSConnectionPool(host=..., port=543): Max retries exceeded with url: ... (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1007)')))
Minimal Reproduction
import ssl

import requests
from requests.adapters import HTTPAdapter


class SSLAdapter(HTTPAdapter):
    """An HTTPAdapter that uses an arbitrary SSL context."""

    def __init__(self, ssl_context: ssl.SSLContext | None = None, **kwargs):
        """Initialize the SSLAdapter."""
        super().__init__(**kwargs)
        self.ssl_context = ssl_context

    def build_connection_pool_key_attributes(
        self,
        request: requests.PreparedRequest,
        verify: bool | str,
        cert: str | tuple[str, str] | None = None,
    ) -> tuple[dict, dict]:
        host_params, ssl_params = super().build_connection_pool_key_attributes(
            request, verify, cert
        )
        # Pass the custom context to the connection pool when verify is True
        if verify is True and self.ssl_context:
            ssl_params["ssl_context"] = self.ssl_context
        return host_params, ssl_params


if __name__ == "__main__":
    # Create a custom SSL context
    # (_create_unverified_context() returns a context with certificate and hostname checks disabled)
    ssl_context = ssl._create_unverified_context()
    ssl_context.set_ciphers("DEFAULT@SECLEVEL=2")  # Adjusting the security level to support 2048 bit keys

    # Example API call setup
    username = "<admin>"
    password = "<password>"
    protocol = "https"
    api_url = f"{protocol}://<host>/"
    action = "<action>"
    headers = {"Content-Type": "application/json"}

    # Create a session with the SSLAdapter
    session = requests.Session()
    session.auth = (username, password)
    session.mount(f"{protocol}://", SSLAdapter(ssl_context=ssl_context))

    try:
        response = session.get(api_url + action, timeout=15, headers=headers)
        response.raise_for_status()  # Raise an exception for HTTP errors
        print("Response:", response.json())
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")
Environment
- Python: 3.10.12
Fix Options (Details)
Option A — Upgrade to fixed release (safe default, recommended)
pip install requests==2.32.3
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Option C — Workaround (temporary)
seems to additionally disable certificate verification by setting verify to false.
Use only if you cannot change versions today. Treat this as a stopgap and remove once upgraded: with certificate verification disabled, the client no longer authenticates the server it connects to.
Fix reference: https://github.com/psf/requests/pull/6721
First fixed release: 2.32.3
Last verified: 2026-02-08. Validate in your environment.
When NOT to Use This Fix
- This fix is not applicable if the custom SSL context is misconfigured.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Prevention
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
- Track RSS + object counts after deployments; alert on monotonic growth and GC pressure.
- Add a long-running test that repeats the failing call path and asserts stable memory.
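The second prevention item, alerting on handshake failures by error string and endpoint, as an added example (not code from the requests project or the issue thread). The log lines are constructed samples shaped like the failure signature on this page, and the names SIGNATURE, parse_failure and alerts are hypothetical.

```python
import re
from collections import Counter

# Failure signature quoted on this page: pool host and port, then the OpenSSL
# reason code in "[SSL: ...]". Grouping on all three separates a negotiation
# failure on one endpoint from a certificate/CA failure on another.
SIGNATURE = re.compile(
    r"SSLError: HTTPSConnectionPool\(host='?(?P<host>[^',)]+)'?, port=(?P<port>\d+)\)"
    r".*?\[SSL: (?P<reason>[A-Z0-9_]+)\]"
)

# Constructed sample log lines (hosts, timestamps and paths are made up).
_TLS = ("{ts} ERROR SSLError: HTTPSConnectionPool(host='{host}', port={port}): "
        "Max retries exceeded with url: /v1/status (Caused by SSLError(SSLError(1, "
        "'[SSL: {reason}] {text} (_ssl.c:1007)')))")
_HANDSHAKE = dict(host="api.example.com", port=543,
                  reason="SSLV3_ALERT_HANDSHAKE_FAILURE",
                  text="sslv3 alert handshake failure")
SAMPLE_LOG = [
    _TLS.format(ts="10:00:01", **_HANDSHAKE),
    "10:00:02 INFO GET https://auth.example.com/token 200",
    _TLS.format(ts="10:00:05", **_HANDSHAKE),
    _TLS.format(ts="10:00:07", host="auth.example.com", port=443,
                reason="CERTIFICATE_VERIFY_FAILED", text="certificate verify failed"),
    "10:00:08 ERROR ConnectionError: HTTPSConnectionPool(host='api.example.com', port=543): "
    "Max retries exceeded with url: /v1/status (Caused by NewConnectionError('refused'))",
    _TLS.format(ts="10:00:09", **_HANDSHAKE),
]


def parse_failure(line):
    """Return (host, port, reason) for a TLS failure line, or None for anything else."""
    match = SIGNATURE.search(line)
    if match is None:
        return None
    return match["host"], int(match["port"]), match["reason"]


def alerts(lines, threshold=2):
    """Count TLS failures per (host, port, reason); keep those at or over threshold."""
    counts = Counter(key for key in map(parse_failure, lines) if key is not None)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (host, port, reason), n in alerts(SAMPLE_LOG).items():
        print(f"ALERT {host}:{port} {reason} x{n}")
```

Keying on the reason code keeps a burst of SSLV3_ALERT_HANDSHAKE_FAILURE after a client upgrade distinct from CERTIFICATE_VERIFY_FAILED, which points at a certificate or CA change instead.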
Version Compatibility Table
| Version | Status |
|---|---|
| 2.32.3 | Fixed |
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.