
The Fix

pip install urllib3==1.25

Based on closed urllib3/urllib3 issue #1224 · PR/commit linked

Production note: this surfaces when a client that was reaching servers by DNS name starts reaching one by IP literal (an internal IP-addressed endpoint, or the Windows http.sys host mentioned in the thread), or when the interpreter changes, because whether the IP ends up in SNI also depends on the Python ssl module. Roll out behind a canary and smoke the IP-addressed HTTPS endpoints (health, OpenAPI/docs) before 100%.

@@ -0,0 +1,73 @@ @@ -0,0 +1,73 @@ +import mock +import pytest +from six import b
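Review bot: the hunk header `@@ -0,0 +1,73 @@` is printed twice and only the first three added lines of the new 73-line test file are visible, so the test body cannot be reviewed from this page. Of what is shown, `import mock` pulls in the third-party backport rather than `unittest.mock`; that is fine only while the suite still supports Python 2 (which `from six import b` suggests), so consider a conditional import, or a comment stating the Python 2 constraint, so the dependency is not kept by accident once 2.x support is dropped.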

Why This Fix Works in Production

  • Trigger: an HTTPS request to a host given as an IP literal (for example https://8.8.8.8/) on a urllib3 release before 1.25, on a Python whose ssl module still copies whatever server_hostname it is given into the Client Hello.
  • Mechanism: urllib3 passed the IP literal as server_hostname, and Python's ssl module placed it in the server_name (SNI) extension. RFC 6066 section 3 permits only DNS host names there; literal IPv4 and IPv6 addresses are not allowed.
  • Why the fix works: from 1.25, urllib3 does not request SNI when the target is an IP address, working around the known bug in Python's ssl module (the thread tracks the interpreter-side fix as https://bugs.python.org/issue32185, targeted at 3.7). First fixed release: 1.25.
Production impact:
  • Left unfixed, the same client code works against name-addressed servers and fails only against IP-addressed ones whose TLS stack rejects the malformed SNI (the thread reports Windows' http.sys aborting the connection), which looks like an environment-specific handshake failure rather than a client bug.

Why This Breaks in Prod

  • urllib3 passed the target IP literal as server_hostname, so the Client Hello carried it in the server_name extension, which RFC 6066 forbids.
  • Production symptom: the handshake to an IP-addressed HTTPS endpoint is aborted by strict servers, with no distinctive traceback; the proof is a packet capture of the Client Hello showing "Extension: server_name" with "Server Name: <the IP you dialed>".

Proof / Evidence

  • GitHub issue: #1224
  • Fix PR: https://github.com/urllib3/urllib3/pull/1350
  • First fixed release: 1.25
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.95
  • Did this fix it?: Yes (upstream fix exists)

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“We're hitting this in pywinrm/Ansible as well if SNI is enabled”
@nitzmahone · 2017-11-29 · source
“This is a known bug in Python's ssl module. I'll fix it for 3.7 as soon as I can drop support for OpenSSL < 1.0.2.…”
@tiran · 2017-11-29 · source
“@nitzmahone In #1287 you wrote that SNI IP address is causing connection abort with Windows' http.sys. I didn't know that the issue can cause connection…”
@tiran · 2017-11-30 · source
“@tiran done: https://bugs.python.org/issue32185 - I see it's already been default-assigned to you :D”
@nitzmahone · 2017-11-30 · source

Failure Signature (Search String)

  • Extension: server_name with Server Name: 8.8.8.8 (an IP literal as the SNI host_name; the address is whichever IP the client dialed)
  • TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Copy-friendly signature
signature.txt
Failure Signature
-----------------
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Extension: server_name
Server Name Type: host_name (0)
Server Name: 8.8.8.8

Error Message

No Python traceback is captured in the issue: the defect is visible only on the wire, as a Client Hello whose server_name extension carries the target IP. Servers that reject it close the connection during the handshake (the thread reports this with Windows' http.sys), so the client sees a generic connection abort or SSL handshake error rather than a distinctive message.
error.txt
Error Message
-------------
(no traceback captured; the evidence is the packet capture under Minimal Reproduction)
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Extension: server_name
Server Name: 8.8.8.8

Minimal Reproduction

repro (Wireshark dissection of the outgoing Client Hello; this is a packet capture, not a script)
Frame 31: 571 bytes on wire (4568 bits), 571 bytes captured (4568 bits) on interface 0
Ethernet II, Src: BizlinkK_XX:XX:XX (9c:eb:e8:XX:XX:XX), Dst: JuniperN_XX:XX:XX (08:81:f4:XX:XX:XX)
Internet Protocol Version 4, Src: 192.168.89.18, Dst: 8.8.8.8
Transmission Control Protocol, Src Port: 1156, Dst Port: 443, Seq: 1, Ack: 1, Len: 517
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)
            Random
            Session ID Length: 0
            Cipher Suites Length: 148
            Cipher Suites (74 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 319
            Extension: server_name
                Type: server_name (0x0000)
                Length: 12
                Server Name Indication extension
                    Server Name list length: 10
                    Server Name Type: host_name (0)
                    Server Name length: 7
                    Server Name: 8.8.8.8
            Extension: ec_point_formats
            Extension: elliptic_curves
            Extension: SessionTicket TLS
            Extension: signature_algorithms
            Extension: Heartbeat
            Extension: Padding

What Broke

HTTPS connections made to a host given as an IP literal rather than a DNS name fail at the TLS handshake against servers that reject the malformed Client Hello: urllib3 put the IP into the SNI extension, which RFC 6066 does not permit.

Why It Broke

urllib3 passed the target IP literal as server_hostname, and Python's ssl module (before the fix tracked in https://bugs.python.org/issue32185) copied it into the server_name extension of the Client Hello. RFC 6066 section 3 allows only DNS host names there; literal IPv4 and IPv6 addresses are not permitted, so a strict server may abort the handshake. Certificate checking is unaffected by the fix: a client connecting to an IP must still match the certificate's IP SAN, which is separate from what is requested in SNI.

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.25

When NOT to use: only if you depend on a server that (against RFC 6066) expects an IP literal in SNI to pick its certificate. Such a server is the non-compliant party and should be fixed instead of pinning the client.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds. 1.25 is the first release carrying the fix, so a constraint of urllib3>=1.25 is the sensible form; if urllib3 arrives as a dependency of requests, check the resolved version rather than assuming it.

Fix reference: https://github.com/urllib3/urllib3/pull/1350

First fixed release: 1.25

Last verified: 2026-02-09. Validate in your environment.


When NOT to Use This Fix

  • Only if you depend on a server that (against RFC 6066) expects an IP literal in SNI to pick its certificate; that server is the non-compliant party and should be fixed instead of pinning the client.

Verify Fix

verify
The "minimal reproduction" is a packet capture, not a script, so verification is on the wire: with the broken version installed, capture traffic (tcpdump or Wireshark on port 443) while making an HTTPS request to an IP literal and confirm the Client Hello carries Extension: server_name with that IP as Server Name. Apply the fix, repeat, and confirm the server_name extension is absent. On a current CPython (3.7+) the ssl module already omits SNI for IP literals on its own, so run the check on the interpreter you actually ship with.
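The mechanism described under Why It Broke and the on-the-wire check called for under Verify Fix, as an added example; this is not code from urllib3, from the issue thread, or from PR #1350. It assumes CPython 3.7+ with the stdlib ssl module, drives that module through memory BIOs so the Client Hello can be inspected without any network access, and parses the server_name extension by hand. The function names (is_ip_literal, sni_hostname_for, extract_sni, client_hello_sni, build_client_hello, sni_violates_rfc6066) are this example's own, and the Client Hello produced by build_client_hello is constructed sample input shaped like the capture on this page, not a real packet.

```python
"""Inspect the SNI a TLS client would send, with no network access.

Added example for this page; not code from urllib3 or PR #1350.
Assumes CPython 3.7+ and the stdlib ssl module.  All names are this
example's own.
"""
import ipaddress
import ssl
import struct


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, including [bracketed] IPv6 with a zone id."""
    candidate = host.strip("[]").split("%", 1)[0]   # "[fe80::1%eth0]" -> "fe80::1"
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return True


def sni_hostname_for(host: str):
    """Name to request in SNI: the DNS name, or None for an IP literal, which
    RFC 6066 s.3 does not allow in server_name.  This is the client-side guard
    the 1.25 fix adds; certificate/IP-SAN verification is a separate step."""
    return None if is_ip_literal(host) else host


def extract_sni(record: bytes):
    """Return the host_name in a ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 22:                 # ContentType handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 1:                           # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                           # client_version + random
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    if pos + 2 > len(hello):
        return None                                        # no extensions block
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                                  # 0 == server_name
            continue
        off = 2                                            # skip ServerNameList length
        while off + 3 <= len(data):                        # (name_type, u16 len, name)
            name_len = struct.unpack("!H", data[off + 1:off + 3])[0]
            name = data[off + 3:off + 3 + name_len]
            if data[off] == 0:                             # NameType host_name
                return name.decode("ascii")
            off += 3 + name_len
    return None


def client_hello_sni(server_hostname: str):
    """Drive the running interpreter's ssl module through memory BIOs and
    report what it put in SNI for server_hostname.  An affected ssl module
    returns the IP literal for "8.8.8.8"; a fixed one (3.7+) returns None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                             # we only want the hello
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                               # hello written; server's turn
    return extract_sni(outgoing.read())


def build_client_hello(sni: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record with one
    server_name entry, shaped like the capture on this page (not a real packet)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # host_name entry
    sni_ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    hello = (b"\x03\x03" + bytes(32)                      # client_version, random
             + b"\x00"                                     # empty session_id
             + b"\x00\x02\xc0\x2f"                         # one cipher suite
             + b"\x01\x00"                                 # null compression
             + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_violates_rfc6066(record: bytes) -> bool:
    """The failure signature: a ClientHello whose SNI host_name is an IP literal."""
    name = extract_sni(record)
    return name is not None and is_ip_literal(name)
```

client_hello_sni("8.8.8.8") is the in-process form of the capture check: it returns "8.8.8.8" on an interpreter that still sends IP literals in SNI and None on one that does not, so it doubles as the CI smoke test for this bug without needing a listening server. extract_sni applied to bytes read from a real capture (or to the constructed sample) tells you whether a given Client Hello would trip a strict server.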


Prevention

  • Add a CI test that captures the Client Hello sent to an IP-literal target (or generates it in-process through the ssl module's memory BIOs) and asserts that no server_name extension is present.
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI against the IP-addressed endpoints you actually use (include CA bundle validation and hostname/IP SAN checks).
  • Alert on TLS handshake failures by endpoint to catch cert/CA changes and SNI rejections quickly.

Version Compatibility Table

Version   Status
< 1.25    Affected: passes the IP literal as server_hostname, so on an ssl module without the bpo-32185 fix (per the thread, targeted at Python 3.7) the IP goes into SNI
1.25      Fixed (PR #1350)


Sources

We don’t republish the full GitHub discussion text. Use the links above for context.