Jump to solution
Details

urllib3 Shouldn't urllib3 verify SSL/TLS certificates by default ? (Fix)

Fixed
Spec
Package
urllib3
Fixed In
1.25
Verdict
Status
Fixed
Safe for prod
Yes
Risk
Low
Last verified
2026-02-09
Own content ratio
0.75
#1454 ai auth tls webhooks Breaking Api Change Updated: 2026-02-13
Issue #1454

The Fix

pip install urllib3==1.25

Based on closed urllib3/urllib3 issue #1454 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Open PR/Commit
@@ -16,6 +16,8 @@ dev (master) given and no password was given. Instead an ``SSLError`` is raised. (Pull #1489) +* Require and validate certificates by default when using HTTPS (Pull #1507) + * ... [Short description of non-trivial change.] (Issue #)
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.25\nWhen NOT to use: This fix should not be applied if backward compatibility with existing code is a priority.\n\n

Why This Fix Works in Production

  • Trigger: Shouldn't urllib3 verify SSL/TLS certificates by default ?
  • Mechanism: The default behavior of urllib3 did not require SSL/TLS certificate validation for HTTPS requests
  • Why the fix works: Changes the default behavior of urllib3 to require and validate SSL/TLS certificates for HTTPS requests. (first fixed release: 1.25).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • The default behavior of urllib3 did not require SSL/TLS certificate validation for HTTPS requests
  • Production symptom (often without a traceback): Shouldn't urllib3 verify SSL/TLS certificates by default ?

Proof / Evidence

  • GitHub issue: #1454
  • Fix PR: https://github.com/urllib3/urllib3/pull/1507
  • First fixed release: 1.25
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.95
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.75

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“I'd say this is probably ready to go then :)”
@sethmlarson · 2018-10-16 · source
“I think if we were to "do-it-all-over" we'd have TLS verification on by default but to preserve backwards compatibility we'll probably keep the current behavior…”
@sethmlarson · 2018-10-16 · source
“For the records, see https://github.com/SeleniumHQ/selenium/issues/6534 for a case where switching from httplib to urllib3 accidentally disabled certificate validation ( the change introducing the issue https://github.com/SeleniumHQ/selenium/commit/8d98f3223c3”
@jerome-nexedi · 2018-10-16 · source
“I would personally be totally okay with us changing this behavior in a minor release (Python did it in a patch release, hilariously). I would…”
@theacodes · 2018-10-16 · source

Failure Signature (Search String)

  • Shouldn't urllib3 verify SSL/TLS certificates by default ?
  • ... urllib3 brings many critical features that are missing from the Python standard libraries:
Copy-friendly signature
signature.txt
Failure Signature ----------------- Shouldn't urllib3 verify SSL/TLS certificates by default ? ... urllib3 brings many critical features that are missing from the Python standard libraries:

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- Shouldn't urllib3 verify SSL/TLS certificates by default ? ... urllib3 brings many critical features that are missing from the Python standard libraries:

What Broke

Users migrating from urllib2 or httplib may experience disabled certificate validation, leading to security vulnerabilities.

Why It Broke

The default behavior of urllib3 did not require SSL/TLS certificate validation for HTTPS requests

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.25

When NOT to use: This fix should not be applied if backward compatibility with existing code is a priority.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/1507

First fixed release: 1.25

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix should not be applied if backward compatibility with existing code is a priority.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
1.25 Fixed

Related Issues

No related fixes found.

Cluster: urllib3:configuration-error urllib3 hub urllib3 best practices All hubs All clusters
Related clusters: Data consistency SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #1454. Not affiliated with the library maintainers. Verify before production use.