Jump to solution
Details

urllib3 urllib3 does not allow to use HTTPS proxy (Fix)

Fixed
Spec
Package
urllib3
Fixed In
1.25.11
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.74
#1662 ai tls Idempotency Violation Updated: 2026-02-13
Issue #1662

The Fix

pip install urllib3==1.25.11

Based on closed urllib3/urllib3 issue #1662 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Open PR/Commit
@@ -9,6 +9,7 @@ from .packages.six.moves.http_client import HTTPConnection as _HTTPConnection from .packages.six.moves.http_client import HTTPException # noqa: F401 +from .util.proxy import create_proxy_ssl_context try: # Compiled with SSL?
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.25.11\nWhen NOT to use: This fix should not be used if the proxy does not support forwarding for HTTPS.\n\n

Why This Fix Works in Production

  • Trigger: urllib3 does not allow to use HTTPS proxy
  • Mechanism: urllib3 attempts to create an HTTPS tunnel using CONNECT method, which is unsupported by the proxy
  • Why the fix works: Integrates TLS-in-TLS support into urllib3, allowing it to use HTTPS proxies with HTTPS destinations. (first fixed release: 1.25.11).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • urllib3 attempts to create an HTTPS tunnel using CONNECT method, which is unsupported by the proxy
  • Production symptom (often without a traceback): urllib3 does not allow to use HTTPS proxy

Proof / Evidence

  • GitHub issue: #1662
  • Fix PR: https://github.com/urllib3/urllib3/pull/1923
  • First fixed release: 1.25.11
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.74

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“Ah your proxy is doing forwarding not tunneling. I'm not sure about whether we support proxies that do forwarding and the reasons. Might require some…”
@sethmlarson · 2019-08-11 · source
“The standard way to connect to an HTTPS URL over an HTTP proxy is via CONNECT. Do you know why your proxy isn't following this…”
@sethmlarson · 2019-08-11 · source
“I did not say that I connect to HTTPS :) I try to connect through HTTPS proxy”
@SeyfSV · 2019-08-11 · source

Failure Signature (Search String)

  • urllib3 does not allow to use HTTPS proxy
  • When I try to use HTTPS proxy, than urllib3 tries to create HTTPS tunnel by calling CONNECT. But my HTTPS proxy does not support it and resets connection after receiving it.
Copy-friendly signature
signature.txt
Failure Signature ----------------- urllib3 does not allow to use HTTPS proxy When I try to use HTTPS proxy, than urllib3 tries to create HTTPS tunnel by calling CONNECT. But my HTTPS proxy does not support it and resets connection after receiving it.

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- urllib3 does not allow to use HTTPS proxy When I try to use HTTPS proxy, than urllib3 tries to create HTTPS tunnel by calling CONNECT. But my HTTPS proxy does not support it and resets connection after receiving it.

What Broke

Users experience connection resets when using unsupported HTTPS proxies.

Why It Broke

urllib3 attempts to create an HTTPS tunnel using CONNECT method, which is unsupported by the proxy

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.25.11

When NOT to use: This fix should not be used if the proxy does not support forwarding for HTTPS.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/1923

First fixed release: 1.25.11

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix should not be used if the proxy does not support forwarding for HTTPS.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
1.25.11 Fixed

Related Issues

No related fixes found.

Cluster: urllib3:configuration-error urllib3 hub urllib3 best practices All hubs All clusters
Related clusters: Data consistency SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #1662. Not affiliated with the library maintainers. Verify before production use.