The Fix
pip install urllib3==1.25.9
Based on closed urllib3/urllib3 issue #1818 · PR/commit linked
Production note: This tends to surface only under concurrency. Reproduce with load tests and watch for lock contention/cancellation paths.
@@ -284,7 +284,7 @@ In chronological order:
* Jorge Lopez Silva <https://github.com/jalopezsilva>
* Added support for forwarding requests through HTTPS proxies.
-
+
* Benno Rice <[email protected]>
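Review bot: The only change in this hunk is the blank line after the "Added support for forwarding requests through HTTPS proxies." entry, which is removed and re-added with no visible difference, so it is whitespace-only. If the intent was to credit a new contributor, that entry is missing from the hunk; otherwise drop the whitespace change so it does not travel with an unrelated fix.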
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Option A — Upgrade to fixed release
pip install urllib3==1.25.9
When NOT to use: Do not use this fix if the server must support both IPv4 and IPv6 simultaneously.
Why This Fix Works in Production
- Trigger: TestSNI:test_hostname_in_first_request_packet hangs
- Mechanism: The test hangs because the test server never accepts a connection: client and server end up on mismatched address families, so the client never connects.
- Why the fix works: It ensures that the test host resolves to IPv6 in tests, fixing the hang in TestSNI when the client never connects (first fixed release: 1.25.9).
- If left unfixed, failures can be intermittent under concurrency (hard to reproduce; shows up as sporadic 5xx/timeouts).
Why This Breaks in Prod
- Shows up under Python 2.7 in real deployments (not just unit tests).
- The test hangs because the test server never accepts a connection: client and server end up on mismatched address families.
- Production symptom (often without a traceback): TestSNI:test_hostname_in_first_request_packet hangs
Proof / Evidence
- GitHub issue: #1818
- Fix PR: https://github.com/urllib3/urllib3/pull/1819
- First fixed release: 1.25.9
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.95
- Did this fix it?: Yes (upstream fix exists)
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“My system supports IPv6 and resolves localhost to 127.0.0.1. When I run the test suite on my system, TestSNI:test_hostname_in_first_request_packet hangs. This also fails about 80 more tests with MaxRetryError. ### Expected Result 1. The test”
Failure Signature (Search String)
- TestSNI:test_hostname_in_first_request_packet hangs
- When I run the test suite on my system, `TestSNI:test_hostname_in_first_request_packet` hangs.
Error Message
Signature-only (no traceback captured)
Minimal Reproduction
$ cat noxfile-single.patch
30a31,32
"-o", "log_cli=true",
"-k", "test_hostname_in_first_request_packet",
$ patch noxfile.py noxfile-single.patch
patching file noxfile.py
$ nox --sessions test-2.7
nox > Running session test-2.7
nox > Creating virtual environment (virtualenv) using python2.7 in .nox/test-2-7
nox > pip install -r dev-requirements.txt
nox > pip install .[socks,secure,brotli]
nox > pip --version
pip 20.0.2 from /home/user/dev/urllib3/.nox/test-2-7/lib/python2.7/site-packages/pip (python 2.7)
nox > python --version
Python 2.7.17
nox > python -c import struct; print(struct.calcsize('P') * 8)
64
nox > python -m OpenSSL.debug
pyOpenSSL: 19.1.0
cryptography: 2.8
cffi: 1.14.0
cryptography's compiled against OpenSSL: OpenSSL 1.1.1d 10 Sep 2019
cryptography's linked OpenSSL: OpenSSL 1.1.1d 10 Sep 2019
Pythons's OpenSSL: OpenSSL 1.1.1 11 Sep 2018
Python executable: /home/user/dev/urllib3/.nox/test-2-7/bin/python
Python version: 2.7.17 (default, Nov 7 2019, 10:07:09)
[GCC 7.4.0]
Platform: linux2
sys.path: ['', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-x86_64-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/python2.7/lib-dynload', '/home/user/dev/urllib3/.nox/test-2-7/lib/python2.7/site-packages']
nox > coverage run --parallel-mode -m pytest -o log_cli=true -k test_hostname_in_first_request_packet -r a --tb=native --no-success-flaky-report test/
==================================== test session starts ====================================
platform linux2 -- Python 2.7.17, pytest-4.6.6, py-1.8.1, pluggy-0.13.1
rootdir: /home/user/dev/urllib3, inifile: setup.cfg
plugins: flaky-3.6.1, timeout-1.3.3
collected 1342 items / 1339 deselected / 3 selected
test/contrib/test_pyopenssl.py::TestSNI::test_hostname_in_first_request_packet
[hangs]
Environment
- Python: 2.7
What Broke
The test suite hangs and fails multiple tests with MaxRetryError.
Why It Broke
The test hangs because the test server never accepts a connection: client and server end up on mismatched address families, so the client never connects.
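The mechanism above as a runnable check (an added example, not code from the urllib3 test suite). `localhost_families` and `probe` are hypothetical helper names, the addresses are the standard loopback literals, and the accept timeout stands in for the unbounded `accept()` that shows up as the hang.

```python
import socket

def localhost_families(host="localhost"):
    """Address families the resolver returns for host, in preference order."""
    infos = socket.getaddrinfo(host, 0, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return list(dict.fromkeys(info[0] for info in infos))

def probe(bind_family, bind_addr, connect_family, connect_addr, timeout=1.0):
    """Listen on bind_addr, dial connect_addr on the same port, and report
    what the server side sees: 'accepted' or 'accept-timeout'."""
    server = socket.socket(bind_family, socket.SOCK_STREAM)
    server.settimeout(timeout)  # without a timeout, accept() blocks forever
    server.bind((bind_addr, 0))  # port 0: let the kernel pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    client = None
    try:
        client = socket.socket(connect_family, socket.SOCK_STREAM)
        client.settimeout(timeout)
        client.connect((connect_addr, port))
    except OSError:
        pass  # refused or unreachable: the client gives up, the server is never told
    try:
        conn, _ = server.accept()
        conn.close()
        return "accepted"
    except socket.timeout:
        return "accept-timeout"
    finally:
        if client is not None:
            client.close()
        server.close()

if __name__ == "__main__":
    print("localhost resolves to:", localhost_families())
    print("IPv4 server, IPv4 client:",
          probe(socket.AF_INET, "127.0.0.1", socket.AF_INET, "127.0.0.1"))
    print("IPv4 server, IPv6 client:",
          probe(socket.AF_INET, "127.0.0.1", socket.AF_INET6, "::1"))
    try:  # the direction reported in the issue; needs IPv6 loopback on the host
        print("IPv6 server, IPv4 client:",
              probe(socket.AF_INET6, "::1", socket.AF_INET, "127.0.0.1"))
    except OSError as exc:
        print("IPv6 loopback unavailable:", exc)
```

If `localhost_families()` lists only `AF_INET` on a host where the test server binds to IPv6, the last probe reproduces the reported condition.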
Fix Options (Details)
Option A — Upgrade to fixed release (safe default, recommended)
pip install urllib3==1.25.9
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Option D — Guard side-effects with OnceOnly (guardrail for side-effects)
Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.
- Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
- Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
- Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.
Example snippet (optional):
import os

from onceonly import OnceOnly

once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True)

def process_event(event_id):
    # Stable idempotency key per real side-effect.
    # Use a request id / job id / webhook delivery id / Stripe event id, etc.
    key = f"stripe:webhook:{event_id}"
    res = once.check_lock(key=key, ttl=3600)
    if res.duplicate:
        return {"status": "already_processed"}
    # Safe to execute the side-effect exactly once.
    # handle_event is your own handler, defined elsewhere.
    return handle_event(event_id)

process_event("evt_...")  # replace with the real event id
Fix reference: https://github.com/urllib3/urllib3/pull/1819
First fixed release: 1.25.9
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use this fix if the server must support both IPv4 and IPv6 simultaneously.
- Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.25.9 | Fixed |
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.