Jump to solution
Verify

urllib3 Unnecessary SNI warning with SecureTransport (Fix)

Fixed
Spec
Package
urllib3
Fixed In
1.25.11
Verdict
Status
Fixed
Safe for prod
Yes
Risk
Low
Last verified
2026-02-09
Own content ratio
0.49
#1902 ai corruption tls Updated: 2026-02-13
Issue #1902

The Fix

pip install urllib3==1.25.11

Based on closed urllib3/urllib3 issue #1902 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit
@@ -375,14 +375,13 @@ def ssl_wrap_socket( # If we detect server_hostname is an IP address then the SNI # extension should not be used according to RFC3546 Section 3.1 - # We shouldn't warn the user if SNI isn't available but we would - # not be using SNI anyways due to IP address for server_hostname. - if (
repro.py
import socket import ssl import threading # comment these 2 lines from urllib3.contrib import securetransport securetransport.inject_into_urllib3() from urllib3 import util import trustme ca = trustme.CA() cert = ca.issue_cert(u"localhost") ca.cert_pem.write_to_path("/tmp/ca.pem") cert.private_key_pem.write_to_path("/tmp/cert.key") cert.cert_chain_pems[0].write_to_path("/tmp/cert.pem") server_up = threading.Event() c = socket.socket() l = socket.socket() def client(): c.connect(('127.0.0.1', l.getsockname()[1])) ssl_sock = util.ssl_wrap_socket(c, ca_certs="/tmp/ca.pem") ssl_sock.close() def server(): l.bind(('127.0.0.1', 0)) l.listen(1) server_up.set() s = l.accept()[0] ssl_sock = ssl.wrap_socket(s, server_side=True, certfile="/tmp/cert.pem", keyfile="/tmp/cert.key") ssl_sock.close() client_thread = threading.Thread(target=client) server_thread = threading.Thread(target=server) server_thread.start() assert server_up.wait(5) client_thread.start() server_thread.join() client_thread.join()
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.25.11\nWhen NOT to use: This fix should not be applied if SNI warnings are required for other backends.\n\n

Why This Fix Works in Production

  • Trigger: ssl_sock = util.ssl_wrap_socket(c, ca_certs="/tmp/ca.pem")
  • Mechanism: The SecureTransport backend incorrectly issues an SNI warning when server_hostname is None
  • Why the fix works: Fixes an unnecessary SNI warning that was issued when using the SecureTransport backend without a server_hostname. (first fixed release: 1.25.11).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • The SecureTransport backend incorrectly issues an SNI warning when server_hostname is None
  • Production symptom (often without a traceback): ssl_sock = util.ssl_wrap_socket(c, ca_certs="/tmp/ca.pem")

Proof / Evidence

  • GitHub issue: #1902
  • Fix PR: https://github.com/urllib3/urllib3/pull/1903
  • First fixed release: 1.25.11
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.95
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.49

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“SNI is always enabled with the SecureTransport backend. If a platform lacks SNI support and otherwise SNI would have been used (a valid is given) - we issue an SNI warning. With the SecureTransport backend, if one wraps a socket with no , a”
Issue thread · issue description · source

Failure Signature (Search String)

  • ssl_sock = util.ssl_wrap_socket(c, ca_certs="/tmp/ca.pem")
  • ssl_sock.close()
Copy-friendly signature
signature.txt
Failure Signature ----------------- ssl_sock = util.ssl_wrap_socket(c, ca_certs="/tmp/ca.pem") ssl_sock.close()

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- ssl_sock = util.ssl_wrap_socket(c, ca_certs="/tmp/ca.pem") ssl_sock.close()

Minimal Reproduction

repro.py
import socket import ssl import threading # comment these 2 lines from urllib3.contrib import securetransport securetransport.inject_into_urllib3() from urllib3 import util import trustme ca = trustme.CA() cert = ca.issue_cert(u"localhost") ca.cert_pem.write_to_path("/tmp/ca.pem") cert.private_key_pem.write_to_path("/tmp/cert.key") cert.cert_chain_pems[0].write_to_path("/tmp/cert.pem") server_up = threading.Event() c = socket.socket() l = socket.socket() def client(): c.connect(('127.0.0.1', l.getsockname()[1])) ssl_sock = util.ssl_wrap_socket(c, ca_certs="/tmp/ca.pem") ssl_sock.close() def server(): l.bind(('127.0.0.1', 0)) l.listen(1) server_up.set() s = l.accept()[0] ssl_sock = ssl.wrap_socket(s, server_side=True, certfile="/tmp/cert.pem", keyfile="/tmp/cert.key") ssl_sock.close() client_thread = threading.Thread(target=client) server_thread = threading.Thread(target=server) server_thread.start() assert server_up.wait(5) client_thread.start() server_thread.join() client_thread.join()

What Broke

Unnecessary SNI warnings clutter logs, causing confusion during SSL connections.

Why It Broke

The SecureTransport backend incorrectly issues an SNI warning when server_hostname is None

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.25.11

When NOT to use: This fix should not be applied if SNI warnings are required for other backends.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/1903

First fixed release: 1.25.11

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix should not be applied if SNI warnings are required for other backends.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
1.25.11 Fixed

Related Issues

No related fixes found.

Cluster: urllib3:configuration-error urllib3 hub urllib3 best practices All hubs All clusters
Related clusters: Data consistency SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #1902. Not affiliated with the library maintainers. Verify before production use.