The Fix
pip install urllib3==1.26.0
Based on closed urllib3/urllib3 issue #1976 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -13,6 +13,7 @@
import re
import ssl
+import struct
import tempfile
repro.py
import logging
import socket
import ssl
import threading
import trustme
import urllib3
from urllib3.contrib.securetransport import inject_into_urllib3, extract_from_urllib3
CERT_PATH = "/tmp/ca.pem"
SSL_CTX2 = ssl.SSLContext()
NUM_CONNECTIONS = 3
def server(s):
for i in range(NUM_CONNECTIONS):
c, _ = s.accept()
try:
logging.critical("Server iter")
c = SSL_CTX2.wrap_socket(c, server_side=True)
c.recv(1024)
c.sendall(b"HTTP/1.1 404 Not Found\r\nConnection: close\r\n\r\n")
c.close()
except Exception as e:
logging.critical("Server ex: %r" % (e,))
def connect_and_fail(port):
with urllib3.HTTPSConnectionPool("localhost", port, cert_reqs="REQUIRED", ca_certs=CERT_PATH) as p:
for i in range(NUM_CONNECTIONS):
logging.critical("Client iter")
try:
p.request("GET", "/", retries=False)
except urllib3.exceptions.SSLError as e:
logging.critical("Client ex: %r" % (e,))
def main():
logging.basicConfig(level=logging.INFO)
# client's chain - ca
ca = trustme.CA()
ca.cert_pem.write_to_path(CERT_PATH)
# server's chain - ca2
ca2 = trustme.CA()
server2_cert = ca2.issue_cert(u"localhost")
server2_cert.configure_cert(SSL_CTX2)
# start an SSL server with ca chain
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', 0))
port = s.getsockname()[1]
s.listen(10)
th = threading.Thread(target=server, args=(s, ))
th.start()
# inject SecureTransport and try to connect with ca2 chain
inject_into_urllib3()
connect_and_fail(port)
extract_from_urllib3()
th.join()
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.26.0\nWhen NOT to use: Do not use this fix if custom verification is not enabled.\n\n
Why This Fix Works in Production
- Trigger: SecureTransport does not close unverified connections correctly
- Mechanism: SecureTransport does not terminate the socket on SSL custom-verification failure, leading to socket leaks
- Why the fix works: Terminates the connection when custom verification fails in SecureTransport, addressing the issue of leaking sockets. (first fixed release: 1.26.0).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- SecureTransport does not terminate the socket on SSL custom-verification failure, leading to socket leaks
- Production symptom (often without a traceback): SecureTransport does not close unverified connections correctly
Proof / Evidence
- GitHub issue: #1976
- Fix PR: https://github.com/urllib3/urllib3/pull/1977
- First fixed release: 1.26.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.95
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.43
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“SecureTransport does not handle SSL custom-verification failure correctly. Instead of sending an alert and terminating the socket, the client socket leaks thus hanging the server socket. #### Expected behavior When custom-verification is en”
Failure Signature (Search String)
- SecureTransport does not close unverified connections correctly
- SecureTransport does not handle SSL custom-verification failure correctly. Instead of sending an alert and terminating the socket, the client socket leaks thus hanging the server
Copy-friendly signature
signature.txt
Failure Signature
-----------------
SecureTransport does not close unverified connections correctly
SecureTransport does not handle SSL custom-verification failure correctly. Instead of sending an alert and terminating the socket, the client socket leaks thus hanging the server socket.
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
SecureTransport does not close unverified connections correctly
SecureTransport does not handle SSL custom-verification failure correctly. Instead of sending an alert and terminating the socket, the client socket leaks thus hanging the server socket.
Minimal Reproduction
repro.py
import logging
import socket
import ssl
import threading
import trustme
import urllib3
from urllib3.contrib.securetransport import inject_into_urllib3, extract_from_urllib3
CERT_PATH = "/tmp/ca.pem"
SSL_CTX2 = ssl.SSLContext()
NUM_CONNECTIONS = 3
def server(s):
for i in range(NUM_CONNECTIONS):
c, _ = s.accept()
try:
logging.critical("Server iter")
c = SSL_CTX2.wrap_socket(c, server_side=True)
c.recv(1024)
c.sendall(b"HTTP/1.1 404 Not Found\r\nConnection: close\r\n\r\n")
c.close()
except Exception as e:
logging.critical("Server ex: %r" % (e,))
def connect_and_fail(port):
with urllib3.HTTPSConnectionPool("localhost", port, cert_reqs="REQUIRED", ca_certs=CERT_PATH) as p:
for i in range(NUM_CONNECTIONS):
logging.critical("Client iter")
try:
p.request("GET", "/", retries=False)
except urllib3.exceptions.SSLError as e:
logging.critical("Client ex: %r" % (e,))
def main():
logging.basicConfig(level=logging.INFO)
# client's chain - ca
ca = trustme.CA()
ca.cert_pem.write_to_path(CERT_PATH)
# server's chain - ca2
ca2 = trustme.CA()
server2_cert = ca2.issue_cert(u"localhost")
server2_cert.configure_cert(SSL_CTX2)
# start an SSL server with ca chain
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', 0))
port = s.getsockname()[1]
s.listen(10)
th = threading.Thread(target=server, args=(s, ))
th.start()
# inject SecureTransport and try to connect with ca2 chain
inject_into_urllib3()
connect_and_fail(port)
extract_from_urllib3()
th.join()
What Broke
The server socket hangs due to leaking client sockets after SSL verification failure.
Why It Broke
SecureTransport does not terminate the socket on SSL custom-verification failure, leading to socket leaks
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.26.0
When NOT to use: Do not use this fix if custom verification is not enabled.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/1977
First fixed release: 1.26.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use this fix if custom verification is not enabled.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.26.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.