Jump to solution
Verify

urllib3 keylog_filename triggering error when SSLKEYLOGFILE is not set (Fix)

Fixed
Spec
Package
urllib3
Fixed In
1.25.11
Python
3.8
Verdict
Status
Fixed
Safe for prod
Yes
Risk
Low
Last verified
2026-02-09
Own content ratio
0.72
#2015 ai tls Updated: 2026-02-13
Exec PASS Issue #2015

The Fix

pip install urllib3==1.25.11

Based on closed urllib3/urllib3 issue #2015 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit
@@ -314,9 +314,11 @@ def create_urllib3_context( # Enable logging of TLS session keys via defacto standard environment variable - # 'SSLKEYLOGFILE', if the feature is available (Python 3.8+). + # 'SSLKEYLOGFILE', if the feature is available (Python 3.8+). Skip empty values. if hasattr(context, "keylog_filename"):
repro.py
import platform import urllib3 print("OS", platform.platform()) print("Python", platform.python_version()) print("urllib3", urllib3.__version__)
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.25.11\nWhen NOT to use: Do not use this fix if the SSLKEYLOGFILE is required for logging TLS session keys.\n\n

Why This Fix Works in Production

  • Trigger: urllib3.exceptions.ProtocolError: ('Connection aborted.', FileNotFoundError(2, 'No such file or directory'))
  • Mechanism: The keylog_filename was set to an empty value, causing a ProtocolError
  • Why the fix works: Addresses an issue where setting the keylog_filename for empty values caused a ProtocolError. (first fixed release: 1.25.11).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • Shows up under Python 3.8 in real deployments (not just unit tests).
  • The keylog_filename was set to an empty value, causing a ProtocolError
  • Surfaces as: urllib3.exceptions.ProtocolError: ('Connection aborted.', FileNotFoundError(2, 'No such file or directory'))

Proof / Evidence

  • GitHub issue: #2015
  • Fix PR: https://github.com/urllib3/urllib3/pull/2016
  • First fixed release: 1.25.11
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.95
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.72

Verified Execution

We executed the runnable minimal repro in a temporary environment and captured exit codes + logs.

  • Status: PASS
  • Ran: 2026-02-11T16:52:29Z
  • Package: urllib3
  • Fixed: 1.25.11
  • Mode: fixed_only
  • Outcome: ok
Logs
affected (exit=None)
fixed (exit=0)
OS Linux-6.8.0-1045-gcp-x86_64-with-glibc2.35 Python 3.10.12 urllib3 1.25.11

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“Awesome, thanks for the fast fix! This is much appreciated.”
@mattbasta · 2020-10-04 · source
“Thanks for opening this, this looks like a bug. We'll get a fix in and make a 1.25.11 release. Would you be willing to provide…”
@sethmlarson · 2020-10-04 · source
“@sethmlarson I'm happy to put up my little patch as a PR”
@mattbasta · 2020-10-04 · source

Failure Signature (Search String)

  • urllib3.exceptions.ProtocolError: ('Connection aborted.', FileNotFoundError(2, 'No such file or directory'))

Error Message

Stack trace
error.txt
Error Message ------------- urllib3.exceptions.ProtocolError: ('Connection aborted.', FileNotFoundError(2, 'No such file or directory'))

Minimal Reproduction

repro.py
import platform import urllib3 print("OS", platform.platform()) print("Python", platform.python_version()) print("urllib3", urllib3.__version__)

Environment

  • Python: 3.8
  • urllib3: 1.25.10

What Broke

Requests fail with a ProtocolError due to missing SSLKEYLOGFILE environment variable.

Why It Broke

The keylog_filename was set to an empty value, causing a ProtocolError

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.25.11

When NOT to use: Do not use this fix if the SSLKEYLOGFILE is required for logging TLS session keys.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/2016

First fixed release: 1.25.11

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • Do not use this fix if the SSLKEYLOGFILE is required for logging TLS session keys.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
1.25.11 Fixed

Related Issues

No related fixes found.

Cluster: urllib3:configuration-error urllib3 hub urllib3 best practices All hubs All clusters
Related clusters: Data consistency SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #2015. Not affiliated with the library maintainers. Verify before production use.