The Fix

pip install urllib3==1.25.11

Based on closed urllib3/urllib3 issue #2101 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke-test critical endpoints (health, OpenAPI/docs) before going to 100%.

@@ -64,6 +64,12 @@ def _const_compare_digest_backport(a, b): +try: # OP_NO_TICKET was added in Python 3.6 + from ssl import OP_NO_TICKET +except ImportError:
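Review bot: the `except ImportError:` branch is where this hunk ends on the page, so the fallback is the part to check. It has to bind `OP_NO_TICKET` to an integer so the name is still defined on interpreters older than Python 3.6, and the comment should record where that fallback value comes from, since the existing comment only says when the name was added to `ssl`.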

Why This Fix Works in Production

  • Trigger: POST method fails with urllib>=1.26.0 for https://android.clients.google.com/auth
  • Mechanism: Disables the use of session tickets on TLSv1.2 by default, addressing issues with authentication failures in urllib3>=1.26.0.
  • Why the fix works: Disables the use of session tickets on TLSv1.2 by default, addressing issues with authentication failures in urllib3>=1.26.0 (first fixed release: 1.25.11).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • Production symptom (often without a traceback): POST method fails with urllib>=1.26.0 for https://android.clients.google.com/auth

Proof / Evidence

  • GitHub issue: #2101
  • Fix PR: https://github.com/urllib3/urllib3/pull/1970
  • First fixed release: 1.25.11
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.75
  • Did this fix it?: Yes (upstream fix exists)

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“@pquentin I took a moment and ran the repro”
@crwilcox · 2020-12-09 · repro detail · source
“I agree @finkandreas - I don't think there's a good way to "fix" this in urllib3.”
@sigmavirus24 · 2020-12-07 · source
“@crwilcox I have adapted your example so it also works with urllib3-1.26.3 for me now:”
@jkuebart · 2021-02-06 · source
“@lucasknopp this is not the place to ask that question. We're not Node developers and we're not going to research this for you”
@sigmavirus24 · 2021-04-11 · source

Failure Signature (Search String)

  • POST method fails with urllib>=1.26.0 for https://android.clients.google.com/auth

Error Message

Signature-only (no traceback captured)

Minimal Reproduction

repro.py
#!/usr/bin/env python3
import http.client
import requests
import ssl
from urllib3.poolmanager import PoolManager

http.client.HTTPConnection.debuglevel = 1

# Certain ciphers cause Google to return 403 Bad Authentication.
CIPHERS = ":".join(
    [
        "ECDHE+AESGCM",
        "ECDHE+CHACHA20",
        "DHE+AESGCM",
        "DHE+CHACHA20",
        "ECDH+AES",
        "DH+AES",
        "RSA+AESGCM",
        "RSA+AES",
        "!aNULL",
        "!eNULL",
        "!MD5",
        "!DSS",
    ]
)


class SSLContext(ssl.SSLContext):
    def set_alpn_protocols(self, protocols):
        """
        ALPN headers cause Google to return 403 Bad Authentication.
        """
        pass


class AuthHTTPAdapter(requests.adapters.HTTPAdapter):
    def init_poolmanager(self, *args, **kwargs):
        """
        Secure settings from ssl.create_default_context(), but without
        ssl.OP_NO_TICKET which causes Google to return 403 Bad Authentication.
        """
        context = SSLContext()
        context.set_ciphers(CIPHERS)
        context.options |= ssl.OP_NO_SSLv2
        context.options |= ssl.OP_NO_SSLv3
        context.options |= ssl.OP_NO_COMPRESSION
        context.post_handshake_auth = True
        context.verify_mode = ssl.CERT_REQUIRED
        self.poolmanager = PoolManager(*args, ssl_context=context, **kwargs)


AUTH_URL = "https://android.clients.google.com/auth"
data = {
    "Email": "",
    "EncryptedPasswd": "",
    "add_account": 1,
}

session = requests.session()
session.mount(AUTH_URL, AuthHTTPAdapter())
token = session.post(AUTH_URL, data)
print(token)

Environment

  • urllib3: 1.26

Fix Options (Details)

Option A — Upgrade to fixed release (safe default, recommended)

pip install urllib3==1.25.11

When NOT to use: This fix should not be applied if session ticket support is required.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/1970

First fixed release: 1.25.11

Last verified: 2026-02-09. Validate in your environment.

Verify Fix

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
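A local check for the property this page is about, as an added example (not urllib3's code and not from the issue thread): it reports whether a given `ssl.SSLContext` has `OP_NO_TICKET` set, so you can confirm before and after the change whether the context your client uses disables session tickets. The function names are hypothetical; the urllib3 probe assumes `urllib3.util.ssl_.create_urllib3_context` is importable and returns `None` when urllib3 is not installed.

```python
import ssl

# Option bits relevant to the contexts discussed on this page.
CHECKED_OPTIONS = {
    "session_tickets_disabled": ssl.OP_NO_TICKET,
    "compression_disabled": ssl.OP_NO_COMPRESSION,
    "sslv3_disabled": ssl.OP_NO_SSLv3,
}


def audit_context(ctx):
    """Return which of the checked option bits are set on an SSLContext."""
    opts = int(ctx.options)
    report = {name: bool(opts & int(bit)) for name, bit in CHECKED_OPTIONS.items()}
    report["verifies_certificates"] = ctx.verify_mode == ssl.CERT_REQUIRED
    report["checks_hostname"] = ctx.check_hostname
    return report


def set_ticket_policy(ctx, allow_tickets):
    """Set or clear OP_NO_TICKET on ctx without touching any other option."""
    opts = int(ctx.options)
    no_ticket = int(ssl.OP_NO_TICKET)
    ctx.options = (opts & ~no_ticket) if allow_tickets else (opts | no_ticket)
    return ctx


def urllib3_default_report():
    """Audit the context the installed urllib3 builds by default, if any."""
    try:
        from urllib3.util.ssl_ import create_urllib3_context
    except ImportError:
        return None  # urllib3 is not installed in this environment
    return audit_context(create_urllib3_context())


if __name__ == "__main__":
    # Constructed sample context; substitute the one your adapter builds.
    custom = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("tickets allowed :", audit_context(set_ticket_policy(custom, True)))
    print("tickets disabled:", audit_context(set_ticket_policy(custom, False)))
    print("urllib3 default :", urllib3_default_report())
```

Run it in both the broken and the fixed virtualenv and compare the `urllib3 default` line; a context passed explicitly through `ssl_context=` keeps whatever options you set on it.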

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

Version   Status
1.25.11   Fixed

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.