Jump to solution
Details

urllib3 pyopenssl.py should explictly bubble up errno from OpenSSL.SSL.SysCallError (Fix)

Fixed
Spec
Package
urllib3
Fixed In
1.26.3
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.75
#2117 ai tls Idempotency Violation Updated: 2026-02-13
Issue #2117

The Fix

pip install urllib3==1.26.3

Based on closed urllib3/urllib3 issue #2117 · PR/commit linked

Open PR/Commit
@@ -279,7 +279,7 @@ def recv(self, *args, **kwargs): return b"" else: - raise SocketError(str(e)) + raise SocketError(e.args[0], str(e)) except OpenSSL.SSL.ZeroReturnError:
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.26.3\nWhen NOT to use: This fix should not be used if the application does not require errno information.\n\n

Why This Fix Works in Production

  • Trigger: pyopenssl.py should explictly bubble up errno from OpenSSL.SSL.SysCallError
  • Mechanism: Bubbles up the errno from OpenSSL.SSL.SysCallError to the SocketError exception.
  • Why the fix works: Bubbles up the errno from OpenSSL.SSL.SysCallError to the SocketError exception. (first fixed release: 1.26.3).

Why This Breaks in Prod

  • Surfaces as: pyopenssl.py should explictly bubble up errno from OpenSSL.SSL.SysCallError

Proof / Evidence

  • GitHub issue: #2117
  • Fix PR: https://github.com/urllib3/urllib3/pull/2118
  • First fixed release: 1.26.3
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.75

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“### Context Several spots in pyopenssl catch OpenSSL.SSL.SysCallError and then reraise the exception as SocketError (an alias for socket.error). Example code: https://github.com/urllib3/urllib3/blob/83652e0fe9113fbe35f7c34ee71c2f7ed268c5f9/”
Issue thread · issue description · source

Failure Signature (Search String)

  • pyopenssl.py should explictly bubble up errno from OpenSSL.SSL.SysCallError

Error Message

Stack trace
error.txt
Error Message ------------- pyopenssl.py should explictly bubble up errno from OpenSSL.SSL.SysCallError

What Broke

Applications using urllib3 may lose critical errno information during SSL errors.

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.26.3

When NOT to use: This fix should not be used if the application does not require errno information.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/2118

First fixed release: 1.26.3

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix should not be used if the application does not require errno information.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
1.26.3 Fixed

Related Issues

No related fixes found.

Cluster: urllib3:ssl-handshake urllib3 hub urllib3 best practices All hubs All clusters
Related clusters: Configuration error Data consistency Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #2117. Not affiliated with the library maintainers. Verify before production use.