The Fix
pip install urllib3==1.26.9
Based on closed urllib3/urllib3 issue #2190 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -26,8 +26,8 @@
from .util.ssl_ import _TYPE_PEER_CERT_RET_DICT
+ from .util.ssltransport import SSLTransport
-from .util.proxy import create_proxy_ssl_context
Option A — Upgrade to fixed release\npip install urllib3==1.26.9\nWhen NOT to use: This fix should not be used if the application relies on common name verification.\n\n
Why This Fix Works in Production
- Trigger: We have a problem though: in v2 we dropped support for common name, and that fix does not remove support for common name, especially given we can't use
- Mechanism: The proxy TLS flow did not match the destination TLS flow due to dropped support for common name
- Why the fix works: Changes the proxy TLS flow to match the destination TLS flow, addressing issue #2190. (first fixed release: 1.26.9).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The proxy TLS flow did not match the destination TLS flow due to dropped support for common name
- Production symptom (often without a traceback): We have a problem though: in v2 we dropped support for common name, and that fix does not remove support for common name, especially given we can't use `hostname_checks_common_name`.
Proof / Evidence
- GitHub issue: #2190
- Fix PR: https://github.com/urllib3/urllib3/pull/2529
- First fixed release: 1.26.9
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.71
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Figuring what to do is 90% of the work for me, I didn't take time to sit down and focus on this yet”
“(To be clear, I'm not suggesting your approach is wrong! I don't want to discourage you from implementing it, but I can't confirm or deny…”
“Other PRs we may need to forward-port: - https://github.com/urllib3/urllib3/pull/2407 - https://github.com/urllib3/urllib3/pull/2419”
“@pquentin / @sethmlarson Can you guide me on the functionality here? I'll try to implement this and to write tests”
Failure Signature (Search String)
- We have a problem though: in v2 we dropped support for common name, and that fix does not remove support for common name, especially given we can't use
- That means we'll have to call `match_hostname` manually in the proxy case too and add a test. Labelling "Breaking Change" to make sure we don't release v2 without that.
Copy-friendly signature
Failure Signature
-----------------
We have a problem though: in v2 we dropped support for common name, and that fix does not remove support for common name, especially given we can't use `hostname_checks_common_name`.
That means we'll have to call `match_hostname` manually in the proxy case too and add a test. Labelling "Breaking Change" to make sure we don't release v2 without that.
Error Message
Signature-only (no traceback captured)
Error Message
-------------
We have a problem though: in v2 we dropped support for common name, and that fix does not remove support for common name, especially given we can't use `hostname_checks_common_name`.
That means we'll have to call `match_hostname` manually in the proxy case too and add a test. Labelling "Breaking Change" to make sure we don't release v2 without that.
Environment
- urllib3: 2
What Broke
TLS connections through proxies failed to verify hostnames, leading to potential security vulnerabilities.
Why It Broke
The proxy TLS flow did not match the destination TLS flow due to dropped support for common name
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.26.9
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/2529
First fixed release: 1.26.9
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if the application relies on common name verification.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.26.9 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.