The Fix
pip install urllib3==1.26.7
Based on closed urllib3/urllib3 issue #2240 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -5,7 +5,7 @@
from binascii import unhexlify
from hashlib import md5, sha1, sha256
-from typing import TYPE_CHECKING, Dict, Optional, Tuple, Union, cast, overload
+from typing import TYPE_CHECKING, Dict, Mapping, Optional, Tuple, Union, cast, overload
repro.py
[derekh@u07 urllib3]$ python
Python 3.6.8 (default, Aug 24 2020, 17:57:11)
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>> import platform
>> import urllib3
>>
>> print("OS", platform.platform())
OS Linux-4.18.0-240.22.1.el8_3.x86_64-x86_64-with-centos-8.3.2011
>> print("Python", platform.python_version())
Python 3.6.8
>> print("urllib3", urllib3.__version__)
urllib3 1.24.2
Also reproduced on the master branch
>> print("urllib3", urllib3.__version__)
urllib3 2.0.0.dev0
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.26.7\nWhen NOT to use: This fix is not applicable if the proxy does not support IPv6 or if the certificate is invalid.\n\n
Why This Fix Works in Production
- Trigger: Verifying a https certificate by the subjectAltName->"IP Address" fails when the accessing a server by IPv6 address through a Proxy
- Mechanism: The host IP used for certificate verification is wrapped in square brackets when accessed via a proxy
- Why the fix works: Strip square brackets from host IP to ensure proper certificate verification for IPv6 addresses accessed via a proxy. (first fixed release: 1.26.7).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Shows up under Python 3.6.8 in real deployments (not just unit tests).
- The host IP used for certificate verification is wrapped in square brackets when accessed via a proxy
- Production symptom (often without a traceback): Verifying a https certificate by the subjectAltName->"IP Address" fails when the accessing a server by IPv6 address through a Proxy
Proof / Evidence
- GitHub issue: #2240
- Fix PR: https://github.com/urllib3/urllib3/pull/2241
- First fixed release: 1.26.7
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.61
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“### Subject Verifying a https certificate by the subjectAltName->"IP Address" fails when the accessing a server by IPv6 address through a Proxy in the case where a proxy is used the Host IP used for comparison is wrapped in square brackets”
Failure Signature (Search String)
- Verifying a https certificate by the subjectAltName->"IP Address" fails when the accessing a server by IPv6 address through a Proxy
- Accessing the same URL via a proxy doesn't
Copy-friendly signature
signature.txt
Failure Signature
-----------------
Verifying a https certificate by the subjectAltName->"IP Address" fails when the accessing a server by IPv6 address through a Proxy
Accessing the same URL via a proxy doesn't
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
Verifying a https certificate by the subjectAltName->"IP Address" fails when the accessing a server by IPv6 address through a Proxy
Accessing the same URL via a proxy doesn't
Minimal Reproduction
repro.py
[derekh@u07 urllib3]$ python
Python 3.6.8 (default, Aug 24 2020, 17:57:11)
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>> import platform
>> import urllib3
>>
>> print("OS", platform.platform())
OS Linux-4.18.0-240.22.1.el8_3.x86_64-x86_64-with-centos-8.3.2011
>> print("Python", platform.python_version())
Python 3.6.8
>> print("urllib3", urllib3.__version__)
urllib3 1.24.2
Also reproduced on the master branch
>> print("urllib3", urllib3.__version__)
urllib3 2.0.0.dev0
Environment
- Python: 3.6.8
- urllib3: 1.24.2
What Broke
Certificate verification fails, leading to connection errors when accessing IPv6 addresses through a proxy.
Why It Broke
The host IP used for certificate verification is wrapped in square brackets when accessed via a proxy
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.26.7
When NOT to use: This fix is not applicable if the proxy does not support IPv6 or if the certificate is invalid.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/2241
First fixed release: 1.26.7
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix is not applicable if the proxy does not support IPv6 or if the certificate is invalid.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.26.7 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.