The Fix
pip install urllib3==1.26.12
Based on closed urllib3/urllib3 issue #2409 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -0,0 +1 @@
@@ -0,0 +1 @@
+Added ``proxy_assert_hostname`` and ``proxy_assert_fingerprint`` kwargs to ``ProxyManager``.
diff --git a/dummyserver/certs/README.rst b/dummyserver/certs/README.rst
index 7c712b6e15..3ee127a02b 100644
Option A — Upgrade to fixed release\npip install urllib3==1.26.12\nWhen NOT to use: Do not use if proxy verification is not required for your application.\n\n
Why This Fix Works in Production
- Trigger: Add support for assert_proxy_cert_fingerprint and assert_proxy_hostname
- Mechanism: Added parameters for proxy certificate verification in ProxyManager
- Why the fix works: Added support for assert_proxy_cert_fingerprint and assert_proxy_hostname in ProxyManager. (first fixed release: 1.26.12).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Added parameters for proxy certificate verification in ProxyManager
- Production symptom (often without a traceback): Add support for assert_proxy_cert_fingerprint and assert_proxy_hostname
Proof / Evidence
- GitHub issue: #2409
- Fix PR: https://github.com/urllib3/urllib3/pull/2702
- First fixed release: 1.26.12
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.75
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“The parameters would go on ProxyManager.__init__ and get put into the ProxyConfig object with other proxy HTTPS config parameters”
“@jalopezsilva thanks, and potentially. I believe you are saying that it is the proxy connection itself that we are testing because the destination is handled…”
“> @jalopezsilva thanks, and potentially”
“@jalopezsilva I think this is now complete / ready for review!”
Failure Signature (Search String)
- Add support for assert_proxy_cert_fingerprint and assert_proxy_hostname
- * [x] Add new parameter ``assert_proxy_cert_fingerprint``
Copy-friendly signature
Failure Signature
-----------------
Add support for assert_proxy_cert_fingerprint and assert_proxy_hostname
* [x] Add new parameter ``assert_proxy_cert_fingerprint``
Error Message
Signature-only (no traceback captured)
Error Message
-------------
Add support for assert_proxy_cert_fingerprint and assert_proxy_hostname
* [x] Add new parameter ``assert_proxy_cert_fingerprint``
What Broke
Lack of proxy certificate verification could lead to security vulnerabilities.
Why It Broke
Added parameters for proxy certificate verification in ProxyManager
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.26.12
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/2702
First fixed release: 1.26.12
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use if proxy verification is not required for your application.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.26.12 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.