urllib3 [1.26] ssl_match_hostname is not fully covered (Fix)

The Fix

pip install urllib3==1.26.8

Based on closed urllib3/urllib3 issue #2472 · PR/commit linked

Open PR/Commit

@@ -75,7 +75,6 @@
         "urllib3",
         "urllib3.packages",
-        "urllib3.packages.ssl_match_hostname",
         "urllib3.packages.backports",
         "urllib3.contrib",

fix.md

Option A — Upgrade to fixed release\npip install urllib3==1.26.8\nWhen NOT to use: Do not apply this fix if you require compatibility with Python versions below 3.5.\n\n

Why This Fix Works in Production

Trigger: [1.26] ssl_match_hostname is not fully covered
Mechanism: [1.26] Vendor ssl.match_hostname to avoid Python 3.10 deprecation warning.
Why the fix works: [1.26] Vendor ssl.match_hostname to avoid Python 3.10 deprecation warning. (first fixed release: 1.26.8).

Production impact:

If left unfixed, this can cause silent data inconsistencies that propagate (bad cache entries, incorrect downstream decisions).

Why This Breaks in Prod

Production symptom (often without a traceback): [1.26] ssl_match_hostname is not fully covered

Proof / Evidence

GitHub issue: #2472
Fix PR: https://github.com/urllib3/urllib3/pull/2448
First fixed release: 1.26.8
Reproduced locally: No (not executed)
Last verified: 2026-02-09
Confidence: 0.85
Did this fix it?: Yes (upstream fix exists)
Own content ratio: 0.72

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub

“@pquentin @SethMichaelLarson as we 1.26 is fully covered now, I think we can close this issue.”

@hramezani · 2022-02-07 · source

Failure Signature (Search String)

[1.26] ssl_match_hostname is not fully covered
https://app.codecov.io/gh/urllib3/urllib3/blob/bb3c2942702b84a9a86057044e61d7b885028471/src/urllib3/util/ssl_match_hostname.py

Copy-friendly signature

signature.txt

Failure Signature
-----------------
[1.26] ssl_match_hostname is not fully covered
https://app.codecov.io/gh/urllib3/urllib3/blob/bb3c2942702b84a9a86057044e61d7b885028471/src/urllib3/util/ssl_match_hostname.py

Error Message

Signature-only (no traceback captured)

error.txt

Error Message
-------------
[1.26] ssl_match_hostname is not fully covered
https://app.codecov.io/gh/urllib3/urllib3/blob/bb3c2942702b84a9a86057044e61d7b885028471/src/urllib3/util/ssl_match_hostname.py

What Broke

Incomplete test coverage may lead to undetected bugs in production.

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.26.8

When NOT to use: Do not apply this fix if you require compatibility with Python versions below 3.5.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/2448

First fixed release: 1.26.8

Last verified: 2026-02-09. Validate in your environment.

When NOT to Use This Fix

Do not apply this fix if you require compatibility with Python versions below 3.5.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
Upgrade behind a canary and run integration tests against the canary before 100% rollout.
Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

Version	Status
1.26.8	Fixed

Related Issues

No related fixes found.

Cluster: urllib3:data-consistency urllib3 hub urllib3 best practices All hubs All clusters

Related clusters: Configuration error SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.