Jump to solution
Verify

urllib3 socket leaked when ssl_wrap_socket fails (Fix)

Fixed
Spec
Package
urllib3
Fixed In
1.26.9
Python
3.9.10
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.39
#2570 ai tls Updated: 2026-02-13
Issue #2570

The Fix

pip install urllib3==1.26.9

Based on closed urllib3/urllib3 issue #2570 · PR/commit linked

Jump to Verify Open PR/Commit
@@ -447,17 +447,16 @@ def connect(self) -> None: sock: Union[socket.socket, "ssl.SSLSocket"] - sock = self._new_conn() + self.sock = sock = self._new_conn() hostname: str = self.host
repro.py
import pytest import urllib3 def test_requests_leak(): with pytest.raises(Exception): with urllib3.PoolManager(ca_certs=__file__) as http: http.request("GET", "https://google.com")
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.26.9\nWhen NOT to use: Do not apply this fix if the socket management logic is altered elsewhere.\n\n

Why This Fix Works in Production

  • Mechanism: The socket was not properly managed when ssl_wrap_socket failed, leading to leaks
  • Why the fix works: Avoids a socket leak when the HTTPSConnection.connect method fails. (first fixed release: 1.26.9).

Why This Breaks in Prod

  • Shows up under Python 3.9.10 in real deployments (not just unit tests).
  • The socket was not properly managed when ssl_wrap_socket failed, leading to leaks
  • Surfaces as: :

Proof / Evidence

  • GitHub issue: #2570
  • Fix PR: https://github.com/urllib3/urllib3/pull/2571
  • First fixed release: 1.26.9
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.39

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“### Subject socket leaked when ssl_wrap_socket fails ### Environment ### Steps to Reproduce ### Expected Behavior no ResourceWarning ### Actual Behavior”
Issue thread · issue description · source

Error Message

Stack trace
error.txt
Error Message ------------- : def unraisable_exception_runtest_hook() -> Generator[None, None, None]: with catch_unraisable_exception() as cm: yield if cm.unraisable: if cm.unraisable.err_msg is not None: err_msg = cm.unraisable.err_msg else: err_msg = "Exception ignored in" msg = f"{err_msg}: {cm.unraisable.object!r}\n\n" msg += "".join( traceback.format_exception( cm.unraisable.exc_type, cm.unraisable.exc_value, cm.unraisable.exc_traceback, ) ) warnings.warn(pytest.PytestUnraisableExceptionWarning(msg)) E pytest.PytestUnraisableExceptionWarning: Exception ignored in: <socket.socket fd=-1, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6> E E Traceback (most recent call last): E File "/home/graingert/projects/requests-leak/test_requests_leak.py", line 8, in test_requests_leak E http.request("GET", "https://google.com") E ResourceWarning: unclosed <socket.socket fd=14, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('192.168.99.58', 43618), raddr=('172.217.16.238', 443)>

Minimal Reproduction

repro.py
import pytest import urllib3 def test_requests_leak(): with pytest.raises(Exception): with urllib3.PoolManager(ca_certs=__file__) as http: http.request("GET", "https://google.com")

Environment

  • Python: 3.9.10
  • urllib3: 1.26.8

What Broke

ResourceWarnings were raised due to unclosed sockets, causing potential resource exhaustion.

Why It Broke

The socket was not properly managed when ssl_wrap_socket failed, leading to leaks

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.26.9

When NOT to use: Do not apply this fix if the socket management logic is altered elsewhere.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/2571

First fixed release: 1.26.9

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • Do not apply this fix if the socket management logic is altered elsewhere.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
1.26.9 Fixed

Related Issues

No related fixes found.

Cluster: urllib3:ssl-handshake urllib3 hub urllib3 best practices All hubs All clusters
Related clusters: Configuration error Data consistency Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #2570. Not affiliated with the library maintainers. Verify before production use.