The Fix
pip install urllib3==1.26.10
Based on closed urllib3/urllib3 issue #2628 · PR/commit linked
@@ -0,0 +1 @@
@@ -0,0 +1 @@
+Wrap OpenSSL.SSL.Error with ssl.SSLError in PyOpenSSLContext.load_cert_chain.
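Review bot: the added changelog line names the exception that is wrapped but not what changes for callers. Suggest wording it from the caller's side, for example that a load_cert_chain failure under the pyOpenSSL backend is now raised as ssl.SSLError. The `@@ -0,0 +1 @@` header appears twice above a single `+` line, and the src/urllib3/contrib/pyopenssl.py diff stops at its `index` line here, so the code change and any test covering the new except path have to be reviewed in the linked PR.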
diff --git a/src/urllib3/contrib/pyopenssl.py b/src/urllib3/contrib/pyopenssl.py
index 848fa23592..79eb5052fc 100644
Option A — Upgrade to fixed release
pip install urllib3==1.26.10
When NOT to use: This fix should not be applied if the error handling behavior is intentionally different.
Why This Fix Works in Production
- Trigger: PyOpenSSLContext.load_cert_chain raises OpenSSL.SSL.Error unwrapped
- Mechanism: the fix wraps OpenSSL.SSL.Error in ssl.SSLError inside PyOpenSSLContext.load_cert_chain.
- Why the fix works: callers that catch ssl.SSLError now also catch certificate-chain loading failures from the pyOpenSSL backend, so error handling is consistent (first fixed release: 1.26.10).
- If left unfixed, this can cause silent data inconsistencies that propagate (bad cache entries, incorrect downstream decisions).
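The wrapping described above can be checked with a small probe. This is an added example, not code from urllib3 or the linked PR: `BackendError`, `UnwrappedContext` and `WrappedContext` are hypothetical stand-ins that model the behaviour before and after the fix, and `pyopenssl_context` assumes urllib3 and pyOpenSSL are installed.

```python
import os
import ssl
import tempfile


class BackendError(Exception):
    """Stand-in for OpenSSL.SSL.Error, which does not derive from ssl.SSLError."""


class UnwrappedContext:
    """Hypothetical model of the failure signature: backend error escapes as-is."""

    def load_cert_chain(self, certfile, keyfile=None, password=None):
        raise BackendError("constructed backend failure for %s" % certfile)


class WrappedContext(UnwrappedContext):
    """Hypothetical model of the fixed behaviour: same failure, stdlib type."""

    def load_cert_chain(self, certfile, keyfile=None, password=None):
        try:
            super().load_cert_chain(certfile, keyfile, password)
        except BackendError as exc:
            raise ssl.SSLError("certificate chain load failed: %r" % exc) from exc


def pyopenssl_context():
    """Real backend; needs urllib3 and pyOpenSSL installed (imported lazily)."""
    from urllib3.contrib.pyopenssl import PyOpenSSLContext
    return PyOpenSSLContext(ssl.PROTOCOL_TLS)


def cert_chain_errors_are_wrapped(make_context):
    """True if a non-PEM certfile makes load_cert_chain raise ssl.SSLError,
    False if any other exception type reaches the caller."""
    ctx = make_context()
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "client.pem")
        with open(bad, "wb") as fh:
            fh.write(b"constructed sample: not a PEM certificate\n")
        try:
            ctx.load_cert_chain(bad)
        except ssl.SSLError:
            return True
        except Exception:
            return False
    raise AssertionError("non-PEM file was accepted as a certificate chain")
```

In CI, call `cert_chain_errors_are_wrapped(pyopenssl_context)` and fail the build when it returns False; `cert_chain_errors_are_wrapped(ssl.create_default_context)` gives the standard-library behaviour for comparison.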
Why This Breaks in Prod
- Shows up under Python 3.9 in real deployments (not just unit tests).
- Production symptom (often without a traceback): PyOpenSSLContext.load_cert_chain raises OpenSSL.SSL.Error unwrapped
Proof / Evidence
- GitHub issue: #2628
- Fix PR: https://github.com/urllib3/urllib3/pull/2627
- First fixed release: 1.26.10
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.74
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Closed in https://github.com/urllib3/urllib3/pull/2627”
Failure Signature (Search String)
- PyOpenSSLContext.load_cert_chain raises OpenSSL.SSL.Error unwrapped
- This was discovered due to a failure in this test for pytest_httpbin:
Error Message
Signature-only (no traceback captured)
Environment
- Python: 3.9
Fix Options (Details)
Option A — Upgrade to fixed release (safe default, recommended)
pip install urllib3==1.26.10
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/2627
First fixed release: 1.26.10
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be applied if the error handling behavior is intentionally different.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.26.10 | Fixed |
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.