The Fix
pip install urllib3==2.0.7
Based on closed urllib3/urllib3 issue #2680 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -0,0 +1 @@
@@ -0,0 +1 @@
+Removed support for the urllib3[secure] extra.
diff --git a/dev-requirements.txt b/dev-requirements.txt
index 1679aef27f..845fc98f8a 100644
repro.py
# >>> patch_requests(adapter=False)
# >>> session = requests.Session()
# >>> session.mount('https', HTTPAdapter())
# >>> session.get('https://httpbin.org/get')
if hasattr(requests.packages.urllib3.util.ssl_, '_is_key_file_encrypted'):
_is_key_file_encrypted.original = \
requests.packages.urllib3.util.ssl_._is_key_file_encrypted
requests.packages.urllib3.util.ssl_._is_key_file_encrypted = \
_is_key_file_encrypted
requests.packages.urllib3.util.ssl_.SSLContext = PyOpenSSLContext
if adapter:
requests.sessions.HTTPAdapter = HTTPAdapter
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==2.0.7\nWhen NOT to use: This fix is not applicable if your application relies on the deprecated features.\n\n
Why This Fix Works in Production
- Trigger: 'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x.
- Mechanism: The urllib3[secure] extra is deprecated due to reduced necessity for pyOpenSSL
- Why the fix works: Removes support for the deprecated urllib3[secure] extra, addressing the deprecation warnings users may encounter. (first fixed release: 2.0.7).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Triggered by an upgrade/regression window: 1.1.1 breaks; 2.0.7 is the first fixed release.
- Shows up under Python 2.7.10 in real deployments (not just unit tests).
- The urllib3[secure] extra is deprecated due to reduced necessity for pyOpenSSL
- Production symptom (often without a traceback): 'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x.
Proof / Evidence
- GitHub issue: #2680
- Fix PR: https://github.com/urllib3/urllib3/pull/3147
- First fixed release: 2.0.7
- Affected versions: 1.1.1
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.95
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.59
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“I agree with the maintainers here”
“@webknjaz Thank you for the heads up! Wasn't aware of the requests-toolbelt issue”
“You can make urllib3[secure] depend on something like urllib3-deprecated-secure and then raise a DeprecationWarning if you see that module installed You'll also be able to…”
“@sethmlarson FTR it seems like requests-toolbelt also triggers this code path: https://github.com/requests/toolbelt/blob/69e2487494b7f8a5951ed92ed014137b8381814c/requests_toolbelt/_compat.py#L56”
Failure Signature (Search String)
- 'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x.
- - ~~Ensure that your code isn't using the `urllib3.contrib.pyopenssl` module.~~ We've decided to undeprecate this module in https://github.com/urllib3/urllib3/issues/3126.
Copy-friendly signature
signature.txt
Failure Signature
-----------------
'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x.
- ~~Ensure that your code isn't using the `urllib3.contrib.pyopenssl` module.~~ We've decided to undeprecate this module in https://github.com/urllib3/urllib3/issues/3126.
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x.
- ~~Ensure that your code isn't using the `urllib3.contrib.pyopenssl` module.~~ We've decided to undeprecate this module in https://github.com/urllib3/urllib3/issues/3126.
Minimal Reproduction
repro.py
# >>> patch_requests(adapter=False)
# >>> session = requests.Session()
# >>> session.mount('https', HTTPAdapter())
# >>> session.get('https://httpbin.org/get')
if hasattr(requests.packages.urllib3.util.ssl_, '_is_key_file_encrypted'):
_is_key_file_encrypted.original = \
requests.packages.urllib3.util.ssl_._is_key_file_encrypted
requests.packages.urllib3.util.ssl_._is_key_file_encrypted = \
_is_key_file_encrypted
requests.packages.urllib3.util.ssl_.SSLContext = PyOpenSSLContext
if adapter:
requests.sessions.HTTPAdapter = HTTPAdapter
Environment
- Python: 2.7.10
- urllib3: 2
What Broke
Users encounter DeprecationWarnings when using the deprecated urllib3[secure] extra.
Why It Broke
The urllib3[secure] extra is deprecated due to reduced necessity for pyOpenSSL
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==2.0.7
When NOT to use: This fix is not applicable if your application relies on the deprecated features.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/3147
First fixed release: 2.0.7
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix is not applicable if your application relies on the deprecated features.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.1.1 | Broken |
| 2.0.7 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.