The Fix
pip install urllib3==2.0.0a4
Based on closed urllib3/urllib3 issue #2970 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -0,0 +1 @@
@@ -0,0 +1 @@
+fix ``urllib3.contrib.pyopenssl.WrappedSocket`` and ``urllib3.contrib.securetransport.WrappedSocket`` close
diff --git a/src/urllib3/contrib/pyopenssl.py b/src/urllib3/contrib/pyopenssl.py
index 8ff0326b4d..0089cd27e0 100644
repro.py
def _real_close(self, _ss=_socket.socket):
# This function should not reference any globals. See issue https://github.com/python/cpython/issues/808164.
_ss.close(self)
def close(self):
# This function should not reference any globals. See issue https://github.com/python/cpython/issues/808164.
self._closed = True
if self._io_refs <= 0:
self._real_close()
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==2.0.0a4\nWhen NOT to use: Do not use this fix if the socket management logic is altered elsewhere in the application.\n\n
Why This Fix Works in Production
- Trigger: pyopenssl.WrappedSocket and secureransport.WrappedSocket close implementation broken
- Mechanism: The close methods incorrectly decrementing _io_refs causes improper socket closure
- Why the fix works: Fixes the close implementation for pyopenssl.WrappedSocket and securetransport.WrappedSocket to prevent ResourceWarning and ensure proper socket closure. (first fixed release: 2.0.0a4).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The close methods incorrectly decrementing _io_refs causes improper socket closure
- Production symptom (often without a traceback): pyopenssl.WrappedSocket and secureransport.WrappedSocket close implementation broken
Proof / Evidence
- GitHub issue: #2970
- Fix PR: https://github.com/urllib3/urllib3/pull/2974
- First fixed release: 2.0.0a4
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.62
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“I have a fix in #2842 to fix the ResourceWarning https://github.com/urllib3/urllib3/blob/45cd5c88677f93cfdb2da5ccd9d631c004661fb1/src/urllib3/contrib/securetransport.py#L631-L650 https://github.com/urllib3/urllib3/blob/45cd5c88677f93cfdb2da5ccd9d631c004661fb1/”
“the issue is caused by the close methods incorrectly dec-refing _io_refs https://github.com/urllib3/urllib3/blob/f8fada5ed479e0e6b8440c819632b3a8c040cf65/src/urllib3/contrib/pyopenssl.py#L382-L390 https://github.com/urllib3/urllib3/blob/f8fada5ed479e0e6b8440c8”
Failure Signature (Search String)
- pyopenssl.WrappedSocket and secureransport.WrappedSocket close implementation broken
- calling `ssl_sock.close()` with a makefile open doesn't close the socket when the makefile closes, resulting in a ResourceWarning:
Copy-friendly signature
signature.txt
Failure Signature
-----------------
pyopenssl.WrappedSocket and secureransport.WrappedSocket close implementation broken
calling `ssl_sock.close()` with a makefile open doesn't close the socket when the makefile closes, resulting in a ResourceWarning:
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
pyopenssl.WrappedSocket and secureransport.WrappedSocket close implementation broken
calling `ssl_sock.close()` with a makefile open doesn't close the socket when the makefile closes, resulting in a ResourceWarning:
Minimal Reproduction
repro.py
def _real_close(self, _ss=_socket.socket):
# This function should not reference any globals. See issue https://github.com/python/cpython/issues/808164.
_ss.close(self)
def close(self):
# This function should not reference any globals. See issue https://github.com/python/cpython/issues/808164.
self._closed = True
if self._io_refs <= 0:
self._real_close()
What Broke
ResourceWarning is raised when sockets are not closed properly, leading to potential resource leaks.
Why It Broke
The close methods incorrectly decrementing _io_refs causes improper socket closure
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==2.0.0a4
When NOT to use: Do not use this fix if the socket management logic is altered elsewhere in the application.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/2974
First fixed release: 2.0.0a4
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use this fix if the socket management logic is altered elsewhere in the application.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 2.0.0a4 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.