The Fix
pip install urllib3==1.25
Based on closed urllib3/urllib3 issue #3051 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -64,5 +64,8 @@ In chronological order:
* Fixed pickle support of some exceptions
+* Boris Figovsky <[email protected]>
+ * Allowed to skip SSL hostname verification
+
repro.py
# Requests references passed from calling code.
from requests.adapters import HTTPAdapter, DEFAULT_POOLBLOCK
class IgnoreHostnameAdapter(HTTPAdapter):
def init_poolmanager(self, connections, maxsize, block=DEFAULT_POOLBLOCK, **pool_kwargs):
pool_kwargs['assert_hostname'] = False
super(IgnoreHostnameAdapter, self).init_poolmanager(connections=connections, maxsize=maxsize, block=block, **pool_kwargs)
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.25\nWhen NOT to use: This fix should not be used if strict hostname verification is required for security.\n\n
Why This Fix Works in Production
- Trigger: v2.x : Breaks `assert_hostname = False`
- Mechanism: This commit enables the use of `assert_hostname=False` to disable SSL hostname verification.
- Why the fix works: This commit enables the use of `assert_hostname=False` to disable SSL hostname verification. (first fixed release: 1.25).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Production symptom (often without a traceback): v2.x : Breaks `assert_hostname = False`
Proof / Evidence
- GitHub issue: #3051
- Fix PR: https://github.com/urllib3/urllib3/pull/194
- First fixed release: 1.25
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.52
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Hello, assert_hostname=False is definitely supposed to work: we even have an unit test for it. I'll try to reproduce locally.”
“I've been having a look this morning”
“I believe this feature is indeed not working correctly in v2.0, check_hostname isn't set to False before the handshake proceeds in the case that we're…”
“Some work in progress, it's coming down to this function in ssl.py SSLSocket.do_handshake()”
Failure Signature (Search String)
- v2.x : Breaks `assert_hostname = False`
- If I upgrade to urllib3 v2.x then my disabling of hostname checking code (based upon `assert_hostname = False` as per https://github.com/urllib3/urllib3/pull/194 and
Copy-friendly signature
signature.txt
Failure Signature
-----------------
v2.x : Breaks `assert_hostname = False`
If I upgrade to urllib3 v2.x then my disabling of hostname checking code (based upon `assert_hostname = False` as per https://github.com/urllib3/urllib3/pull/194 and https://github.com/psf/requests/pull/1405) no longer works in v2.x.
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
v2.x : Breaks `assert_hostname = False`
If I upgrade to urllib3 v2.x then my disabling of hostname checking code (based upon `assert_hostname = False` as per https://github.com/urllib3/urllib3/pull/194 and https://github.com/psf/requests/pull/1405) no longer works in v2.x.
Minimal Reproduction
repro.py
# Requests references passed from calling code.
from requests.adapters import HTTPAdapter, DEFAULT_POOLBLOCK
class IgnoreHostnameAdapter(HTTPAdapter):
def init_poolmanager(self, connections, maxsize, block=DEFAULT_POOLBLOCK, **pool_kwargs):
pool_kwargs['assert_hostname'] = False
super(IgnoreHostnameAdapter, self).init_poolmanager(connections=connections, maxsize=maxsize, block=block, **pool_kwargs)
Environment
- urllib3: 2
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.25
When NOT to use: This fix should not be used if strict hostname verification is required for security.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/194
First fixed release: 1.25
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if strict hostname verification is required for security.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.25 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.