The Fix
pip install urllib3==2.0.5
Based on closed urllib3/urllib3 issue #3126 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -0,0 +1 @@
@@ -0,0 +1 @@
+Undeprecated pyOpenSSL third-party module.
diff --git a/docs/reference/contrib/pyopenssl.rst b/docs/reference/contrib/pyopenssl.rst
index a7425b3ddf..03cda714f6 100644
Option A — Upgrade to fixed release\npip install urllib3==2.0.5\nWhen NOT to use: This fix should not be used if pyOpenSSL is not required for your application.\n\n
Why This Fix Works in Production
- Trigger: Undeprecate pyOpenSSL third-party module
- Mechanism: The pyOpenSSL module was deprecated but is needed for in-memory certificates support
- Why the fix works: Undeprecates the pyOpenSSL third-party module, ensuring it remains part of urllib3 in v2.1.0. (first fixed release: 2.0.5).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The pyOpenSSL module was deprecated but is needed for in-memory certificates support
- Production symptom (often without a traceback): Undeprecate pyOpenSSL third-party module
Proof / Evidence
- GitHub issue: #3126
- Fix PR: https://github.com/urllib3/urllib3/pull/3127
- First fixed release: 2.0.5
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.95
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.77
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“@pquentin, @illia-v and I discussed the current state of the pyOpenSSL module: - There hasn't been any community effort that we know of to pull the pyOpenSSL module out of urllib3 and support it elsewhere. - There hasn't been any addition t”
Failure Signature (Search String)
- Undeprecate pyOpenSSL third-party module
Copy-friendly signature
Failure Signature
-----------------
Undeprecate pyOpenSSL third-party module
@pquentin, @illia-v and I discussed the current state of the pyOpenSSL module:
Error Message
Signature-only (no traceback captured)
Error Message
-------------
Undeprecate pyOpenSSL third-party module
@pquentin, @illia-v and I discussed the current state of the pyOpenSSL module:
Environment
- urllib3: 2.0
Why It Broke
The pyOpenSSL module was deprecated but is needed for in-memory certificates support
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==2.0.5
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/3127
First fixed release: 2.0.5
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if pyOpenSSL is not required for your application.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 2.0.5 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.