Jump to solution
Verify

urllib3 Incorrect behaviour of `proxy_is_verified` (Fix)

Fixed
Spec
Package
urllib3
Fixed In
2.2.0
Python
3.10.12
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.69
#3130 ai tls Updated: 2026-02-13
Issue #3130

The Fix

pip install urllib3==2.2.0

Based on closed urllib3/urllib3 issue #3130 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit
@@ -0,0 +1,3 @@ @@ -0,0 +1,3 @@ +Fixed ``HTTPConnection.proxy_is_verified`` and ``HTTPSConnection.proxy_is_verified`` +to be always set to a boolean after connecting to a proxy. It could be +``None`` in some cases previously.
repro.py
import platform import ssl import urllib3 print("OS", platform.platform()) # OS macOS-13.4.1-arm64-arm-64bit print("Python", platform.python_version()) # Python 3.10.12 print(ssl.OPENSSL_VERSION) # OpenSSL 3.1.1 30 May 2023 print("urllib3", urllib3.__version__) # urllib3 1.26.14
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==2.2.0\nWhen NOT to use: Do not use this fix if the application requires strict verification for proxy connections.\n\n

Why This Fix Works in Production

  • Trigger: Incorrect behaviour of `proxy_is_verified`
  • Mechanism: The `proxy_is_verified` value is not set correctly for HTTPS to HTTP proxy connections
  • Why the fix works: Set proper `proxy_is_verified` value after connecting to proxy, ensuring it is always a boolean. (first fixed release: 2.2.0).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • Shows up under Python 3.10.12 in real deployments (not just unit tests).
  • The `proxy_is_verified` value is not set correctly for HTTPS to HTTP proxy connections
  • Production symptom (often without a traceback): Incorrect behaviour of `proxy_is_verified`

Proof / Evidence

  • GitHub issue: #3130
  • Fix PR: https://github.com/urllib3/urllib3/pull/3266
  • First fixed release: 2.2.0
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.75
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.69

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“Hey folks, I would like to solve this. lt will help unblock #3070”
@tushar5526 · 2023-09-20 · source

Failure Signature (Search String)

  • Incorrect behaviour of `proxy_is_verified`
  • print(ssl.OPENSSL_VERSION) # OpenSSL 3.1.1 30 May 2023
Copy-friendly signature
signature.txt
Failure Signature ----------------- Incorrect behaviour of `proxy_is_verified` print(ssl.OPENSSL_VERSION) # OpenSSL 3.1.1 30 May 2023

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- Incorrect behaviour of `proxy_is_verified` print(ssl.OPENSSL_VERSION) # OpenSSL 3.1.1 30 May 2023

Minimal Reproduction

repro.py
import platform import ssl import urllib3 print("OS", platform.platform()) # OS macOS-13.4.1-arm64-arm-64bit print("Python", platform.python_version()) # Python 3.10.12 print(ssl.OPENSSL_VERSION) # OpenSSL 3.1.1 30 May 2023 print("urllib3", urllib3.__version__) # urllib3 1.26.14

Environment

  • Python: 3.10.12
  • urllib3: 1.26.14

What Broke

HTTPS proxy connections to HTTP hosts result in `proxy_is_verified` being set to None, causing potential security issues.

Why It Broke

The `proxy_is_verified` value is not set correctly for HTTPS to HTTP proxy connections

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==2.2.0

When NOT to use: Do not use this fix if the application requires strict verification for proxy connections.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/3266

First fixed release: 2.2.0

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • Do not use this fix if the application requires strict verification for proxy connections.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
2.2.0 Fixed

Related Issues

No related fixes found.

Cluster: urllib3:configuration-error urllib3 hub urllib3 best practices All hubs All clusters
Related clusters: Data consistency SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #3130. Not affiliated with the library maintainers. Verify before production use.