The Fix
pip install urllib3==2.2.0
Based on closed urllib3/urllib3 issue #3287 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -0,0 +1,2 @@
@@ -0,0 +1,2 @@
+Fixed ``HTTPSConnection.is_verified`` to be set to ``False`` when connecting
+from a https proxy to a http target. It was set to ``True`` previously.
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
Option A — Upgrade to fixed release\npip install urllib3==2.2.0\nWhen NOT to use: Do not apply this fix if the proxy behavior is expected to remain unchanged.\n\n
Why This Fix Works in Production
- Trigger: - [ ] Further strict refactoring (zero functional change)
- Mechanism: Ensures that the `HTTPSConnection.is_verified` property is set to `False` when connecting from a HTTPS proxy to an HTTP target, addressing security concerns related to proxy verification.
- Why the fix works: Ensures that the `HTTPSConnection.is_verified` property is set to `False` when connecting from a HTTPS proxy to an HTTP target, addressing security concerns related to proxy verification. (first fixed release: 2.2.0).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Production symptom (often without a traceback): - [ ] Further strict refactoring (zero functional change)
Proof / Evidence
- GitHub issue: #3287
- Fix PR: https://github.com/urllib3/urllib3/pull/3283
- First fixed release: 2.2.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.76
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“I would prefer not to refactor things without a clear reason to, what needs to be refactored? And I am confused why you are linking…”
“> I won't go into this, i am not even reading this I am trying to give you feedback that will improve your experience with…”
“> > I would prefer not to refactor things without a clear reason to, > > Reason: RCFA of several bugs leads clearly to "lack…”
“@abebeos To be clear, you claim to have lots of experience in technology but none of your behaviours exhibit that to me”
Failure Signature (Search String)
- - [ ] Further strict refactoring (zero functional change)
Copy-friendly signature
Failure Signature
-----------------
- [ ] Further strict refactoring (zero functional change)
Error Message
Signature-only (no traceback captured)
Error Message
-------------
- [ ] Further strict refactoring (zero functional change)
What Broke
Security vulnerabilities could arise from improper proxy verification during HTTPS connections.
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==2.2.0
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/3283
First fixed release: 2.2.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not apply this fix if the proxy behavior is expected to remain unchanged.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
Version Compatibility Table
| Version | Status |
|---|---|
| 2.2.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.