The Fix
pip install urllib3==1.25
Based on closed urllib3/urllib3 issue #529 · PR/commit linked
@@ -50,6 +50,7 @@ class SocketServerThread(threading.Thread):
ready_event=None):
threading.Thread.__init__(self)
+ self.daemon = True
self.socket_handler = socket_handler
import flask
app = flask.Flask(__name__)
@app.route('/')
def index():
return "haha!"
app.run(ssl_context='adhoc')
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Option A — Upgrade to fixed release\npip install urllib3==1.25\nWhen NOT to use: Do not use this fix if the application relies on keeping connections open for other purposes.\n\n
Why This Fix Works in Production
- Trigger: urllib3 keeps connection open after failed fingerprint validation
- Mechanism: Connections were not closed properly after a failed fingerprint validation
- Why the fix works: Fixes the issue where urllib3 keeps connections open after a failed fingerprint validation by ensuring connections are closed in such cases. (first fixed release: 1.25).
- If left unfixed, this can cause silent data inconsistencies that propagate (bad cache entries, incorrect downstream decisions).
Why This Breaks in Prod
- Connections were not closed properly after a failed fingerprint validation
- Production symptom (often without a traceback): urllib3 keeps connection open after failed fingerprint validation
Proof / Evidence
- GitHub issue: #529
- Fix PR: https://github.com/urllib3/urllib3/pull/532
- First fixed release: 1.25
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.75
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“+1 to closing connections after a failed validation. Should be reasonably easy to port this test to our test_socketlevel.py suite. @untitaker Would you like to…”
“Also, here's a simple Flask app which will suffice for this test:”
“Yes, but please don't expect results until next week.”
“@untitaker This is open source, we expect nothing but love. :)”
Failure Signature (Search String)
- urllib3 keeps connection open after failed fingerprint validation
- p = PoolManager(assert_fingerprint=fingerprint)
Copy-friendly signature
Failure Signature
-----------------
urllib3 keeps connection open after failed fingerprint validation
p = PoolManager(assert_fingerprint=fingerprint)
Error Message
Signature-only (no traceback captured)
Error Message
-------------
urllib3 keeps connection open after failed fingerprint validation
p = PoolManager(assert_fingerprint=fingerprint)
Minimal Reproduction
import flask
app = flask.Flask(__name__)
@app.route('/')
def index():
return "haha!"
app.run(ssl_context='adhoc')
What Broke
Connections remained open, causing the server to become unresponsive after a validation failure.
Why It Broke
Connections were not closed properly after a failed fingerprint validation
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.25
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/532
First fixed release: 1.25
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use this fix if the application relies on keeping connections open for other purposes.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.25 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.