urllib3 Need to update error handling for pyOpenSSL (Fix)

The Fix

pip install urllib3==1.25

Based on closed urllib3/urllib3 issue #556 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Open PR/Commit

@@ -182,7 +182,7 @@ def recv(self, *args, **kwargs):
                 return b''
             else:
-                raise SocketError(e)
+                raise SocketError(str(e))
         except OpenSSL.SSL.ZeroReturnError as e:

fix.md

Option A — Upgrade to fixed release\npip install urllib3==1.25\nWhen NOT to use: This fix should not be applied if backward compatibility with older Python versions is required.\n\n

Why This Fix Works in Production

Trigger: TypeError: __str__ returned non-string (type SysCallError)
Mechanism: The SSLError handling in urllib3 does not properly cast OpenSSL errors to strings
Why the fix works: Resolves issue #556 by casting OpenSSL errors to strings to improve error handling. (first fixed release: 1.25).

Production impact:

If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

Shows up under Python 2.6 in real deployments (not just unit tests).
The SSLError handling in urllib3 does not properly cast OpenSSL errors to strings
Surfaces as: TypeError: __str__ returned non-string (type SysCallError)

Proof / Evidence

GitHub issue: #556
Fix PR: https://github.com/urllib3/urllib3/pull/792
First fixed release: 1.25
Reproduced locally: No (not executed)
Last verified: 2026-02-09
Confidence: 0.85
Did this fix it?: Yes (upstream fix exists)
Own content ratio: 0.73

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub

“Yea that whole process is voodoo. :/ Open to basically any kind of change. What do you have in mind?”

@shazow · 2015-02-28 · source

“Somedays I wonder if we should just fork out to golang. :P”

@shazow · 2015-02-28 · source

“A note that pyOpenSSL is no longer required for SNI in Python 2.7.9. =) Obviously I don't think that removes it from the support matrix,…”

@Lukasa · 2015-02-28 · source

“Right. I was just trying to see if that would help with the problem the user was encountering with apissl.cloudfactory.com. Works just fine otherwise but…”

@sigmavirus24 · 2015-02-28 · source

Failure Signature (Search String)

TypeError: __str__ returned non-string (type SysCallError)

Error Message

Stack trace

error.txt

Error Message
-------------
TypeError: __str__ returned non-string (type SysCallError)

Stack trace

error.txt

Error Message
-------------
requests.exceptions.ConnectionError: (<requests.packages.urllib3.connectionpool.HTTPSConnectionPool object at 0x7f3999ba18d0>, '/', "[('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]")

Environment

Python: 2.6

What Broke

Users experience connection errors with unclear messages when invalid certificates are encountered.

Why It Broke

The SSLError handling in urllib3 does not properly cast OpenSSL errors to strings

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.25

When NOT to use: This fix should not be applied if backward compatibility with older Python versions is required.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Option D — Guard side-effects with OnceOnly Guardrail for side-effects

Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.

Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.

Show example snippet (optional)

onceonly.py

from onceonly import OnceOnly
import os

once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True)

# Stable idempotency key per real side-effect.
# Use a request id / job id / webhook delivery id / Stripe event id, etc.
event_id = "evt_..."  # replace
key = f"stripe:webhook:{event_id}"

res = once.check_lock(key=key, ttl=3600)
if res.duplicate:
    return {"status": "already_processed"}

# Safe to execute the side-effect exactly once.
handle_event(event_id)

See OnceOnly SDK

When NOT to use: Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Fix reference: https://github.com/urllib3/urllib3/pull/792

First fixed release: 1.25

Last verified: 2026-02-09. Validate in your environment.

When NOT to Use This Fix

This fix should not be applied if backward compatibility with older Python versions is required.
Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
Upgrade behind a canary and run integration tests against the canary before 100% rollout.
Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

Version	Status
1.25	Fixed

Related Issues

No related fixes found.

Cluster: urllib3:configuration-error urllib3 hub urllib3 best practices All hubs All clusters

Related clusters: Data consistency SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.