The Fix
pip install urllib3==1.25
Based on closed urllib3/urllib3 issue #791 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -1,5 +1,6 @@
@@ -1,5 +1,6 @@
language: python
-script: tox
+script:
+ - ./_travis/travis-run.sh
Option A — Upgrade to fixed release\npip install urllib3==1.25\nWhen NOT to use: This fix should not be used if PyOpenSSL is not required for your application.\n\n
Why This Fix Works in Production
- Trigger: Add PyOpenSSL tests to the regular test runs.
- Mechanism: The PyOpenSSL compatibility layer was not tested under Python 3 due to lack of support
- Why the fix works: Enables testing of the PyOpenSSL logic in urllib3's CI and testing frameworks, including support for Python 3. (first fixed release: 1.25).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The PyOpenSSL compatibility layer was not tested under Python 3 due to lack of support
- Production symptom (often without a traceback): Add PyOpenSSL tests to the regular test runs.
Proof / Evidence
- GitHub issue: #791
- Fix PR: https://github.com/urllib3/urllib3/pull/795
- First fixed release: 1.25
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.79
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“I just noticed that our PyOpenSSL compatibility layer doesn't get tested under Python 3”
“Lack of PyOpenSSL support causes malfunction in requests under Python 3 https://github.com/kennethreitz/requests/issues/3006”
Failure Signature (Search String)
- Add PyOpenSSL tests to the regular test runs.
- While we're there, we should add `TestSSL` to the import from `test_socketlevel`, as the `SSL` tests are probably a good thing to have run under PyOpenSSL as well!
Copy-friendly signature
Failure Signature
-----------------
Add PyOpenSSL tests to the regular test runs.
While we're there, we should add `TestSSL` to the import from `test_socketlevel`, as the `SSL` tests are probably a good thing to have run under PyOpenSSL as well!
Error Message
Signature-only (no traceback captured)
Error Message
-------------
Add PyOpenSSL tests to the regular test runs.
While we're there, we should add `TestSSL` to the import from `test_socketlevel`, as the `SSL` tests are probably a good thing to have run under PyOpenSSL as well!
What Broke
Lack of PyOpenSSL support causes malfunction in requests under Python 3.
Why It Broke
The PyOpenSSL compatibility layer was not tested under Python 3 due to lack of support
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.25
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/795
First fixed release: 1.25
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if PyOpenSSL is not required for your application.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.25 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.