Change between 1.25.11 and 1.26.2 cause SSL issues for Proxy POST

[nickv2002]

Subject

Recently updated my docker image using Python requests and it broke my proxy communication.

Old python requests version was 2.24.0 which used urllib 1.25
New python requests version is 2.25.0 which used urllib 1.26
Diff of python request version 2.24.0 to 2.25.0

When I make a POST request though a proxy with requests version was 2.25.0 which used urllib 1.26 I now get this error

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.9/site-packages/urllib3/util/retry.py", line 573, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='hooks.slack.com', port=443): Max retries exceeded with url: /services/ABCD/1234 (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1122)')))

Reverting back to requests version was 2.24.0 which used urllib 1.25 makes everything work again

Also I have specified both the target URL and proxy server with https:// URLs.

Environment

From the WORKING version:

>>> print("OS", platform.platform())
OS Linux-4.19.108-120.el7pie-x86_64-with-glibc2.28
>>> print("Python", platform.python_version())
Python 3.9.0
>>> print("urllib3", urllib3.__version__)
urllib3 1.25.11

From the BROKEN version

>>> print("OS", platform.platform())
OS Linux-5.4.39-linuxkit-x86_64-with-glibc2.28
>>> print("Python", platform.python_version())
Python 3.9.0
>>> print("urllib3", urllib3.__version__)
urllib3 1.26.2

Steps to Reproduce

Unfortunately this is on an internal proxy system, but I hope I've helped you narrow things down.

Expected Behavior

Proxy POST accepts valid certs

Actual Behavior

Proxy POST returns error about SSL version number

[sethmlarson]

Hey @nickv2002, thanks for reporting this. Could you provide some extra information about the type of proxy you're using:

• The scheme of the proxy (https/http)
• The scheme of the target websites (https/http)
• If your proxy URL scheme is https: could you try changing it to http and see if that works?

My current guess is that your proxy URL is https but your proxy is actually configured to work like an http proxy. There was previously an issue where even if you specified an https proxy with urllib3 we would contact it like an http proxy (because http.client doesn't support HTTPS proxies until urllib3 added support in v1.26)

cc @jalopezsilva

[pquentin]

If that's the case though, with 1.25.11 you should see an InvalidProxyConfigurationWarning, see #1850 for details.

[akennerly]

@nickv2002 try this:

proxies = {
"http": None,
"https": None,
}

requests.request( [...], proxies=proxies)

I think I had the same problem as you. I moved to requests/2.25.0 and urllib3/1.26.2 and started receiving "[SSL: WRONG_VERSION_NUMBER]". I have a system proxy configured that worked with urllib3 < 1.26.0 without bypassing the proxy.

I don't know yet why 0.126.0 doesn't like my proxy.

[jalopezsilva]

@akennerly are you configuring your proxy through environment variables then? (If you're passing None to the proxies dict).

We suspect this might be an issue with proxy configuration. With urllib3 > 1.26 Your proxy needs to have the right scheme, http:// or https://, depending if it can talk TLS or not.

[akennerly]

@jalopezsilva I am/was not explicitly configuring my proxy via environment variables. It's clear to me now I was using my proxy and didn't realize it. I have looked and I don't even have proxy environment variables configured.

It's unknown to me what method requests was using to determine I had a system proxy configured in IE/Firefox/etc.

[nickv2002]

@sethmlarson thanks for your help here:

Worked on requests version 2.24.0 with urllib 1.25, but not on requests version is 2.25.0 with urllib 1.26:

proxyDict = {'https': 'https://proxy.company.com:443'}
postURL = https://hooks.slack.com/123/ABC

Works now on requests version is 2.25.0 with urllib 1.26:

proxyDict = {'https': 'http://proxy.company.com:443'}
postURL = https://hooks.slack.com/123/ABC

So I think our proxy was just configured to accept HTTP traffic on port 443 but is not actually using HTTPS. It didn't matter in the old version of urllib but matters now with the new 1.26 update.

[vgoklani]

@nickv2002 's solution worked for me too, thanks!

[sethmlarson]

Closing this as not an issue in urllib3, thanks all for the investigation.