monkey patching of urllib3

[christopher-hesse]

I'm using urllib3 and recently ran into an issue where my library would fail if pyopenssl was installed and requests was imported (by some other library).

  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/request.py", line 72, in request
    **urlopen_kw)
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/request.py", line 150, in request_encode_body
    return self.urlopen(method, url, **extra_kw)
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/poolmanager.py", line 326, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 641, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/util/retry.py", line 344, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/packages/six.py", line 685, in reraise
    raise value.with_traceback(tb)
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 603, in urlopen
    chunked=chunked)
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 344, in _make_request
    self._validate_conn(conn)
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
    conn.connect()
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/connection.py", line 370, in connect
    ssl_context=context)
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 355, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/root/miniconda3/envs/env/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 478, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])",)

This error happens when connecting to any https domain and is likely due to some mis-configured certs (though it happened on two unrelated linux machines I ran it on), but this behavior only occurs when pyopenssl is installed and requests is imported, so it's hard to test for something like this.

It looks like requests monkey patches urllib3:

requests/requests/__init__.py

Line 93 in 3e7d0a8

# Attempt to enable urllib3's SNI support, if possible

Now that I know this, I could have my library require requests, import requests, and then run urllib3.contrib.pyopenssl.extract_from_urllib3() to reverse-monkey-patch urllib3, but this seems roundabout.

Is there any reason this is enabled for versions of python > 3.2? I think a decent fix to me is that the monkey patching code is only run on the versions of python that require it.

[RasmusMathiesen]

I have this issue too, thank you for the workaround!
Couldn't find this issue on google, so here are some keywords for future googlers: requests urllib3 ssl error pyopenssl

And a few lines of code that reproduce the error, uncomment to enable workaround:

import requests
import urllib3

# urllib3.contrib.pyopenssl.extract_from_urllib3()

http = urllib3.PoolManager()
r = http.request('GET', "https://www.google.com/")

[nateprewitt]

This was resolved in #5443 and Requests no longer attempts this unless ssl isn't available through Python.