Newest version cause DeprecationWarning: 'urllib3.contrib.pyopenssl' module is deprecated
See original GitHub issueDescribe the bug
Fresh installation cause warning:
DeprecationWarning: 'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x. Read more in this issue: https://github.com/urllib3/urllib3/issues/2680
That warning somehow cause, that pytest
does not start tests.
Expected Behavior
import of botocore should not issue that warning
Current Behavior
DeprecationWarning
is issued
Reproduction Steps
after fresh installation:
(sf-new) [1]17:00:19:~/workspace/$ python -m botocore.httpsession
/home/darek/workspace/sf-new/lib/python3.10/site-packages/botocore/httpsession.py:41: DeprecationWarning: 'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x. Read more in this issue: https://github.com/urllib3/urllib3/issues/2680
from urllib3.contrib.pyopenssl import orig_util_SSLContext as SSLContext
Possible Solution
avoid import of urllib3.contrib.pyopenssl
, for more see:
https://github.com/urllib3/urllib3/issues/2680
Additional Information/Context
Workaround: enforcing version urllib3==1.26.9
solve that issue
SDK version used
Python 3.10.4 botocore 1.27.56
Environment details (OS name and version, etc.)
Linux darek-dell 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Issue Analytics
- State:
- Created a year ago
- Reactions:5
- Comments:7 (5 by maintainers)
Top Results From Across the Web
v2.0 Migration Guide - urllib3 2.0.0a1 documentation
Deprecated the urllib3.contrib.pyopenssl ... users' dependencies which will then cause issues with them upgrading to the latest version of your package.
Read more >cannot resolve urllib3 version issue - python
When I instead install version 1.26.3, it says that it is incompatible and requires 1.26.8. I keep going back and forth, it is...
Read more >urllib3 Changelog
Outdated versions of PyOpenSSL now cause the PyOpenSSL contrib module to fail when it is injected, rather than at first use. (Pull 1063)...
Read more >Tweets with replies by urllib3 (@urllib3) ...
That's a lot of DeprecationWarnings! If you see the "urllib3-secure-extra" package it means somewhere in your dependencies urllib3[secure] is being installed ...
Read more >urllib3 [python-library]
urllib3 is a powerful, user-friendly HTTP client for Python. ... Outdated versions of PyOpenSSL now cause the PyOpenSSL contrib module to fail when...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Hi @ddzialak,
Botocore doesn’t use pyopenssl, we have intentionally patched it to always use the standard library version of SSLContext. There’s a lingering import from the pyopenssl module for backwards compatibility which appears to be triggering the warning.
If we were impacted we’re already pinned to
urllib3<1.27
but this deprecation won’t take effect untilurllib3==2.0
. We’ll take a look at getting the warning suppressed, thanks for letting us know!Apologies if my last comment was unclear. This import is specifically to not use pyopenssl and avoid its import if present. We are working around a behavior of older versions of requests/urllib3, botocore has never used pyopenssl.
A simplified example of how this happens in production systems:
urllib3 patches the value of SSLContext when
inject_into_urllib3
is called to use PyOpenSSL if present. This has been fixed in newer versions of requests/urllib3, but not everyone has upgraded. Until urllib3 2.0 is the minimum supported version, this needs to stay in place, otherwise we will be increasing the usage of PyOpenSSL. That’s not an acceptable security regression for botocore.From the urllib3 team’s perspective, we actively test botocore in the urllib3 test suite itself. This is a known import that is safe behavior, so the warning doesn’t apply. Suppressing it is the best option to avoid misleading noise. The code already handles the upcoming removal gracefully.