Hello! If you're seeing one of the below messages in DeprecationWarning you're in the right place:
'urllib3[secure]' extra is deprecated and will be removed in a future release of urllib3 2.x.
'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x.
These warnings mean you're using deprecated code. But no worries! You can stop the deprecation warnings by following these steps:
If you're using Python 2.7.10 or later and OpenSSL 1.1.1+ (this is almost everyone) then you won't need the urllib3[secure] extra or urllib3.contrib.pyopenssl module. Both were necessary a long time ago, but aren't necessary any more! You can read more context below if you're interested.
If you're using an old version of Requests (i.e. <2.26.0) then you should upgrade to a newer version. Requests v2.26.0 stopped using urllib3[secure] and urllib3.contrib.pyopenssl and didn't encounter any issues for users upgrading.
If you're using an old version of Selenium (i.e. <4.4.3) then you should upgrade to a newer version. Selenium v4.4.1 stopped using urllib3[secure], but only in v4.4.3 was an appropriate dependency on certifi added.
Ensure that you're not installing urllib3[secure] anywhere, either in a requirements.txt or directly. You should remove all instances of [secure] and instead only install urllib3.
Ensure that none of your dependencies are installing the urllib3[secure] extra. We have created a list of projects using the urllib3[secure] extra which we have notified and created a PR for each but not all have responded. If you find additional packages then notifying the package about this issue is appreciated.
Ensure that none of your dependencies are using the urllib3.contrib.pyopenssl module. If you find a package that is using this module then I suggest notifying the package by pointing to this issue. We've decided to undeprecate this module in Undeprecate pyOpenSSL third-party module #3126.
Finally, to silence the DeprecationWarning, uninstall the urllib3-secure-extra package with:
$ python -m pip uninstall urllib3-secure-extra
Context
There are not nearly as many reasons to use the pyOpenSSL TLS implementation as there previously were. The primary motivations behind creating the implementation were to support SNI before it was available in Python's ssl module everywhere. Requests started using this implementation unconditionally by default but two years ago this was changed to only on Python versions without SNI support. I suspect this number is shrinking.
The [secure] extra began as a way to install all dependencies for our pyOpenSSL TLS implementation but now is only an unfortunate misnomer as it's no more secure than our default implementation on all supported Python versions.
My proposal for now is:
Create documentation for pyOpenSSL's deprecation in the docs. We'll be targeting a "future 2.x release" with the actual removal.
Begin unconditionally emitting a DeprecationWarning when urllib3.contrib.pyopenssl.inject_into_urllib3 is called and point to the documentation.
Remove the [secure] extra on as many packages as possible. If any actually require one of the dependencies (pyOpenSSL, certifi, idna) then add that dependency explicitly to their packages' install_requires. Remove use of inject_into_urllib3 if used anywhere in the package.
Search for inject_into_urllib3 on GitHub and see what we find? If there are big projects using it we should alert them.
Timeline for deprecation and removal
In a urllib3 v2.1.0:
Make the [secure] extra empty.
Make the inject_into_urllib3 function raise an exception with a URL to the documentation.
In a version after that:
Remove the [secure] extra
Remove the inject_into_urllib3 function and pyopenssl contrib module.
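The checks from the steps above (no `urllib3[secure]` in your own requirements, none declared by installed dependencies, and the `urllib3-secure-extra` package uninstalled) can be automated. This is an added example, not code from the urllib3 project; the function names and the sample requirements text are constructed for illustration.

```python
import re
from importlib import metadata

# Matches a PEP 508 requirement on urllib3 that lists extras,
# e.g. "urllib3[secure,socks]>=1.26". Does not match "urllib3-secure-extra".
_URLLIB3_EXTRAS = re.compile(r"^\s*urllib3\s*\[([^\]]*)\]", re.IGNORECASE)


def uses_secure_extra(requirement: str) -> bool:
    """True if the requirement string asks for urllib3 with the 'secure' extra."""
    m = _URLLIB3_EXTRAS.match(requirement)
    if not m:
        return False
    extras = {e.strip().lower() for e in m.group(1).split(",")}
    return "secure" in extras


def scan_requirements(text: str):
    """Return (line number, requirement) pairs from requirements.txt-style text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        spec = line.split("#", 1)[0].strip()  # drop trailing comments
        if spec and uses_secure_extra(spec):
            hits.append((lineno, spec))
    return hits


def scan_installed():
    """Map each installed distribution to its declared urllib3[secure] requirements."""
    offenders = {}
    for dist in metadata.distributions():
        reqs = [r for r in (dist.requires or []) if uses_secure_extra(r)]
        if reqs:
            offenders[dist.metadata["Name"]] = reqs
    return offenders


def secure_extra_package_installed() -> bool:
    """True if the urllib3-secure-extra package named on this page is still installed."""
    try:
        metadata.version("urllib3-secure-extra")
        return True
    except metadata.PackageNotFoundError:
        return False


# Constructed sample input, not taken from any real project.
SAMPLE = "requests>=2.26.0\nurllib3[secure]==1.26.18  # legacy pin\nurllib3[socks]>=1.26\nURLLIB3[brotli,secure]\n"

if __name__ == "__main__":
    print("requirements hits:", scan_requirements(SAMPLE))
    print("dependencies declaring urllib3[secure]:", scan_installed())
    print("urllib3-secure-extra installed:", secure_extra_package_installed())
```

Run it inside the virtual environment you want to audit; `scan_installed()` only sees distributions on that interpreter's path.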