Deprecate [secure] extra #2680

@sethmlarson

Are you seeing a DeprecationWarning?

Hello! If you're seeing one of the below messages in DeprecationWarning you're in the right place:

'urllib3[secure]' extra is deprecated and will be removed in a future release of urllib3 2.x.

'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x.

These warnings mean you're using deprecated code. But no worries! You can stop the deprecation warnings by following these steps:

  • If you're using Python 2.7.10 or later and OpenSSL 1.1.1+ (this is almost everyone) then you won't need the urllib3[secure] extra or urllib3.contrib.pyopenssl module. Both were necessary a long time ago, but aren't necessary any more! You can read more context below if you're interested.

  • If you're using an old version of Requests (i.e. <2.26.0) then you should upgrade to a newer version. Requests v2.26.0 stopped using urllib3[secure] and urllib3.contrib.pyopenssl and didn't encounter any issues for users upgrading.

  • If you're using an old version of Selenium (i.e. <4.4.3) then you should upgrade to a newer version. Selenium v4.4.1 stopped using urllib3[secure], but only in v4.4.3 was an appropriate dependency on certifi added.

  • Ensure that you're not installing urllib3[secure] anywhere, either in a requirements.txt or directly. You should remove all instances of [secure] and instead only install urllib3.

  • Ensure that your code isn't using the urllib3.contrib.pyopenssl module. We've decided to undeprecate this module in Undeprecate pyOpenSSL third-party module #3126.

  • Ensure that none of your dependencies are installing the urllib3[secure] extra. We have created a list of projects using the urllib3[secure] extra which we have notified and created a PR for each but not all have responded. If you find additional packages then notifying the package about this issue is appreciated.

  • Ensure that none of your dependencies are using the urllib3.contrib.pyopenssl module. If you find a package that is using this module then I suggest notifying the package by pointing to this issue. We've decided to undeprecate this module in Undeprecate pyOpenSSL third-party module #3126.

  • Finally, to silence the DeprecationWarning, uninstall the urllib3-secure-extra package with:

    $ python -m pip uninstall urllib3-secure-extra

Context

There are not nearly as many reasons to use the pyOpenSSL TLS implementation as there previously were. The primary motivations behind creating the implementation were to support SNI before it was available in Python's ssl module everywhere. Requests started using this implementation unconditionally by default but two years ago this was changed to only on Python versions without SNI support. I suspect this number is shrinking.

The [secure] extra began as a way to install all dependencies for our pyOpenSSL TLS implementation but now is only an unfortunate misnomer as it's no more secure than our default implementation on all supported Python versions.

My proposal for now is:

  • Create documentation for pyOpenSSL's deprecation in the docs. We'll be targeting a "future 2.x release" with the actual removal.
  • Begin unconditionally emitting a DeprecationWarning when urllib3.contrib.pyopenssl.inject_into_urllib3 is called and point to the documentation.
  • Remove the [secure] extra on as many packages as possible. If any actually require one of the dependencies (pyOpenSSL, certifi, idna) then add that dependency explicitly to their packages' install_requires. Remove use of inject_into_urllib3 if used anywhere in the package.
  • Search for inject_into_urllib3 on GitHub and see what we find? If there are big projects using it we should alert them.

Timeline for deprecation and removal

In a urllib3 v2.1.0:

  • Make the [secure] extra empty.
  • Make the inject_into_urllib3 function raise an exception with a URL to the documentation.

In a version after that:

  • Remove the [secure] extra
  • Remove the inject_into_urllib3 function and pyopenssl contrib module.
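The steps above ask you to check both your own requirements files and your installed dependencies for the urllib3[secure] extra. The script below is an added example, not part of the original issue and not urllib3 project code, showing one way to automate that check with the standard library only. The function names and the sample requirement lines are hypothetical and constructed for illustration.

```python
import re
from importlib import metadata

# PEP 508 requirement prefix: project name, then optional [extras].
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[([^\]]*)\])?")


def wants_secure_extra(requirement: str) -> bool:
    """True if a requirement string asks for urllib3 with the 'secure' extra."""
    line = requirement.split("#", 1)[0]  # drop requirements.txt comments
    m = _REQ.match(line)
    if not m:
        return False  # options such as "-r base.txt", blank lines, comments
    # PEP 503 normalisation: runs of -, _, . compare equal, case-insensitively.
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
    extras = {e.strip().lower() for e in (m.group(2) or "").split(",")}
    return name == "urllib3" and "secure" in extras


def scan_requirements(lines):
    """Return (line_number, text) for each offending line of a requirements file."""
    return [(n, l.strip()) for n, l in enumerate(lines, 1) if wants_secure_extra(l)]


def scan_installed():
    """Map each installed distribution to the urllib3[secure] requirements it declares."""
    found = {}
    for dist in metadata.distributions():
        # dist.requires is None when a distribution declares no dependencies.
        hits = [r for r in (dist.requires or []) if wants_secure_extra(r)]
        if hits:
            found[dist.metadata["Name"] or "<unknown>"] = hits
    return found


if __name__ == "__main__":
    # Constructed sample standing in for a project's requirements.txt.
    sample = ["requests==2.31.0", "urllib3[secure]==1.26.18  # pinned", "-r base.txt"]
    for lineno, text in scan_requirements(sample):
        print(f"requirements line {lineno}: {text}")
    for name, reqs in sorted(scan_installed().items()):
        print(f"installed package {name} requires: {', '.join(reqs)}")
```

`scan_installed()` also reports requirements that sit behind a dependency's own optional extra, so a hit means the package declares urllib3[secure] somewhere, not necessarily that your environment pulled it in.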
