FYI, breaking changes in Python urllib3 2.4.0

FYI: urllib3 just released 2.4.0 and there is a breaking change that might affect CI/Testing environments of client authors; it will probably not affect production environments (unless you are using a Private CA).

Now, Python 3.13 versions (and higher) will have stricter settings for SSL verification. I pinned my systems to <2.4.0, and will hopefully have a proper workaround later.

This should not affect Certificates from Public CAs.

For more info, see::

• urllib3/CHANGES.rst at main · urllib3/urllib3 · GitHub
• create_urllib3_context() should set ssl.VERIFY_X509_PARTIAL_CHAIN and ssl.VERIFY_X509_STRICT · Issue #3571 · urllib3/urllib3 · GitHub

I am going to go scream into the void now, because this took far too long to pinpoint. Github's Actions UI cut off the pip freeze debugging line I had on CI to surface breaking changes like this; I only caught this going through the raw logs.

Thanks for posting that! This saved me some time figuring out what went wrong in a broken CI pipeline, and concentrate on fixing it. (I don't like fixing things without understanding why they broke )

I wasted a few hours on this! It took me a while to realize there must have been a dependency change, and even longer to find it.

On my system, it broke against connections to Pebble. The default cert does not have the AKID.