From 7d13b6f00c7bdbcb1def445e14f9bb00f08d729a Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth.larson@elastic.co>
Date: Thu, 30 Apr 2020 08:55:53 -0500
Subject: [PATCH 1/2] Don't use pyOpenSSL unless no SNI is detected

---
 requests/__init__.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/requests/__init__.py b/requests/__init__.py
index 626247cbba..db090aa70a 100644
--- a/requests/__init__.py
+++ b/requests/__init__.py
@@ -90,14 +90,22 @@ def _check_cryptography(cryptography_version):
                   "version!".format(urllib3.__version__, chardet.__version__),
                   RequestsDependencyWarning)
 
-# Attempt to enable urllib3's SNI support, if possible
+# Attempt to enable urllib3's fallback for SNI support
+# if the standard library doesn't support SNI or the
+# 'ssl' library isn't available.
 try:
-    from urllib3.contrib import pyopenssl
-    pyopenssl.inject_into_urllib3()
+    try:
+        import ssl
+    except ImportError:
+        ssl = None
+
+    if not getattr(ssl, "HAS_SNI", False):
+        from urllib3.contrib import pyopenssl
+        pyopenssl.inject_into_urllib3()
 
-    # Check cryptography version
-    from cryptography import __version__ as cryptography_version
-    _check_cryptography(cryptography_version)
+        # Check cryptography version
+        from cryptography import __version__ as cryptography_version
+        _check_cryptography(cryptography_version)
 except ImportError:
     pass
 

From e47debf206c9995a56b66ddf0946ba35a825256d Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <sethmichaellarson@gmail.com>
Date: Fri, 1 May 2020 18:24:51 -0500
Subject: [PATCH 2/2] Add changelog entry for pyOpenSSL change

---
 HISTORY.md | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/HISTORY.md b/HISTORY.md
index e047adb67f..0b051612bd 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -4,9 +4,14 @@ Release History
 dev
 ---
 
-**Bugfixes**
+**Improvements**
+
+- pyOpenSSL TLS implementation is now only used if Python
+  either doesn't have an `ssl` module or doesn't support
+  SNI. Previously pyOpenSSL was unconditionally used if available.
+  This applies even if pyOpenSSL is installed via the
+  `requests[security]` extra (#5443)
 
--   \[Short description of non-trivial change.\]
 
 2.23.0 (2020-02-19)
 -------------------