Resolve "cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_'" in AWS Lambda

Problem Statement

When executing Python code on AWS Lambda using layers, you may encounter this runtime error:

{
  "errorMessage": "Unable to import module 'lambda_function': cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_'",
  "errorType": "Runtime.ImportModuleError"
}

This issue typically occurs when:

• Using Python 3.9 runtime (though it can happen in other versions)
• Installing libraries via layers (requests, pandas, beautifulsoup4, etc.)
• Having version conflicts between urllib3, requests, and boto3
• Using urllib3 version ≥2.0 which removed the DEFAULT_CIPHERS attribute

The core problem stems from version incompatibility between urllib3 (v2.0+) and boto3 (AWS SDK), where boto3 hasn't fully adopted the syntax changes introduced in urllib3 2.0.

Recommended Solutions

1. Pin urllib3 Version (Most Reliable Solution)

Restrict urllib3 to versions <2.0 in your layer installation:

pip install urllib3\<2 -t ./python --no-user
pip install requests -t ./python --no-user
pip install pandas -t ./python --no-user
pip install beautifulsoup4 -t ./python --no-user

Zip the layer and apply it to Lambda. This works because:

• Forces compatibility with boto3/botocore
• Maintains modern library versions
• Resolves the missing DEFAULT_CIPHERS import

::tip For requirement.txt based deployments, add:

urllib3<2

::

2. Upgrade Lambda Runtime to Python 3.10+

Newer Python runtimes include updated boto3 versions with urllib3 v2.0+ support:

1. In Lambda Configuration ➔ General configuration ➔ Edit
2. Change runtime to Python 3.10 or 3.11
3. Verify installed versions in Lambda:
   • boto3 ≥1.26.153
   • botocore ≥1.29.153

::warning After changing runtime, re-test all dependencies. Some libraries may require updates. ::

3. Pin Specific requests Version

If older requests dependencies are acceptable (not recommended long-term):

pip install requests==2.28.2 -t ./python --no-user

This installs a requests version with compatible urllib3 dependencies.

4. Docker-Based Installation (For Complex Dependencies)

Build layers using Lambda's Docker image to match AWS environment:

mkdir layer
cp requirements.txt layer/requirements.txt
docker run -ti -v $(pwd)/layer:/app -w /app \ 
  --entrypoint /bin/bash public.ecr.aws/lambda/python:3.11 \
  -c "pip3 install --target ./python -r requirements.txt"
zip -r layer.zip python

::tip Windows PowerShell users Replace $(pwd) with ${pwd} in the Docker command ::

Why These Solutions Work

The DEFAULT_CIPHERS error occurs because:

1. urllib3 2.0 removed DEFAULT_CIPHERS through refactoring
2. Older boto3/botocore versions import this removed attribute
3. Installing default versions of packages like requests pulls urllib3>=2.0

The above solutions address compatibility gaps through: Version Pinning: Explicitly controls dependency versions Runtime Updates: Uses Lambda environments with repaired compatibility Environment Matching: Ensures dependencies match Lambda's execution context

Best Practices for Prevention

1. Always pin critical dependencies in layers/requirements.txt:

   urllib3<2
   boto3>=1.26.153

2. Test layers in AWS SAM local before deployment
3. Regularly update Lambda runtimes to benefit from backported fixes
4. Use dependency isolation:

   import sys
   sys.path.insert(0, '/opt/python')

Example Solution Code

Final working deployment commands:

# Clean previous installs
rm -rf python/

# Install packages with version control
pip install urllib3\<2 -t ./python --no-user
pip install requests -t ./python --no-user
pip install pandas -t ./python --no-user
pip install beautifulsoup4 -t ./python --no-user

# Verify installed versions
./python/bin/pip freeze | grep 'urllib3\|boto3'

# Package layer
zip -r python_layer.zip python

Key Takeaways

1. The root cause is breaking changes in urllib3 ≥2.0 not yet fully supported by AWS SDK
2. Pinning urllib3<2 resolves 90% of cases (simplest solution)
3. Runtime updates to Python 3.10+ provide built-in compatibility
4. Always validate dependency versions within the Lambda environment

Use these solutions to maintain compatibility while AWS updates its SDKs. Regularly check AWS Python Support News for future urllib3 v2 support announcements.