diff -Nru python-urllib3-1.7.1/debian/changelog python-urllib3-1.7.1/debian/changelog
--- python-urllib3-1.7.1/debian/changelog	2015-03-17 19:52:53.000000000 +0000
+++ python-urllib3-1.7.1/debian/changelog	2015-10-12 16:07:15.000000000 +0000
@@ -1,3 +1,10 @@
+python-urllib3 (1.7.1-1ubuntu4) trusty-proposed; urgency=medium
+
+  * SRU: LP: #1500768.
+  * Backport pull request #385, fixing TLS verification when using a proxy.
+
+ -- Matthias Klose <doko@ubuntu.com>  Mon, 12 Oct 2015 18:03:36 +0200
+
 python-urllib3 (1.7.1-1ubuntu3) trusty-proposed; urgency=medium
 
   * SRU, update python3.4 for trusty. LP: #1348954.
diff -Nru python-urllib3-1.7.1/debian/patches/series python-urllib3-1.7.1/debian/patches/series
--- python-urllib3-1.7.1/debian/patches/series	2015-03-17 23:34:31.000000000 +0000
+++ python-urllib3-1.7.1/debian/patches/series	2015-10-12 16:07:35.000000000 +0000
@@ -6,3 +6,4 @@
 setuptools.patch
 no-sslv3.diff
 use-setuptools-for-wheel-only.diff
+tls-verification.diff
diff -Nru python-urllib3-1.7.1/debian/patches/tls-verification.diff python-urllib3-1.7.1/debian/patches/tls-verification.diff
--- python-urllib3-1.7.1/debian/patches/tls-verification.diff	1970-01-01 00:00:00.000000000 +0000
+++ python-urllib3-1.7.1/debian/patches/tls-verification.diff	2015-10-12 16:24:05.000000000 +0000
@@ -0,0 +1,32 @@
+Index: b/urllib3/connectionpool.py
+===================================================================
+--- a/urllib3/connectionpool.py
++++ b/urllib3/connectionpool.py
+@@ -124,12 +124,17 @@
+             self._tunnel()
+             self.auto_open = 0
+ 
++            # The name of the host we're requesting data from.
++            actual_host = self._tunnel_host
++        else:
++            actual_host = self.host
++
+         # Wrap socket using verification with the root certs in
+         # trusted_root_certs
+         self.sock = ssl_wrap_socket(sock, self.key_file, self.cert_file,
+                                     cert_reqs=resolved_cert_reqs,
+                                     ca_certs=self.ca_certs,
+-                                    server_hostname=self.host,
++                                    server_hostname=actual_host,
+                                     ssl_version=resolved_ssl_version)
+ 
+         if resolved_cert_reqs != ssl.CERT_NONE:
+@@ -138,7 +143,7 @@
+                                    self.assert_fingerprint)
+             elif self.assert_hostname is not False:
+                 match_hostname(self.sock.getpeercert(),
+-                               self.assert_hostname or self.host)
++                               self.assert_hostname or actual_host)
+ 
+ 
+ ## Pool objects