diff --git a/script.module.urllib3/addon.xml b/script.module.urllib3/addon.xml
index f3963e081..ba44388be 100644
--- a/script.module.urllib3/addon.xml
+++ b/script.module.urllib3/addon.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<addon id="script.module.urllib3" name="urllib3" version="1.26.18" provider-name="urllib3">
+<addon id="script.module.urllib3" name="urllib3" version="1.26.20" provider-name="urllib3">
   <requires>
     <import addon="xbmc.python" version="2.25.0" />
   </requires>
diff --git a/script.module.urllib3/lib/urllib3/_version.py b/script.module.urllib3/lib/urllib3/_version.py
index 85e725eaf..d49df2a0c 100644
--- a/script.module.urllib3/lib/urllib3/_version.py
+++ b/script.module.urllib3/lib/urllib3/_version.py
@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.18"
+__version__ = "1.26.20"
diff --git a/script.module.urllib3/lib/urllib3/connection.py b/script.module.urllib3/lib/urllib3/connection.py
index 54b96b191..de35b63d6 100644
--- a/script.module.urllib3/lib/urllib3/connection.py
+++ b/script.module.urllib3/lib/urllib3/connection.py
@@ -68,7 +68,7 @@ class BrokenPipeError(Exception):
 
 # When it comes time to update this value as a part of regular maintenance
 # (ie test_recent_date is failing) update it to ~6 months before the current date.
-RECENT_DATE = datetime.date(2022, 1, 1)
+RECENT_DATE = datetime.date(2024, 1, 1)
 
 _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
 
@@ -437,7 +437,7 @@ def connect(self):
             and self.ssl_version is None
             and hasattr(self.sock, "version")
             and self.sock.version() in {"TLSv1", "TLSv1.1"}
-        ):
+        ):  # Defensive:
             warnings.warn(
                 "Negotiating TLSv1/TLSv1.1 by default is deprecated "
                 "and will be disabled in urllib3 v2.0.0. Connecting to "
diff --git a/script.module.urllib3/lib/urllib3/connectionpool.py b/script.module.urllib3/lib/urllib3/connectionpool.py
index 5a6adcbdc..0872ed770 100644
--- a/script.module.urllib3/lib/urllib3/connectionpool.py
+++ b/script.module.urllib3/lib/urllib3/connectionpool.py
@@ -423,12 +423,13 @@ def _make_request(
             pass
         except IOError as e:
             # Python 2 and macOS/Linux
-            # EPIPE and ESHUTDOWN are BrokenPipeError on Python 2, and EPROTOTYPE is needed on macOS
+            # EPIPE and ESHUTDOWN are BrokenPipeError on Python 2, and EPROTOTYPE/ECONNRESET are needed on macOS
             # https://erickt.github.io/blog/2014/11/19/adventures-in-debugging-a-potential-osx-kernel-bug/
             if e.errno not in {
                 errno.EPIPE,
                 errno.ESHUTDOWN,
                 errno.EPROTOTYPE,
+                errno.ECONNRESET,
             }:
                 raise
 
@@ -768,7 +769,9 @@ def _is_ssl_error_message_from_http_proxy(ssl_error):
                 # so we try to cover our bases here!
                 message = " ".join(re.split("[^a-z]", str(ssl_error).lower()))
                 return (
-                    "wrong version number" in message or "unknown protocol" in message
+                    "wrong version number" in message
+                    or "unknown protocol" in message
+                    or "record layer failure" in message
                 )
 
             # Try to detect a common user error with proxies which is to
diff --git a/script.module.urllib3/lib/urllib3/util/retry.py b/script.module.urllib3/lib/urllib3/util/retry.py
index 60ef6c4f3..9a1e90d0b 100644
--- a/script.module.urllib3/lib/urllib3/util/retry.py
+++ b/script.module.urllib3/lib/urllib3/util/retry.py
@@ -235,7 +235,9 @@ class Retry(object):
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 
     #: Default headers to be used for ``remove_headers_on_redirect``
-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
 
     #: Maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
diff --git a/script.module.urllib3/lib/urllib3/util/ssl_.py b/script.module.urllib3/lib/urllib3/util/ssl_.py
index 8f867812a..f26809c76 100644
--- a/script.module.urllib3/lib/urllib3/util/ssl_.py
+++ b/script.module.urllib3/lib/urllib3/util/ssl_.py
@@ -1,11 +1,11 @@
 from __future__ import absolute_import
 
+import hashlib
 import hmac
 import os
 import sys
 import warnings
 from binascii import hexlify, unhexlify
-from hashlib import md5, sha1, sha256
 
 from ..exceptions import (
     InsecurePlatformWarning,
@@ -24,7 +24,10 @@
 ALPN_PROTOCOLS = ["http/1.1"]
 
 # Maps the length of a digest to a possible hash function producing this digest
-HASHFUNC_MAP = {32: md5, 40: sha1, 64: sha256}
+HASHFUNC_MAP = {
+    length: getattr(hashlib, algorithm, None)
+    for length, algorithm in ((32, "md5"), (40, "sha1"), (64, "sha256"))
+}
 
 
 def _const_compare_digest_backport(a, b):
@@ -191,9 +194,15 @@ def assert_fingerprint(cert, fingerprint):
 
     fingerprint = fingerprint.replace(":", "").lower()
     digest_length = len(fingerprint)
-    hashfunc = HASHFUNC_MAP.get(digest_length)
-    if not hashfunc:
+    if digest_length not in HASHFUNC_MAP:
         raise SSLError("Fingerprint of invalid length: {0}".format(fingerprint))
+    hashfunc = HASHFUNC_MAP.get(digest_length)
+    if hashfunc is None:
+        raise SSLError(
+            "Hash function implementation unavailable for fingerprint length: {0}".format(
+                digest_length
+            )
+        )
 
     # We need encode() here for py32; works on py2 and p33.
     fingerprint_bytes = unhexlify(fingerprint.encode())