What’s new in the next version of Tornado

In Progress

Backwards-compatibility notes

  • SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
  • Certificate validation will now use the system CA root certificates instead of certifi when possible (i.e. Python 2.7.9+ or 3.4+). This includes IOStream and simple_httpclient, but not curl_httpclient.
  • The default SSL configuration has become stricter, using ssl.create_default_context where available.
  • The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin, and FriendFeedMixin have been removed.


  • Improved compatibility with Windows.


  • On Python 3, catching an exception in a coroutine no longer leads to leaks via Exception.__context__.


  • The raise_error argument now works correctly with the synchronous HTTPClient.


  • PeriodicCallback is now more efficient when the clock jumps forward by a large amount.


  • SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
  • New method SSLIOStream.wait_for_handshake allows server-side applications to wait for the handshake to complete in order to verify client certificates or use NPN/ALPN.
  • The Future returned by SSLIOStream.connect now resolves after the handshake is complete instead of as soon as the TCP connection is established.
  • Reduced logging of SSL errors.
  • BaseIOStream.read_until_close now works correctly when a streaming_callback is given but callback is None (i.e. when it returns a Future)



  • New module contains locking and synchronization functionality imported from Toro.




  • Improved performance on Python 3 by reusing a single ssl.SSLContext.


  • New module contains queues imported from Toro.




  • Passing secure=False or httponly=False to RequestHandler.set_cookie now works as expected (previously only the presence of the argument was considered and its value was ignored).
  • Parsing of the If-None-Match header now follows the RFC and supports weak validators.
  • RequestHandler.get_arguments now requires that its strip argument be of type bool. This helps prevent errors caused by the slightly dissimilar interfaces between the singular and plural methods.
  • Errors raised in _handle_request_exception are now logged more reliably.
  • RequestHandler.redirect now works correctly when called from a handler whose path begins with two slashes.
  • Passing messages containing % characters to tornado.web.HTTPError no longer causes broken error messages.


  • The on_close method will no longer be called more than once.