diff --git a/dev-python/urllib3/Manifest b/dev-python/urllib3/Manifest
new file mode 100644
index 00000000..3ca389bf
--- /dev/null
+++ b/dev-python/urllib3/Manifest
@@ -0,0 +1 @@
+DIST urllib3-1.25.8.tar.gz 261077 BLAKE2B 9625c8bce484e3a0ae8b49a776377d5420a496652d75220438f8f9cfbfa96c22a6fbea29380f45f18d8620d14568056dcb3e8b6a08fe711085298d2f6b2ea870 SHA512 6e380d98d9a8b06534abfab4eb67b685a8311a091e31adcefe2b0ffc61d2b728229df067790b20358f2646e9054a546450c3351e4aa618f31d85573ea50ceaa2
diff --git a/dev-python/urllib3/files/urllib3-1.26.4-test-ssltransport.patch b/dev-python/urllib3/files/urllib3-1.26.4-test-ssltransport.patch
new file mode 100644
index 00000000..346574fe
--- /dev/null
+++ b/dev-python/urllib3/files/urllib3-1.26.4-test-ssltransport.patch
@@ -0,0 +1,31 @@
+diff --git a/test/test_ssltransport.py b/test/test_ssltransport.py
+index 72b06b006..98682bd43 100644
+--- a/test/test_ssltransport.py
++++ b/test/test_ssltransport.py
+@@ -246,6 +246,7 @@ def proxy_handler(listener):
+                 )
+                 self._read_write_loop(client_sock, upstream_sock)
+                 upstream_sock.close()
++                client_sock.close()
+ 
+         self._start_server(proxy_handler)
+ 
+@@ -274,6 +275,10 @@ def _read_write_loop(self, client_sock, server_sock, chunks=65536):
+                 if write_socket in writable:
+                     try:
+                         b = read_socket.recv(chunks)
++                        if len(b) == 0:
++                            # One of the sockets has EOFed, we return to close
++                            # both.
++                            return
+                         write_socket.send(b)
+                     except ssl.SSLEOFError:
+                         # It's possible, depending on shutdown order, that we'll
+@@ -322,6 +327,7 @@ def socket_handler(listener):
+                 request = consume_socket(ssock)
+                 validate_request(request)
+                 ssock.send(sample_response())
++            sock.close()
+ 
+         cls._start_server(socket_handler)
+ 
diff --git a/dev-python/urllib3/metadata.xml b/dev-python/urllib3/metadata.xml
new file mode 100644
index 00000000..7e9d137e
--- /dev/null
+++ b/dev-python/urllib3/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>python@gentoo.org</email>
+		<name>Python</name>
+	</maintainer>
+	<stabilize-allarches/>
+	<use>
+		<flag name="brotli">Enable support for brotli compression</flag>
+	</use>
+	<upstream>
+		<remote-id type="pypi">urllib3</remote-id>
+		<remote-id type="cpe">cpe:/a:urllib3:urllib3</remote-id>
+		<remote-id type="github">urllib3/urllib3</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/dev-python/urllib3/urllib3-1.25.8.ebuild b/dev-python/urllib3/urllib3-1.25.8.ebuild
new file mode 100644
index 00000000..0b09d4ad
--- /dev/null
+++ b/dev-python/urllib3/urllib3-1.25.8.ebuild
@@ -0,0 +1,97 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6..10} pypy3 )
+PYTHON_REQ_USE="ssl(+)"
+
+inherit distutils-r1
+
+DESCRIPTION="HTTP library with thread-safe connection pooling, file post, and more"
+HOMEPAGE="https://github.com/urllib3/urllib3"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="brotli test"
+RESTRICT="!test? ( test )"
+
+# dev-python/{pyopenssl,cryptography,idna,certifi} are optional runtime
+# dependencies. Do not add them to RDEPEND. They should be unnecessary with
+# modern versions of python (>= 3.2).
+RDEPEND="
+	>=dev-python/PySocks-1.5.8[${PYTHON_USEDEP}]
+	<dev-python/PySocks-2.0[${PYTHON_USEDEP}]
+	brotli? ( dev-python/brotlicffi[${PYTHON_USEDEP}] )
+"
+BDEPEND="
+	test? (
+		$(python_gen_cond_dep "
+			${RDEPEND}
+			dev-python/brotlicffi[\${PYTHON_USEDEP}]
+			dev-python/mock[\${PYTHON_USEDEP}]
+			dev-python/pytest[\${PYTHON_USEDEP}]
+			dev-python/pytest-freezegun[\${PYTHON_USEDEP}]
+			>=dev-python/trustme-0.5.3[\${PYTHON_USEDEP}]
+			>=www-servers/tornado-4.2.1[\${PYTHON_USEDEP}]
+		" python3_{6,7,8,9})
+	)
+"
+
+PATCHES=(
+	"${FILESDIR}/${P}-test-ssltransport.patch"
+)
+
+python_prepare_all() {
+	# tests failing if 'localhost.' cannot be resolved
+	sed -e 's:test_dotted_fqdn:_&:' \
+		-i test/with_dummyserver/test_https.py || die
+	sed -e 's:test_request_host_header_ignores_fqdn_dot:_&:' \
+		-i test/with_dummyserver/test_socketlevel.py || die
+
+	distutils-r1_python_prepare_all
+}
+
+python_test() {
+	local -x CI=1
+	# FIXME: get tornado ported
+	[[ ${EPYTHON} == python3* ]] || continue
+	# tests skipped for now
+	[[ ${EPYTHON} == python3.10 ]] && continue
+
+	local deselect=(
+		# TODO?
+		test/with_dummyserver/test_socketlevel.py::TestSocketClosing::test_timeout_errors_cause_retries
+	)
+	[[ "${EPYTHON}" == python3.10 ]] && deselect+=(
+		# Fail because they rely on warnings and there are new deprecation warnings in 3.10
+		test/with_dummyserver/test_https.py::TestHTTPS::test_verified
+		test/with_dummyserver/test_https.py::TestHTTPS::test_verified_with_context
+		test/with_dummyserver/test_https.py::TestHTTPS::test_context_combines_with_ca_certs
+		test/with_dummyserver/test_https.py::TestHTTPS::test_ca_dir_verified
+		test/with_dummyserver/test_https.py::TestHTTPS::test_ssl_correct_system_time
+		test/with_dummyserver/test_https.py::TestHTTPS::test_ssl_wrong_system_time
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_2::test_verified
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_2::test_verified_with_context
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_2::test_context_combines_with_ca_certs
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_2::test_ca_dir_verified
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_2::test_ssl_correct_system_time
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_2::test_ssl_wrong_system_time
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_2::test_default_tls_version_deprecations
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_2::test_no_tls_version_deprecation_with_ssl_version
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_2::test_no_tls_version_deprecation_with_ssl_context
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_3::test_verified
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_3::test_verified_with_context
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_3::test_context_combines_with_ca_certs
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_3::test_ca_dir_verified
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_3::test_ssl_correct_system_time
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_3::test_ssl_wrong_system_time
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_3::test_default_tls_version_deprecations
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_3::test_no_tls_version_deprecation_with_ssl_version
+		test/with_dummyserver/test_https.py::TestHTTPS_TLSv1_3::test_no_tls_version_deprecation_with_ssl_context
+	)
+
+	epytest ${deselect[@]/#/--deselect }
+}