At my workplace I have to use corporate Internet proxy server with AD/domain/ntlm authorization. I use local cntlm proxy server to authorize myself on corporate proxy. Programs are send requests to cntlm proxy without any authorization information. Cntlm proxy communicate with corporate proxy and handle all authorization stuff and return response to programs. 

But programs which use httplib, like pip, and want to open https url can't work in my network scheme. Because to open https connection httplib send to cntlm proxy 

"CONNECT encrypted.google.com:443 HTTP/1.0\r\n"

HTTP/1.0 does not assume persistent connection so corporate proxy return http response 407 (need authorization) and close connection. Cntlm proxy detect closed connection and return http response 407 to pip/httplib which can't handle this response or begin ntlm negotiation, throw exception 

ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 407 Proxy Authentication Required',))  

and close.

So I suggest change HTTP CONNECT method to 

"CONNECT %s:%d HTTP/1.1\r\n"

This change allow cntlm proxy keep alive connection to corporate proxy do all authorization stuff and return proper response. 

And also in header of httplib is stated what it is "HTTP/1.1 client library"