I have problems using a NordVPN HTTPS proxy correctly with the requests package. This is what I tried (not documented by NordVPN but their proxy runs on port 89):

requests.get('https://heise.de', proxies={'https': 'https://<username>:<password>@ch250.nordvpn.com:89'})

This gives me:

requests.exceptions.ProxyError: HTTPSConnectionPool(host='heise.de', port=443): Max retries exceeded with url: / (Caused by ProxyError('Cannot connect to proxy.', ConnectionResetError(10054, 'Eine vorhandene Verbindung wurde vom Remotehost geschlossen', None, 10054, None)))

I first thought the proxy was bad but it works fine when configured in Chrome (using 'Proxy Helper' extension).

Also openssl tells me the proxy expects TLS 1.2:

vbs@ubuntu:~$ openssl s_client ch250.nordvpn.com:89
CONNECTED(00000005)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 CN = *.nordvpn.com
verify return:1
---
Certificate chain
 0 s:CN = *.nordvpn.com
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
 1 s:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
subject=CN = *.nordvpn.com

issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3379 bytes and written 445 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0ADAEB74786F05AAF48AC9B751719AC3B245C5D6CEDC44E7CB9C1AE237B29515
    Session-ID-ctx: 
    Master-Key: 7F1F329029EBCB5B269993FB84D575EA1ACACAB6087A2AB4B91AA3144A636B0D3E00E9D110D1D256D174B230E6678D32
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1598002070
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

It's about requests 2.22.0.

Am I doing something wrong? Is this not supported somehow? Thanks!

1 Answer

Python requests has support for the plain HTTP proxy which also can securely proxy HTTPS using the CONNECT method. It has no support for a secure HTTP proxy, i.e. where the connection to the proxy itself is also protected with TLS.

As the successful TLS connection to the proxy shows, in your case a secure HTTP proxy is used, i.e. the version not supported by requests. But it looks like there is a project which adds the missing functionality, see requests-httpsproxy.


2 Comments

Ok, thank you. That explains my issues. Thanks for the hint to requests_httpsproxy. It looks good but it throws another error which is another story I guess ("NotImplementedError: Use module Crypto.Cipher.PKCS1_OAEP instead"). The scheme https:// in the proxy URL makes it clear that the communication to the proxy should be using SSL/TLS. Why is requests even trying to use non-SSL communication by sending a plain CONNECT xxx command? When seeing https:// there could be an instant error indicating HTTPS not supported or something, no? Is there a technical reason for this?
@vbs: I have no idea why requests behaves this way.
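
The difference between the two proxy types described in the answer, as an added example (not code from this thread, from requests, or from requests-httpsproxy): the CONNECT request is the same in both cases, but with an https:// proxy the socket is wrapped in TLS before CONNECT is sent, so the Proxy-Authorization credentials are not sent in clear text. The function names are hypothetical, and the proxy URL is assumed to include a port.

```python
import base64
import socket
import ssl
from urllib.parse import urlsplit, unquote


def build_connect(target_host, target_port, username=None, password=None):
    """Return the CONNECT request bytes; identical for http:// and https:// proxies."""
    lines = [f"CONNECT {target_host}:{target_port} HTTP/1.1",
             f"Host: {target_host}:{target_port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def read_status(sock):
    """Read the proxy's response head and return its numeric status code."""
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        head += chunk
    return int(head.split(b" ", 2)[1])


def open_tunnel(proxy_url, target_host, target_port=443, timeout=10):
    """Open a CONNECT tunnel; for an https:// proxy, TLS to the proxy comes first."""
    proxy = urlsplit(proxy_url)
    sock = socket.create_connection((proxy.hostname, proxy.port), timeout=timeout)
    if proxy.scheme == "https":
        # Secure proxy: verify the proxy's certificate before sending anything,
        # so the CONNECT line and the credentials travel encrypted.
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(sock, server_hostname=proxy.hostname)
    user = unquote(proxy.username) if proxy.username else None
    pwd = unquote(proxy.password) if proxy.password else None
    sock.sendall(build_connect(target_host, target_port, user, pwd))
    status = read_status(sock)
    if status != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    # The returned socket is the tunnel to the target; the target's own TLS
    # session would be layered on top of it and is not done here.
    return sock
```

A client that sends CONNECT in plain text to a proxy that expects a TLS handshake gets the connection closed, which matches the ConnectionResetError in the question.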
