clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-13 15:52:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d1bc9b4e6230f03ca2b38c769f2155cdfd161ff7
codex/codex-rs/codex-client
History
jgershen-oai 9e905528bb Fix custom CA login behind TLS-inspecting proxies (#20676) 
Refs:
https://linear.app/openai/issue/SE-6311/login-fails-for-experian-users-behind-tls-inspecting-proxy

## Summary
- When a custom CA bundle is configured, force the shared `codex-client`
reqwest builder onto rustls before registering custom roots.
- Add the `rustls-tls-native-roots` reqwest feature so the rustls client
preserves native roots plus the enterprise CA bundle.
- Add subprocess TLS coverage for both a direct local TLS 1.3 server and
a hermetic local CONNECT TLS-intercepting proxy that forwards a
token-exchange-shaped POST to a local origin.

## Plain-language explanation
Experian users are behind a TLS-inspecting proxy, so the login token
exchange needs to trust the enterprise CA bundle from
`CODEX_CA_CERTIFICATE` or `SSL_CERT_FILE`. Before this change, that
custom-CA branch still used reqwest default TLS selection, which could
fail in the proxy environment. Now, only when a custom CA is configured,
Codex selects rustls first and then adds the custom CA roots, matching
the validated behavior from the Experian test build while leaving normal
system-root clients unchanged.

The new regression test recreates the enterprise-proxy shape locally:
the probe client sends an HTTPS `POST /oauth/token` through an explicit
HTTP CONNECT proxy, the proxy presents a leaf certificate signed by a
runtime-generated test CA, decrypts the request, forwards it to a local
origin, and relays the `ok` response back.

## Scope note
- The actual production fix is the first commit: `8368119282 Fix custom
CA reqwest clients to use rustls`.
- The second commit is integration-test coverage only. It generates all
test CA and localhost certificate material at runtime.

## Validation
- `cd codex-rs && cargo test -p codex-client --test ca_env
posts_to_token_origin_through_tls_intercepting_proxy_with_custom_ca_bundle
-- --nocapture`
- `cd codex-rs && cargo test -p codex-client`
- `cd codex-rs && cargo test -p codex-login`
- `cd codex-rs && just fmt`
- `cd codex-rs && just bazel-lock-update`
- `cd codex-rs && just bazel-lock-check`
- `cd codex-rs && just fix -p codex-client`
2026-05-01 17:51:49 -07:00
..
src
Fix custom CA login behind TLS-inspecting proxies (#20676)
2026-05-01 17:51:49 -07:00
tests
Fix custom CA login behind TLS-inspecting proxies (#20676)
2026-05-01 17:51:49 -07:00
BUILD.bazel
client: extend custom CA handling across HTTPS and websocket clients (#14239)
2026-03-13 00:59:26 +00:00
Cargo.toml
Fix custom CA login behind TLS-inspecting proxies (#20676)
2026-05-01 17:51:49 -07:00
README.md
chore: proper client extraction (#6996)
2025-11-25 18:06:12 +00:00

README.md

codex-client

Generic transport layer that wraps HTTP requests, retries, and streaming primitives without any Codex/OpenAI awareness.

  • Defines HttpTransport and a default ReqwestTransport plus thin Request/Response types.
  • Provides retry utilities (RetryPolicy, RetryOn, run_with_retry, backoff) that callers plug into for unary and streaming calls.
  • Supplies the sse_stream helper to turn byte streams into raw SSE data: frames with idle timeouts and surfaced stream errors.
  • Consumed by higher-level crates like codex-api; it stays neutral on endpoints, headers, or API-specific error shapes.
Reference in New Issue View Git Blame Copy Permalink