
Honor startup custom CA bundles with managed MITM #29014

Merged: winston-openai merged 2 commits into main from dev/winston/mitm-startup-custom-ca on Jun 22, 2026
Conversation

winston-openai (Contributor) commented Jun 19, 2026

Why

When Codex starts with a custom CA override such as SSL_CERT_FILE=/path/to/corp-ca.pem codex, rustls-native-certs treats that override as a replacement for the platform trust store. The managed proxy then rewrites child CA variables to its generated bundle, so the custom root or the ordinary platform roots can be lost. The proxy's upstream TLS connector must trust the same roots or private and corporate upstream certificates still fail after interception.

What

  • load platform-native roots without consulting inherited CA override variables
  • append certificates from the existing curated startup CA file variables and SSL_CERT_DIR
  • share those platform and startup roots with the MITM upstream rustls connector
  • exclude the Codex managed MITM CA from upstream trust
  • normalize OpenSSL TRUSTED CERTIFICATE blocks while dropping trailing trust metadata
  • skip an inherited current Codex-managed bundle so nested launches do not duplicate it
  • append the Codex managed MITM CA to the child-facing bundle
  • copy certificate material only, so a private key or unrelated text colocated in a startup file is never exposed through the public bundle

This is intentionally limited to CA paths present when Codex starts. It does not parse inline shell assignments or add per-command bundle materialization.

This changes only codex-network-proxy and dependency metadata; it does not touch codex-core or sandbox orchestration.

Validation

  • just test -p codex-network-proxy
    • includes an end-to-end upstream TLS test using a server trusted only by the startup custom CA
  • just fix -p codex-network-proxy
  • just bazel-lock-check
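One way to apply the certificate-copying rules listed above (copy certificate blocks only, never keys or free text; normalize OpenSSL TRUSTED CERTIFICATE blocks by cutting them back to the certificate SEQUENCE so the trailing trust metadata is dropped; exclude the managed MITM CA from upstream trust; skip duplicates), as an added example that is not the codex-network-proxy implementation. It uses only std, with its own small base64 helpers instead of a crate, and the sample startup file, the stand-in DER SEQUENCEs and the `managed_mitm_ca()` value are constructed here for illustration.

```rust
// Added example, not the codex-network-proxy code: reduce a startup CA file to
// certificate-only DER material suitable for an upstream trust store.

const B64: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// Minimal padded base64 encoder (std has none).
pub fn b64_encode(data: &[u8]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let n = chunk.len();
        let v = ((chunk[0] as u32) << 16)
            | (((*chunk.get(1).unwrap_or(&0)) as u32) << 8)
            | ((*chunk.get(2).unwrap_or(&0)) as u32);
        out.push(B64[((v >> 18) as usize) & 63] as char);
        out.push(B64[((v >> 12) as usize) & 63] as char);
        out.push(if n > 1 { B64[((v >> 6) as usize) & 63] as char } else { '=' });
        out.push(if n > 2 { B64[(v as usize) & 63] as char } else { '=' });
    }
    out
}

/// Minimal base64 decoder; None on any byte outside the alphabet.
pub fn b64_decode(text: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in text.bytes().filter(|c| !c.is_ascii_whitespace()) {
        if c == b'=' { break; }
        acc = (acc << 6) | B64.iter().position(|&b| b == c)? as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Total size (tag + length + value) of the first DER TLV, or None if malformed.
pub fn der_tlv_len(der: &[u8]) -> Option<usize> {
    let first = *der.get(1)?;
    if first < 0x80 { return Some(2 + first as usize); }
    let n = (first & 0x7f) as usize;
    if n == 0 || n > 4 || der.len() < 2 + n { return None; }
    let len = der[2..2 + n].iter().fold(0usize, |a, &b| (a << 8) | b as usize);
    Some(2 + n + len)
}

/// Copy only certificate blocks out of `pem`. Keys and unrelated text are never
/// copied. A TRUSTED CERTIFICATE block (openssl x509 -trustout) is truncated to
/// its outer certificate SEQUENCE, which drops the trust metadata OpenSSL appends
/// after it. Any DER in `exclude` (e.g. the managed MITM CA) and duplicates are skipped.
pub fn collect_certificates(pem: &str, exclude: &[Vec<u8>]) -> Vec<Vec<u8>> {
    let mut certs: Vec<Vec<u8>> = Vec::new();
    let mut current: Option<(bool, String)> = None; // (trusted form?, base64 body)
    for line in pem.lines() {
        let line = line.trim();
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|l| l.strip_suffix("-----")) {
            current = match label {
                "CERTIFICATE" => Some((false, String::new())),
                "TRUSTED CERTIFICATE" => Some((true, String::new())),
                _ => None, // PRIVATE KEY, parameters, anything else: not copied
            };
        } else if line.starts_with("-----END ") {
            if let Some((trusted, body)) = current.take() {
                let mut der = match b64_decode(&body) { Some(d) => d, None => continue };
                if trusted {
                    match der_tlv_len(&der) {
                        Some(n) if n <= der.len() => der.truncate(n),
                        _ => continue, // malformed block: do not pass it on
                    }
                }
                if der.first() != Some(&0x30) { continue; } // a certificate is a SEQUENCE
                if exclude.contains(&der) || certs.contains(&der) { continue; }
                certs.push(der);
            }
        } else if let Some((_, body)) = current.as_mut() {
            body.push_str(line);
        }
    }
    certs
}

/// Render DER certificates as a plain PEM bundle (64-column base64 lines).
pub fn to_pem_bundle(certs: &[Vec<u8>]) -> String {
    let mut out = String::new();
    for der in certs {
        out.push_str("-----BEGIN CERTIFICATE-----\n");
        for chunk in b64_encode(der).as_bytes().chunks(64) {
            out.push_str(std::str::from_utf8(chunk).unwrap());
            out.push('\n');
        }
        out.push_str("-----END CERTIFICATE-----\n");
    }
    out
}

/// Constructed sample startup file: tiny DER SEQUENCEs stand in for real certificates.
pub fn sample_startup_file() -> String {
    let corp_root = [0x30, 0x03, 0x02, 0x01, 0x05];
    let trusted_with_metadata = [0x30, 0x03, 0x02, 0x01, 0x07, 0x30, 0x00]; // cert + trust SEQUENCE
    format!(
        "# corporate bundle (constructed)\n\
         -----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n\
         -----BEGIN TRUSTED CERTIFICATE-----\n{}\n-----END TRUSTED CERTIFICATE-----\n\
         -----BEGIN PRIVATE KEY-----\n{}\n-----END PRIVATE KEY-----\n\
         -----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n",
        b64_encode(&corp_root),
        b64_encode(&trusted_with_metadata),
        b64_encode(b"not really a key"),
        b64_encode(&corp_root), // duplicate of the first root
    )
}

/// Constructed stand-in for the Codex managed MITM CA (hypothetical value).
pub fn managed_mitm_ca() -> Vec<u8> { vec![0x30, 0x03, 0x02, 0x01, 0x09] }

fn main() {
    let mut input = sample_startup_file();
    input.push_str(&to_pem_bundle(&[managed_mitm_ca()])); // inherited managed CA colocated in the file
    let upstream = collect_certificates(&input, &[managed_mitm_ca()]);
    println!("{} upstream roots kept (key, duplicate and managed CA dropped)", upstream.len());
    print!("{}", to_pem_bundle(&upstream));
}
```

The DER vectors this returns are what would be added to an upstream root store next to the platform-native roots (an assumption about the surrounding plumbing, not shown here); the child-facing bundle is the same certificate list with the managed MITM CA appended rather than excluded. The length check on TRUSTED CERTIFICATE blocks matters because the trust metadata is inside the base64 body, so simply relabelling the block header would hand a non-certificate trailer to the TLS library.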

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f5294d02bb


Comment threads on codex-rs/network-proxy/src/certs.rs (3, outdated)
winston-openai added a commit that referenced this pull request Jun 19, 2026

viyatb-oai (Collaborator) left a comment

One question about completing the custom-CA path.

Comment thread codex-rs/network-proxy/src/certs.rs
@winston-openai winston-openai force-pushed the dev/winston/mitm-startup-custom-ca branch from 7d6e893 to 0b16e22 Compare June 19, 2026 05:55
@winston-openai winston-openai requested a review from a team as a code owner June 19, 2026 05:55
@winston-openai winston-openai changed the base branch from dev/winston/mitm-ca-key-isolation to main June 19, 2026 05:55
@winston-openai winston-openai merged commit 527ccb4 into main Jun 22, 2026
31 checks passed
@winston-openai winston-openai deleted the dev/winston/mitm-startup-custom-ca branch June 22, 2026 21:16
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 22, 2026