malsamiri-oai d5a8117e08 Use aws-lc-rs for rustls crypto provider (#27706)
## Why

Some enterprise TLS proxies issue certificate chains signed with
`ecdsa_secp521r1_sha512` / `ECDSA_NISTP521_SHA512`. Custom CA
configuration such as `SSL_CERT_FILE` can add the right trust root, but
it cannot make `rustls`'s `ring` verifier support a certificate
signature algorithm it does not advertise.

That can still break TLS after the CA bundle is configured, including on
Rust websocket paths that call the shared
`ensure_rustls_crypto_provider()` helper, such as the Responses
websocket connector and remote app-server client:

- [`codex-api/src/endpoint/responses_websocket.rs`](https://github.com/openai/codex/blob/eddc5c75ed527a8348bfcaa85692e53189600833/codex-rs/codex-api/src/endpoint/responses_websocket.rs#L441)
- [`app-server-client/src/remote.rs`](https://github.com/openai/codex/blob/eddc5c75ed527a8348bfcaa85692e53189600833/codex-rs/app-server-client/src/remote.rs#L718)

The `aws-lc-rs` `rustls` provider supports this P-521/SHA-512
certificate signature scheme, so use it as Codex's process-wide `rustls`
provider.

## What Changed

- Switch the workspace `rustls` feature from `ring` to `aws_lc_rs`.
- Update `codex-utils-rustls-provider` to install
`rustls::crypto::aws_lc_rs::default_provider()`.
- Add an assertion and integration test that the installed provider
supports `ECDSA_NISTP521_SHA512`.

## Verification

```shell
just fmt
just test -p codex-utils-rustls-provider
just bazel-lock-update
just bazel-lock-check
```
2026-06-15 11:32:13 -07:00

Rust, 27 lines, 867 B
```rust
use codex_utils_rustls_provider::ensure_rustls_crypto_provider;

// A provider that advertises no certificate signature algorithms at all, so
// that it is distinguishable from the full provider that
// `ensure_rustls_crypto_provider` would install.
const EMPTY_ALGORITHMS: rustls::crypto::WebPkiSupportedAlgorithms =
    rustls::crypto::WebPkiSupportedAlgorithms {
        all: &[],
        mapping: &[],
    };

#[test]
fn ensure_provider_preserves_preinstalled_provider() {
    // Install a marker provider first: aws-lc-rs with its signature
    // verification algorithms stripped.
    let mut provider = rustls::crypto::aws_lc_rs::default_provider();
    provider.signature_verification_algorithms = EMPTY_ALGORITHMS;
    assert!(provider.install_default().is_ok());

    // The helper must not replace an already-installed process-wide provider.
    ensure_rustls_crypto_provider();

    let Some(provider) = rustls::crypto::CryptoProvider::get_default() else {
        panic!("preinstalled rustls provider should still be installed");
    };
    // Had the helper overwritten the marker provider with the full aws-lc-rs
    // provider, ECDSA_NISTP521_SHA512 would now be supported.
    assert!(
        !provider
            .signature_verification_algorithms
            .supported_schemes()
            .contains(&rustls::SignatureScheme::ECDSA_NISTP521_SHA512)
    );
}
```
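The commit description and the test above rest on one property of rustls's process-wide provider registry: `CryptoProvider::install_default` succeeds only for the first caller and returns `Err` carrying the rejected provider afterwards, so an "ensure" helper can install `aws-lc-rs` when nothing is installed yet but can never displace a `ring` provider that some other code path installed first. The following is an added example, not code from the Codex repository or from rustls: it models that registry with `std::sync::OnceLock` so it runs without the `rustls` crate. The names `Scheme`, `Provider`, `ProviderSlot`, `PROCESS_DEFAULT`, `ring_like_provider`, `aws_lc_rs_like_provider` and `ensure_crypto_provider` are hypothetical stand-ins for `rustls::SignatureScheme`, `rustls::crypto::CryptoProvider`, its `install_default`/`get_default` pair, and `ensure_rustls_crypto_provider`; the scheme lists are constructed to reflect only what the commit states (the `ring` verifier does not advertise P-521/SHA-512, `aws-lc-rs` does).

```rust
// Added example: a std-only model of rustls's process-wide crypto provider
// slot. Not Codex or rustls code; all names below are hypothetical stand-ins.
use std::sync::{Arc, OnceLock};

/// Certificate signature schemes, modelled on `rustls::SignatureScheme`.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Scheme {
    EcdsaNistp256Sha256,
    EcdsaNistp384Sha384,
    EcdsaNistp521Sha512,
    RsaPssSha256,
}

/// A crypto provider: its backend name and the certificate signature
/// schemes its verifier advertises.
#[derive(Debug)]
pub struct Provider {
    pub name: &'static str,
    pub signature_schemes: Vec<Scheme>,
}

impl Provider {
    pub fn supports(&self, scheme: Scheme) -> bool {
        self.signature_schemes.contains(&scheme)
    }
}

/// Model of the process-wide default provider slot. Exactly one provider
/// can ever be installed; the first successful install wins.
pub struct ProviderSlot(OnceLock<Arc<Provider>>);

impl ProviderSlot {
    pub const fn new() -> Self {
        Self(OnceLock::new())
    }

    /// Model of `CryptoProvider::install_default`: `Ok` for the first
    /// install, otherwise the rejected provider is handed back as the error.
    pub fn install_default(&self, provider: Provider) -> Result<(), Arc<Provider>> {
        let provider = Arc::new(provider);
        self.0.set(Arc::clone(&provider)).map_err(|_| provider)
    }

    /// Model of `CryptoProvider::get_default`.
    pub fn get_default(&self) -> Option<&Arc<Provider>> {
        self.0.get()
    }
}

/// The one slot a real process has; tests below use private slots instead.
pub static PROCESS_DEFAULT: ProviderSlot = ProviderSlot::new();

/// Constructed stand-in for the `ring`-backed provider: no P-521/SHA-512.
pub fn ring_like_provider() -> Provider {
    Provider {
        name: "ring",
        signature_schemes: vec![
            Scheme::EcdsaNistp256Sha256,
            Scheme::EcdsaNistp384Sha384,
            Scheme::RsaPssSha256,
        ],
    }
}

/// Constructed stand-in for the `aws-lc-rs`-backed provider, which does
/// advertise ECDSA P-521 with SHA-512.
pub fn aws_lc_rs_like_provider() -> Provider {
    Provider {
        name: "aws-lc-rs",
        signature_schemes: vec![
            Scheme::EcdsaNistp256Sha256,
            Scheme::EcdsaNistp384Sha384,
            Scheme::EcdsaNistp521Sha512,
            Scheme::RsaPssSha256,
        ],
    }
}

/// Model of `ensure_rustls_crypto_provider`: install the aws-lc-rs-like
/// provider only if the slot is still empty, then return whatever is in
/// effect. A provider installed earlier by other code is left untouched,
/// which is exactly what the test file above checks.
pub fn ensure_crypto_provider(slot: &ProviderSlot) -> &Arc<Provider> {
    if slot.get_default().is_none() {
        // If a concurrent caller wins the race, the slot is still filled,
        // so the rejected provider can simply be dropped.
        let _ = slot.install_default(aws_lc_rs_like_provider());
    }
    slot.get_default().expect("a provider is installed after ensure")
}

fn main() {
    let provider = ensure_crypto_provider(&PROCESS_DEFAULT);
    println!(
        "installed provider: {}, P-521/SHA-512 supported: {}",
        provider.name,
        provider.supports(Scheme::EcdsaNistp521Sha512)
    );
}
```

The diagnostic consequence for operators is the second half of the model: when a P-521-signed proxy chain still fails after `SSL_CERT_FILE` is set, check which provider was installed first in the process, because a `ring` provider that won the slot earlier leaves the scheme unsupported no matter what the ensure helper later tries to install.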