feat: Support custom CA bundle for corporate SSL inspection#88
Merged
huseyinbabal merged 2 commits intomasterfrom Jan 15, 2026
Merged
feat: Support custom CA bundle for corporate SSL inspection#88huseyinbabal merged 2 commits intomasterfrom
huseyinbabal merged 2 commits intomasterfrom
Conversation
Add support for AWS_CA_BUNDLE and SSL_CERT_FILE environment variables to allow taws to work behind corporate proxies with SSL inspection. Changes: - New src/aws/tls.rs module for TLS configuration utilities - Load and cache CA certificates from AWS_CA_BUNDLE or SSL_CERT_FILE - Support PEM files with multiple certificates (certificate chains) - Apply custom CA to all HTTP clients (AWS API, SSO, STS AssumeRole) - Add connect timeout (10s) and request timeout (30s) to prevent hangs - Log warnings when CA bundle file is missing or invalid The CA bundle is loaded once and cached for the lifetime of the application. If neither environment variable is set, taws uses the default webpki-roots CA bundle. This enables taws to work in corporate environments where: - SSL/TLS inspection proxies intercept HTTPS traffic - Corporate CA certificates are not in the default trust store - AWS CLI works when AWS_CA_BUNDLE is set Closes #66
…undle
- Parse certificates individually from PEM bundle instead of as a single blob
- Use binary search to efficiently filter out invalid certificates
- Skip certificates that rustls cannot validate (e.g., unsupported extensions)
- Keep built-in root certs when adding custom CA certificates
- Add better debug logging with {:?} format for error details
This fixes the 'UnsupportedCriticalExtension' error when using CA bundles
from corporate environments with SSL inspection proxies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add support for
AWS_CA_BUNDLEandSSL_CERT_FILEenvironment variables to allow taws to work behind corporate proxies with SSL inspection.Closes #66
Problem
In corporate environments with SSL inspection, taws hangs or fails because:
Solution
New TLS Module (
src/aws/tls.rs)AWS_CA_BUNDLEorSSL_CERT_FILETimeouts
Updated Components
src/aws/http.rs- Main AWS API clientsrc/aws/sso.rs- SSO OIDC clientssrc/aws/credentials.rs- STS AssumeRole clientUsage
The PEM file can contain multiple certificates. This is the same environment variable used by AWS CLI, so if AWS CLI works with your CA bundle, taws should work too.
Testing
Notes