openai · 3axap4eHko · Nov 18, 2025 · Nov 19, 2025 · Nov 20, 2025 · Dec 12, 2025
diff --git a/codex-rs/Cargo.lock b/codex-rs/Cargo.lock
diff --git a/codex-rs/Cargo.toml b/codex-rs/Cargo.toml
@@ -181,6 +181,7 @@ regex = "1.12.2"
 regex-lite = "0.1.7"
 reqwest = "0.12"
 rmcp = { version = "0.12.0", default-features = false }
+rustls-pki-types = "1.13.0"
 schemars = "0.8.22"
 seccompiler = "0.5.0"
 sentry = "0.46.0"

diff --git a/codex-rs/login/Cargo.toml b/codex-rs/login/Cargo.toml
@@ -14,6 +14,7 @@ codex-core = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 rand = { workspace = true }
 reqwest = { workspace = true, features = ["json", "blocking"] }
+rustls-pki-types = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 sha2 = { workspace = true }
@@ -32,6 +33,8 @@ webbrowser = { workspace = true }
 
 [dev-dependencies]
 anyhow = { workspace = true }
+assert_cmd = { workspace = true }
 core_test_support = { workspace = true }
+pretty_assertions = { workspace = true }
 tempfile = { workspace = true }
 wiremock = { workspace = true }
diff --git a/codex-rs/login/src/bin/login_ca_probe.rs b/codex-rs/login/src/bin/login_ca_probe.rs
@@ -0,0 +1,23 @@
+//! Helper binary for exercising custom CA environment handling in tests.
+//!
+//! The login flows honor `CODEX_CA_CERTIFICATE` and `SSL_CERT_FILE`, but those
+//! environment variables are process-global and unsafe to mutate in parallel
+//! test execution. This probe keeps the behavior under test while letting
+//! integration tests (`tests/ca_env.rs`) set env vars per-process, proving:
+//! - env precedence is respected,
+//! - multi-cert PEM bundles load,
+//! - error messages guide users when CA files are invalid.
+
+use std::process;
+
+fn main() {
+    match codex_login::build_login_http_client() {
+        Ok(_) => {
+            println!("ok");
+        }
+        Err(error) => {
+            eprintln!("{error}");
+            process::exit(1);
+        }
+    }
+}
diff --git a/codex-rs/login/src/device_code_auth.rs b/codex-rs/login/src/device_code_auth.rs
@@ -8,6 +8,7 @@ use std::time::Instant;
 
 use crate::pkce::PkceCodes;
 use crate::server::ServerOptions;
+use crate::server::build_login_http_client;
 use std::io;
 
 const ANSI_BLUE: &str = "\x1b[94m";
@@ -151,7 +152,7 @@ fn print_device_code_prompt(code: &str) {
 
 /// Full device code login flow.
 pub async fn run_device_code_login(opts: ServerOptions) -> std::io::Result<()> {
-    let client = reqwest::Client::new();
+    let client = build_login_http_client()?;
     let base_url = opts.issuer.trim_end_matches('/');
     let api_base_url = format!("{}/api/accounts", opts.issuer.trim_end_matches('/'));
     let uc = request_user_code(&client, &api_base_url, &opts.client_id).await?;

diff --git a/codex-rs/login/src/lib.rs b/codex-rs/login/src/lib.rs
@@ -6,6 +6,7 @@ pub use device_code_auth::run_device_code_login;
 pub use server::LoginServer;
 pub use server::ServerOptions;
 pub use server::ShutdownHandle;
+pub use server::build_login_http_client;
 pub use server::run_login_server;
 
 // Re-export commonly used auth types and helpers from codex-core for compatibility