fix: respect UIPATH_DISABLE_SSL_VERIFY in boto3 bedrock client#712
Open
smflorentino wants to merge 2 commits intomainfrom
Open
fix: respect UIPATH_DISABLE_SSL_VERIFY in boto3 bedrock client#712smflorentino wants to merge 2 commits intomainfrom
smflorentino wants to merge 2 commits intomainfrom
Conversation
The boto3/urllib3 HTTP path used for Anthropic models did not check UIPATH_DISABLE_SSL_VERIFY, causing SSL failures in environments with self-signed certificates (e.g. HDENS) even when the env var was set. The httpx path (GPT models) already respected it. Pass verify=False to boto3 session.client() when the env var is set, using the new is_ssl_verification_disabled() from uipath-platform. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Requires is_ssl_verification_disabled() added in uipath-platform 0.1.1. Also updates range upper bound from <0.1.0 to <0.2.0. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
smflorentino
force-pushed
the
fix/bedrock-ssl-verify-parity
branch
from
244ea33 to
29b13eb
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
GPT/OpenAI models and Anthropic/Bedrock models use different HTTP client stacks to talk to the LLM Gateway, even though both hit the same AgentHub endpoint:
UiPathChatOpenAIuseshttpx, which goes throughcreate_ssl_context()in_http_config.py. This respectsUIPATH_DISABLE_SSL_VERIFYandtruststore(OS system certs).UiPathChatBedrockConverseusesboto3/urllib3, which creates its own SSL context internally. It never callscreate_ssl_context()and does not checkUIPATH_DISABLE_SSL_VERIFY.In environments with self-signed certificates in the TLS chain, the httpx path works (it trusts the cert via
truststoreor the disable flag), but the boto3 path fails withSSL: CERTIFICATE_VERIFY_FAILED.Changes
is_ssl_verification_disabled()fromuipath-platform(new in 0.1.1)_get_verify()toAwsBedrockCompletionsPassthroughClientverify=to bothsession.client()calls (get_client()andget_bedrock_client())Companion PR
is_ssl_verification_disabledfrom uipath-platform 0.1.1)Test plan
TestSslVerification(5 tests) covering default verify=True and disabled verify=False for both clientsUIPATH_DISABLE_SSL_VERIFY=trueuv sync --lockeduntiluipath-platform 0.1.1is published. After merge of companion PR, runuv cache clean uipath-platform && uv lock --refreshand push the updateduv.lock.