[BUG] TLS/SSL fails behind corporate proxies in v3.16.4+ (blocks Bedrock)

[pballou]

Type

Bug

Problem / Value

Users on corporate networks with SSL-inspecting proxies can’t use Roo Code because TLS/SSL checks fail, blocking AWS Bedrock and some OpenAI‑compatible providers. This prevents work in enterprise environments.

Context

• Affects v3.16.4 and newer; failure occurs before any model call.
• Common setup: corporate proxy with custom or self‑signed CA; AWS SSO profile for Bedrock.
• Reports include Windows native failures (works in WSL for some) and TLS protocol alerts when trying VPC endpoints.
• Status: A fix is in progress (PR fix(bedrock): honor VS Code proxy and custom CA to enable TLS behind corporate proxies #7081) to honor VS Code proxy settings and custom certificates.

Reproduction

1. Be on a corporate network that proxies/inspects TLS with a custom certificate.
2. Authenticate to AWS via SSO and select the SSO-backed profile in Roo Code.
3. Use Roo Code v3.16.4+ and configure the AWS Bedrock provider.
4. Try an action that talks to Bedrock (e.g., refresh models or start a chat).

Expected result:

• Roo Code connects successfully without SSL errors.

Actual result:

• Connection fails with TLS/SSL validation errors.

Variations tried

• Using a Bedrock VPC endpoint led to a TLS protocol version alert for one user.
• A self‑signed OpenAI‑compatible endpoint fails on Windows native but works in WSL for another user.

Constraints/Preferences (optional)

• Honor OS/VS Code proxy configuration and enterprise certificate stores.
• Provide a secure, admin‑controlled way to trust a custom CA/self‑signed cert.
• Work on Windows without requiring WSL.
• If needed, allow safe configuration of supported TLS protocol versions.

[dosubot[bot]]

Hi @pballou! I'm Dosu and I’m helping the Roo-Code team.

There’s no documented way to bypass strict SSL validation or trust custom SSL certificates in Roo Code v3.16.4+—and no settings or patches address this directly. However, starting with v3.19, Roo Code supports configuring custom VPC endpoints for AWS Bedrock, which lets you route all API calls through your corporate network and may help resolve SSL issues with corporate proxies. You can enable this by checking “Use VPC Endpoint” in the AWS Bedrock provider settings and entering your VPC endpoint URL. This feature is designed for enterprise environments with strict network security requirements and is described in the official docs and release notes.

If upgrading to v3.19+ and using a VPC endpoint isn’t an option, there’s no documented workaround for the SSL validation error in earlier versions.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}   

[jmonasterio]

Don't know if related, but I get TLS errors when I try to use VPC endpoint.

Error: Unknown Error: The pending stream has been canceled (caused by: 275200:error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION:....\third_party\boringssl\src\ssl\tls_record.cc:489:SSL alert number 70
)

Anyway to force TLS1.2 or TLS1.3 on endpoint?

[jshelman]

my team also needs a solution for self-signed certs as we use a custom openai-compatible provider that has a self-signed certificate and not able to get this to work in windows native. Only for WSL.

[makandre]

How about self-signed certs on remote MCP servers that may or may not be behind a proxy? Is that a separate discussion or is it covered under this?