bt CLI fails on corporate networks with TLS inspection (Zscaler, Netskope, etc.) #84

@hansmire

Description

Problem

The bt CLI (v0.3.0) fails with error: network error: error sending request for url (https://www.braintrust.dev/api/apikey/login) on corporate networks that use TLS-inspecting proxies (e.g., Zscaler, Netskope, Palo Alto). These proxies intercept HTTPS traffic and re-sign it with a corporate CA certificate that's installed in the OS trust store.

Root cause

bt uses reqwest with the rustls-tls feature, which bundles Mozilla's webpki-roots as the only trusted CAs. This means bt ignores the system certificate store entirely. Corporate proxy CAs (like Zscaler's) are trusted by the OS but not by webpki-roots, so the TLS handshake fails.

From Cargo.toml:

reqwest = { version = "0.12.7", default-features = false, features = ["json", "rustls-tls"] }
oauth2 = { version = "4.4", default-features = false, features = ["reqwest", "rustls-tls"] }

Verification

  • curl to the same endpoint succeeds (it reads the system CA bundle via SSL_CERT_FILE)
  • openssl s_client confirms the Zscaler intermediate CA is signing www.braintrust.dev
  • The Zscaler root CA is installed in the macOS system keychain
  • Setting SSL_CERT_FILE, REQUESTS_CA_BUNDLE, or REQWEST_CA_BUNDLE has no effect since rustls with webpki-roots doesn't read env vars

Suggested fix

Change rustls-tls to rustls-tls-native-roots in both dependency lines. This swaps webpki-roots for rustls-native-certs, which reads the OS certificate store (macOS Keychain, Windows cert store, or OpenSSL dirs on Linux):

reqwest = { version = "0.12.7", default-features = false, features = ["json", "rustls-tls-native-roots"] }
oauth2 = { version = "4.4", default-features = false, features = ["reqwest", "rustls-tls"] }  # check if oauth2 supports native-roots too

This is a common issue for Rust CLIs on corporate networks — many projects (e.g., cargo itself) have made this same change.

Environment

  • macOS (arm64)
  • Zscaler TLS inspection
  • bt v0.3.0
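
The root cause and suggested fix above can be turned into a manifest check, shown here as an added example that is not part of the original issue or the bt code base. It assumes single-line dependency entries like the ones quoted, and it also treats `rustls-tls-webpki-roots` (the explicit reqwest feature name, which does not appear in the issue) as bundled roots.

```rust
// Added example: report dependencies whose TLS features trust only the
// bundled webpki-roots. Covers the single-line form quoted in the issue;
// multi-line [dependencies.x] tables are out of scope.

/// Quoted entries of the `features = [...]` array on one manifest line.
fn features(line: &str) -> Vec<&str> {
    let Some(start) = line.find("features") else { return Vec::new() };
    let rest = &line[start..];
    let (Some(open), Some(close)) = (rest.find('['), rest.find(']')) else {
        return Vec::new();
    };
    if close < open { return Vec::new(); }
    rest[open + 1..close]
        .split(',')
        .map(|f| f.trim().trim_matches('"'))
        .filter(|f| !f.is_empty())
        .collect()
}

/// Names of dependencies that request rustls with bundled roots and do not
/// also request the OS trust store.
pub fn bundled_roots_only(manifest: &str) -> Vec<String> {
    let mut flagged = Vec::new();
    for raw in manifest.lines() {
        // Strip trailing comments so a hint in a comment is not counted.
        let line = raw.split('#').next().unwrap_or("").trim();
        let Some((name, _)) = line.split_once('=') else { continue };
        let feats = features(line);
        let bundled = feats.iter().any(|f| matches!(*f, "rustls-tls" | "rustls-tls-webpki-roots"));
        let native = feats.contains(&"rustls-tls-native-roots");
        if bundled && !native {
            flagged.push(name.trim().to_string());
        }
    }
    flagged
}

// Constructed inputs: the dependency lines from the issue, before and after.
pub const BEFORE: &str = r##"[dependencies]
reqwest = { version = "0.12.7", default-features = false, features = ["json", "rustls-tls"] }
oauth2 = { version = "4.4", default-features = false, features = ["reqwest", "rustls-tls"] }"##;
pub const AFTER: &str = r##"[dependencies]
reqwest = { version = "0.12.7", default-features = false, features = ["json", "rustls-tls-native-roots"] }
oauth2 = { version = "4.4", default-features = false, features = ["reqwest", "rustls-tls"] }  # check if oauth2 supports native-roots too"##;

fn main() {
    println!("before: {:?}", bundled_roots_only(BEFORE));
    println!("after:  {:?}", bundled_roots_only(AFTER));
}
```

Run against the suggested fix, the check still reports the `oauth2` line, which is the open question the issue's inline comment raises.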
