From 3606bbf7c26f657452a7d5b9a6b28d40067f6598 Mon Sep 17 00:00:00 2001
From: "chris.smith"
Date: Fri, 15 May 2026 12:44:34 -0400
Subject: [PATCH 1/2] fix(ssl): Pass CA bundle env vars to curl on macOS
On macOS, sentry-cli links system libcurl which uses SecureTransport as its TLS backend. SecureTransport ignores SSL_CERT_FILE, so custom CA bundles (e.g. corporate MITM proxies) don't work even though openssl_probe sets the env var. This reads SSL_CERT_FILE (or CURL_CA_BUNDLE) back and passes it via CURLOPT_CAINFO, which SecureTransport does honor.
Generated with AI
Co-Authored-By: Claude Code
---
 src/api/mod.rs | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/api/mod.rs b/src/api/mod.rs
index b53e034953..8753c5c6bb 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -242,6 +242,12 @@ impl Api {
 handle.ssl_verify_host(self.config.should_verify_ssl())?;
 handle.ssl_verify_peer(self.config.should_verify_ssl())?;
+ if let Ok(ca_bundle) = std::env::var("SSL_CERT_FILE") {
+ handle.cainfo(&ca_bundle)?;
+ } else if let Ok(ca_bundle) = std::env::var("CURL_CA_BUNDLE") {
+ handle.cainfo(&ca_bundle)?;
+ }
+
 let env = self.config.get_pipeline_env();
 let headers = self.config.get_headers();
From e0844e3c0865307f6212ec04e97219e4593f14e6 Mon Sep 17 00:00:00 2001
From: "chris.smith"
Date: Fri, 15 May 2026 13:36:10 -0400
Subject: [PATCH 2/2] fix(ssl): Check CURL_CA_BUNDLE before SSL_CERT_FILE
Match curl's native env var precedence. openssl_probe auto-populates SSL_CERT_FILE with the system default, so checking it first would shadow a user-specified CURL_CA_BUNDLE.
Generated with AI
Co-Authored-By: Claude Code
---
 src/api/mod.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/api/mod.rs b/src/api/mod.rs
index 8753c5c6bb..3ab92bafe9 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
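Review bot: The `std::env::var(...)` lookups added in PATCH 1/2 skip a variable whose value is not valid Unicode without any signal, and they forward a set-but-empty value to `handle.cainfo` as the CA path. Assuming `handle` is the curl crate's `Easy`, whose `cainfo` takes a path, reading with `var_os` and dropping empties covers both cases: `if let Some(ca_bundle) = std::env::var_os("SSL_CERT_FILE").filter(|v| !v.is_empty()) {`. The block is also compiled for every target although the description scopes the problem to macOS; if other platforms should keep their current trust-store behaviour, gate it with `#[cfg(target_os = "macos")]`. PATCH 2/2 swaps the order of the two lookups but keeps the same calls, so the point applies there as well. The enclosing function starts and ends outside the hunk.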
@@ -242,9 +242,9 @@ impl Api {
 handle.ssl_verify_host(self.config.should_verify_ssl())?;
 handle.ssl_verify_peer(self.config.should_verify_ssl())?;
- if let Ok(ca_bundle) = std::env::var("SSL_CERT_FILE") {
+ if let Ok(ca_bundle) = std::env::var("CURL_CA_BUNDLE") {
 handle.cainfo(&ca_bundle)?;
- } else if let Ok(ca_bundle) = std::env::var("CURL_CA_BUNDLE") {
+ } else if let Ok(ca_bundle) = std::env::var("SSL_CERT_FILE") {
 handle.cainfo(&ca_bundle)?;
 }
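Review bot: The `else if` branch on `SSL_CERT_FILE` cannot tell a value the user exported from one that openssl_probe filled in, which the description says happens automatically. If that is so, every run that finds a probed file hands it to `handle.cainfo`, which presumably replaces the platform trust store for these requests rather than adding to it; on macOS that would mean roots installed only in the keychain stop being trusted. Recording whether `SSL_CERT_FILE` was already set before the probe runs, and forwarding only that value here, would keep the override opt-in. Because this path now lets an inherited environment variable choose the trust anchors for authenticated API calls, a debug line naming the variable and path is worth adding, for example `debug!("CA bundle from CURL_CA_BUNDLE: {ca_bundle}");` if the `log` macros are in scope in this file. The enclosing function continues outside the hunk.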