@Harshit28j
Contributor

Relevant issues

Addresses issue where a global litellm.ssl_verify setting (e.g., for AIM Guardrail) would incorrectly apply to Bedrock calls, causing SSLCertVerificationError. This PR enables per-service SSL configuration overrides.

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

  • I have Added testing in the tests/litellm/ directory: Added tests/test_litellm/test_ssl_verify_unit.py covering priority logic for Bedrock, AIM, and HTTP clients.
  • My PR passes all unit tests on make test-unit
  • My PR's scope is as isolated as possible, it only solves 1 specific problem

Type

🐛 Bug Fix
🧹 Refactoring
📖 Documentation
✅ Test

Changes

Problem:

image

Solution:

image
  • Centralized SSL Utility: Introduced get_ssl_verify() in http_handler.py to unify SSL resolution across the codebase.
  • Priority Logic: Implemented a robust priority chain: Passed Parameter > ENV: SSL_VERIFY > litellm.ssl_verify > ENV: SSL_CERT_FILE.
  • AIM Guardrail Support: Added ssl_verify support to AimGuardrail initialization, allowing users to specify a per-guardrail certificate.
  • Bedrock Enhancements:
    • Updated BaseAWSLLM and common_utils.py to use the unified SSL resolution.
    • Ensured boto3 clients for Bedrock and sts (AssumeRole) correctly propagate the resolved SSL setting.
    • Updated credential caching to include ssl_verify in the cache key to prevent cross-account/cross-cert contamination.
  • Documentation:
    • New section in security_settings.md for "Per-Service SSL Verification".
    • Updated aim_security.md with configuration examples.

Test Cases Added

Identified in tests/test_litellm/test_ssl_verify_unit.py:

  1. test_base_aws_llm_get_ssl_verify_priority: Verifies that passed params override global settings in Bedrock.
  2. test_aim_guardrail_ssl_verify_propagation: Confirms AIM guardrail passes the custom path to the HTTP client.
  3. test_http_handler_get_ssl_verify_logic: Validates the core logic for bools, strings, and env variable fallbacks.
  4. test_bedrock_llm_init_passes_ssl_verify: Ensures the Bedrock LLM class correctly passes the setting to the AWS handlers.
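
The priority chain and the cache-key change listed in the description above, sketched as an added example. This is not the PR's code and not LiteLLM's `get_ssl_verify()`: the names `resolve_ssl_verify` and `credential_cache_key`, the sample path, and the fall-through default of `True` are assumptions made for illustration.

```python
import os
from typing import Mapping, Optional, Tuple, Union

SSLVerify = Union[bool, str]  # True/False, or a path to a CA bundle


def _coerce(value: SSLVerify) -> SSLVerify:
    """Turn the strings "true"/"false" into bools; keep other strings as paths."""
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return value


def resolve_ssl_verify(
    passed: Optional[SSLVerify] = None,
    global_setting: Optional[SSLVerify] = None,
    env: Optional[Mapping[str, str]] = None,
) -> SSLVerify:
    """Passed parameter > ENV SSL_VERIFY > global setting > ENV SSL_CERT_FILE."""
    env = os.environ if env is None else env
    if passed is not None:  # per-service override wins, even when it is False
        return _coerce(passed)
    if env.get("SSL_VERIFY"):
        return _coerce(env["SSL_VERIFY"])
    if global_setting is not None:
        return _coerce(global_setting)
    if env.get("SSL_CERT_FILE"):
        return env["SSL_CERT_FILE"]
    return True  # assumption: with nothing configured, keep verification on


def credential_cache_key(
    role_arn: str, region: str, ssl_verify: SSLVerify
) -> Tuple[str, str, str]:
    """Key cached credentials by the TLS setting they were obtained under."""
    # repr() keeps the bool True distinct from the string path "True".
    return (role_arn, region, repr(ssl_verify))


if __name__ == "__main__":
    # Constructed values: a global CA bundle that is meant only for the guardrail.
    aim_ca = "/etc/ssl/constructed/aim-ca.pem"
    print("guardrail:", resolve_ssl_verify(None, aim_ca, env={}))
    print("bedrock  :", resolve_ssl_verify(True, aim_ca, env={}))
```

With only the global setting, every service inherits the guardrail's CA bundle; passing a per-service value is what lets the AWS client keep its own trust store.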

@vercel

vercel bot commented Jan 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
litellm Error Error Jan 19, 2026 8:51pm


@Harshit28j
Contributor Author

I configured the test environment to use a dummy service certificate (with certifi fallback), injected mock AIM and AWS credentials, and ran the SSL guardrail test locally. The test passed, confirming the SSL override logic works correctly.

image
