fix: better thread safety via early initializing SSL store during HTTP client creation

stainless-app[bot] · stainless-app[bot] · commit e7d9a3d70c09 · 2025-11-04T18:00:42.000Z
diff --git a/lib/openai.rb b/lib/openai.rb
@@ -8,6 +8,7 @@
 require "etc"
 require "json"
 require "net/http"
+require "openssl"
 require "pathname"
 require "rbconfig"
 require "securerandom"
diff --git a/lib/openai/internal/transport/pooled_net_requester.rb b/lib/openai/internal/transport/pooled_net_requester.rb
@@ -16,10 +16,11 @@ class PooledNetRequester
         class << self
           # @api private
           #
+          # @param cert_store [OpenSSL::X509::Store]
           # @param url [URI::Generic]
           #
           # @return [Net::HTTP]
-          def connect(url)
+          def connect(cert_store:, url:)
             port =
               case [url.port, url.scheme]
               in [Integer, _]
@@ -33,6 +34,8 @@ def connect(url)
             Net::HTTP.new(url.host, port).tap do
               _1.use_ssl = %w[https wss].include?(url.scheme)
               _1.max_retries = 0
+
+              (_1.cert_store = cert_store) if _1.use_ssl?
             end
           end
 
@@ -102,7 +105,7 @@ def build_request(request, &blk)
           pool =
             @mutex.synchronize do
               @pools[origin] ||= ConnectionPool.new(size: @size) do
-                self.class.connect(url)
+                self.class.connect(cert_store: @cert_store, url: url)
               end
             end
 
@@ -192,6 +195,7 @@ def execute(request)
         def initialize(size: self.class::DEFAULT_MAX_CONNECTIONS)
           @mutex = Mutex.new
           @size = size
+          @cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
           @pools = {}
         end
 
diff --git a/manifest.yaml b/manifest.yaml
@@ -6,6 +6,7 @@ dependencies:
   - etc
   - json
   - net/http
+  - openssl
   - pathname
   - rbconfig
   - securerandom
diff --git a/rbi/openai/internal/transport/pooled_net_requester.rbi b/rbi/openai/internal/transport/pooled_net_requester.rbi
@@ -26,8 +26,12 @@ module OpenAI
 
         class << self
           # @api private
-          sig { params(url: URI::Generic).returns(Net::HTTP) }
-          def connect(url)
+          sig do
+            params(cert_store: OpenSSL::X509::Store, url: URI::Generic).returns(
+              Net::HTTP
+            )
+          end
+          def connect(cert_store:, url:)
           end
 
           # @api private
diff --git a/sig/openai/internal/transport/pooled_net_requester.rbs b/sig/openai/internal/transport/pooled_net_requester.rbs
@@ -17,7 +17,10 @@ module OpenAI
 
         DEFAULT_MAX_CONNECTIONS: Integer
 
-        def self.connect: (URI::Generic url) -> top
+        def self.connect: (
+          cert_store: OpenSSL::X509::Store,
+          url: URI::Generic
+        ) -> top
 
         def self.calibrate_socket_timeout: (top conn, Float deadline) -> void
 
