[BUG] Sandbox blocks OCSP/CRL certificate validation traffic, breaking HTTPS for allowed domains
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When a domain is added to sandbox.network.allowedDomains, Python (and potentially other runtimes) still fail to make HTTPS connections to it because the sandbox also blocks outbound HTTP traffic to OCSP/CRL servers used for certificate chain validation.
These OCSP requests go to CA-specific domains (r3.o.lencr.org for Let's Encrypt, ocsp.digicert.com, etc.) that are not in the allowlist — even though the user has no reason to know about them.
Expected behavior: Allowing a domain in allowedDomains should implicitly permit the certificate validation traffic required to establish a secure connection to that domain.
Actual behavior: SSL handshake fails with SSLCertVerificationError: OSStatus -26276 on macOS Python 3.14, even when the target domain is explicitly allowed.
Workaround: Manually add OCSP domains to the allowlist, or set PIP_TRUSTED_HOST to skip verification.
Platform: macOS, Python 3.14 (uses Apple Security framework for TLS, not OpenSSL), VS Code Claude Extension
What Should Happen?
Expected behavior: Allowing a domain in allowedDomains should implicitly permit the certificate validation traffic required to establish a secure connection to that domain.
Error Messages/Logs
Steps to Reproduce
- Add any HTTPS domain to
sandbox.network.allowedDomainsin~/.claude/settings.json:
```json
{
"sandbox": {
"enabled": true,
"network": {
"allowedDomains": ["pypi.org", "files.pythonhosted.org"]
}
}
}
Ask Claude to run a sandboxed Bash command that makes an HTTPS request to that domain:
pip install requests
or with curl:
curl -s https://pypi.org/pypi/requests/json | head -5
Observe the SSL error:
SSLError(SSLCertVerificationError('OSStatus -26276'))
or for curl:
curl: (60) SSL certificate problem: unable to get local issuer certificate
To confirm it's OCSP: run the same command with sandbox disabled (dangerouslyDisableSandbox: true) — it succeeds.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
claude-sonnet-4-6
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
VS Code integrated terminal
Additional Information
I use the Claude VS Code Extension if it matters.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗