[BUG] Sandbox blocks OCSP/CRL certificate validation traffic, breaking HTTPS for allowed domains

Resolved 💬 4 comments Opened Apr 8, 2026 by rkosolapov Closed May 22, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When a domain is added to sandbox.network.allowedDomains, Python (and potentially other runtimes) still fail to make HTTPS connections to it because the sandbox also blocks outbound HTTP traffic to OCSP/CRL servers used for certificate chain validation.

These OCSP requests go to CA-specific domains (r3.o.lencr.org for Let's Encrypt, ocsp.digicert.com, etc.) that are not in the allowlist — even though the user has no reason to know about them.

Expected behavior: Allowing a domain in allowedDomains should implicitly permit the certificate validation traffic required to establish a secure connection to that domain.

Actual behavior: SSL handshake fails with SSLCertVerificationError: OSStatus -26276 on macOS Python 3.14, even when the target domain is explicitly allowed.

Workaround: Manually add OCSP domains to the allowlist, or set PIP_TRUSTED_HOST to skip verification.

Platform: macOS, Python 3.14 (uses Apple Security framework for TLS, not OpenSSL), VS Code Claude Extension

What Should Happen?

Expected behavior: Allowing a domain in allowedDomains should implicitly permit the certificate validation traffic required to establish a secure connection to that domain.

Error Messages/Logs

Steps to Reproduce

  1. Add any HTTPS domain to sandbox.network.allowedDomains in ~/.claude/settings.json:

```json
{
"sandbox": {
"enabled": true,
"network": {
"allowedDomains": ["pypi.org", "files.pythonhosted.org"]
}
}
}
Ask Claude to run a sandboxed Bash command that makes an HTTPS request to that domain:

pip install requests
or with curl:

curl -s https://pypi.org/pypi/requests/json | head -5
Observe the SSL error:

SSLError(SSLCertVerificationError('OSStatus -26276'))
or for curl:

curl: (60) SSL certificate problem: unable to get local issuer certificate
To confirm it's OCSP: run the same command with sandbox disabled (dangerouslyDisableSandbox: true) — it succeeds.

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

claude-sonnet-4-6

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

VS Code integrated terminal

Additional Information

I use the Claude VS Code Extension if it matters.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗