You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
.Net: Fix#13183: .NET — Kernel.AddOpenAIChatClient throws an error when us… (#13198)
### Motivation and Context
1. Why is this change required?
When using AddOpenAIChatClient with a custom endpoint parameter but
without providing a custom httpClient, the code would create an
HttpClient without setting its BaseAddress property. This mismatch
between the HttpClient configuration and the
OpenAIClientOptions.Endpoint setting causes SSL/TLS handshake failures.
2. What problem does it solve?
This PR fixes the SSL connection error
(System.ClientModel.ClientResultException: The SSL connection could not
be established) that occurs when users call:
```
var kernel = Kernel.CreateBuilder()
.AddOpenAIChatClient(
modelId: "model-name",
apiKey: "api-key",
endpoint: new Uri("https://custom-endpoint.com")
)
.Build();
```
3. What scenario does it contribute to?
This enables users to easily connect to OpenAI-compatible endpoints
(such as Azure OpenAI, local LLM servers, or other OpenAI-compatible
APIs) without having to manually create and configure an HttpClient
instance.
Fixes SSL connection failures when using custom endpoints with the
default HttpClient.
4. Related Issue:
#13183
### Description
Changes made:
Fixed invalid GetOpenAIClientOptions call in the first overload (lines
40-77):
Removed the unused GetOpenAIClientOptions call at lines 56-59
Added missing endpoint and orgId parameters to the
GetOpenAIClientOptions call used in OpenAIClient construction
Fixed SSL issue in the third overload with custom endpoint (lines
125-170):
Added logic to ensure the HttpClient has the correct BaseAddress when
using a custom endpoint
When no custom httpClient is provided and the default client has no
BaseAddress, creates a new HttpClient with BaseAddress set to the
provided endpoint
This ensures consistency between the HttpClient.BaseAddress and
OpenAIClientOptions.Endpoint, preventing SSL certificate validation
failures
Verified AddOpenAIEmbeddingGenerator methods:
Confirmed both overloads are correctly implemented with no similar
issues
The root cause was that HttpClientPipelineTransport uses the HttpClient
for making requests, but when the HttpClient.BaseAddress is null and the
endpoint is only set in OpenAIClientOptions.Endpoint, the SSL/TLS
handshake fails due to hostname mismatch during certificate validation.
The fix ensures that when a custom endpoint is provided, the HttpClient
is properly configured with the matching BaseAddress, allowing SSL/TLS
to validate the certificate correctly.
### Contribution Checklist
<!-- Before submitting this PR, please make sure: -->
- [V ] The code builds clean without any errors or warnings
- [ V] The PR follows the [SK Contribution
Guidelines](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md)
and the [pre-submission formatting
script](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md#development-scripts)
raises no violations
- [V ] All unit tests pass, and I have added new tests where possible
- [V ] I didn't break anyone 😄
---------
Co-authored-by: Roger Barreto <[email protected]>
Co-authored-by: westey <[email protected]>
Copy file name to clipboardExpand all lines: dotnet/src/Connectors/Connectors.OpenAI/Extensions/OpenAIServiceCollectionExtensions.DependencyInjection.cs
0 commit comments