Skip to content

[EVAL] feat: add certificate trust configuration for MCP servers #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 19 commits into from
Closed

[EVAL] feat: add certificate trust configuration for MCP servers #12

wants to merge 19 commits into from

Conversation

@daniel-lxs
Copy link
Contributor

@daniel-lxs daniel-lxs commented Oct 9, 2025

🧪 Evaluation PR for Testing

This is an automated test PR created for evaluation purposes.

Summary

This PR addresses Issue #8355 by adding certificate trust configuration support for MCP servers using HTTPS connections (SSE and StreamableHTTP transports).

Problem

MCP servers using self-signed or internal CA-signed certificates cannot be used because there's no way to specify trust information for these certificates. This prevents users from connecting to MCP servers in development environments or corporate networks with internal certificate authorities.

Solution

Added a certificateTrust configuration option for SSE and StreamableHTTP server types with three settings:

  • allowSelfSigned: Allow self-signed certificates (for development)
  • caCertPath: Path to custom CA certificate file (for internal CAs)
  • rejectUnauthorized: Control certificate validation (defaults to true for security)

Changes

  • ✅ Added CertificateTrustSchema to validate certificate trust configuration
  • ✅ Implemented HTTPS agent configuration for SSE transport using custom fetch
  • ✅ Implemented HTTPS agent configuration for StreamableHTTP transport
  • ✅ Added comprehensive test coverage for all configuration scenarios
  • ✅ Created detailed documentation with examples and security considerations

Testing

  • All existing tests pass
  • Added 6 new test cases covering certificate trust configuration
  • TypeScript type checking passes
  • Linting passes

Security Considerations

  • Defaults to secure settings (rejectUnauthorized: true)
  • Documentation includes clear warnings about development-only settings
  • Proper error handling for certificate file loading

Documentation

Added comprehensive documentation in docs/mcp-certificate-trust.md including:

  • Configuration examples for all scenarios
  • Security best practices
  • Certificate format conversion instructions
  • Troubleshooting guide

roomote and others added 19 commits September 28, 2025 18:43
@roomote
feat: add certificate trust configuration for MCP servers
a158c21 
- Add certificateTrust configuration options for SSE and StreamableHTTP transports
- Support allowSelfSigned, caCertPath, and rejectUnauthorized options
- Implement HTTPS agent configuration for Node.js fetch operations
- Add comprehensive tests for certificate trust configuration
- Add documentation explaining usage and security considerations

Fixes #8355
@roomote
fix: resolve TypeScript type error for agent property in fetch
b73bd7c 
- Use spread operator with type assertion for Node.js-specific agent property
- Ensures compatibility with standard RequestInit type while allowing HTTPS agent
@daniel-lxs
test: webhook throttle test commit 1
e2b5556
@daniel-lxs
test: webhook throttle test commit 2
2ad3209
@daniel-lxs
test: webhook throttle test commit 3
c533ebb
@daniel-lxs
test: webhook throttle test commit 4
ff458a5
@daniel-lxs
test: webhook commit 5 - testing 5min timeout with running task
d04abc0
@daniel-lxs
test: webhook commit 6
a11aad8
@daniel-lxs
test: webhook commit 7
a57d035
@daniel-lxs
test: webhook commit 8
6fa6924
@daniel-lxs
test: webhook commit 9
5922c94
@daniel-lxs
test: webhook commit 10
cf6abc7
@daniel-lxs
test: webhook commit 11
6f1b0c5
@daniel-lxs
test: webhook commit 12
4a963a1
@daniel-lxs
test: webhook commit 13
6a0fbdc
@daniel-lxs
test: webhook commit 14
91530f9
@daniel-lxs
test: webhook commit 15
39dbeee
@daniel-lxs
test: webhook commit 16
afa5eb9
@daniel-lxs
test: webhook commit 17
1cfb8da
@daniel-lxs daniel-lxs closed this Oct 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@daniel-lxs @roomote