fix(mcp): keep global TLS opt-out from disabling MCP verification #12611
Open
rodboev wants to merge 1 commit into
Summary
Global `requestOptions.verifySsl: false` was flowing into remote MCP server configs even when the MCP server block did not opt out of TLS verification. That made `core/context/mcp/MCPConnection.ts` build `HttpsAgent({ rejectUnauthorized: false })` for SSE and streamable HTTP transports based on a global provider setting.

This change scopes MCP request-option inheritance more narrowly. Remote MCP servers still inherit unrelated global request options such as headers and proxy settings, but `verifySsl` only applies when it is set explicitly on that MCP server.

Addresses the TLS verification part of #11468.

Changes
- `core/config/yaml/yamlToContinueConfig.ts` that strips `verifySsl` from global request options before merging.
- `core/config/load.ts` for `experimental.modelContextProtocolServers` non-stdio transports.
- `core/config/yaml/loadYaml.vitest.ts` with regression coverage for global `verifySsl: false` on SSE and streamable HTTP, explicit per-server `verifySsl: false`, explicit per-server `verifySsl: true`, empty-options behavior, and preservation of unrelated global request options.

What This Doesn't Change
- `requestOptions` inheritance is unchanged.
- `requestOptions.verifySsl: false` remains the escape hatch for insecure TLS.

Test Plan
`cd core && npx vitest run config/yaml/loadYaml.vitest.ts`

10/10 passing. Covers the MCP config conversion path, including the base-regression case where global `verifySsl: false` used to propagate into remote MCP request options, plus explicit per-server `verifySsl` overrides, empty-options behavior, and inheritance of unrelated global request options.

Summary by cubic
Prevented global `requestOptions.verifySsl: false` from disabling TLS checks for remote MCP servers. Only server-level MCP `verifySsl` now opts out; headers, proxy, timeouts, and cert options still inherit from global settings.
- `mergeMcpRequestOptions` to strip global `verifySsl` before merging into MCP configs.
- `verifySsl` true/false, empty options, and inheritance of unrelated options.

Written for commit a37a046. Summary will update on new commits.
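The inheritance scoping this PR describes, as an added sketch that is not the project's code: it compares a merge that lets the global `verifySsl` flow into remote MCP servers with one that strips it first, and lists which servers end up without certificate verification. The type names, function names and sample config are hypothetical and constructed for illustration.

```typescript
// Added example: hypothetical names and types, not Continue's implementation.
interface RequestOptions {
  verifySsl?: boolean;
  proxy?: string;
  headers?: Record<string, string>;
}

interface McpServer {
  name: string;
  type: "sse" | "streamable-http" | "stdio";
  requestOptions?: RequestOptions;
}

type Merge = (global: RequestOptions, server?: RequestOptions) => RequestOptions;

// "Before" behaviour: every global option, verifySsl included, reaches the server.
const naiveMerge: Merge = (global, server) => ({ ...global, ...server });

// Scoped behaviour: drop the global verifySsl so only the server block can opt out.
const scopedMerge: Merge = (global, server) => {
  const { verifySsl: _globalOptOut, ...inheritable } = global;
  return { ...inheritable, ...server };
};

// What the HTTPS agent is told: verify unless verifySsl is explicitly false.
function rejectUnauthorized(opts: RequestOptions): boolean {
  return opts.verifySsl !== false;
}

// Remote (non-stdio) servers whose TLS verification is off under a given merge.
function unverifiedServers(global: RequestOptions, servers: McpServer[], merge: Merge): string[] {
  return servers
    .filter((s) => s.type !== "stdio")
    .filter((s) => !rejectUnauthorized(merge(global, s.requestOptions)))
    .map((s) => s.name);
}

// Constructed sample config: a global opt-out plus three remote MCP servers.
const globalOptions: RequestOptions = { verifySsl: false, proxy: "http://proxy.example:3128" };
const sampleServers: McpServer[] = [
  { name: "docs-sse", type: "sse" },
  { name: "lab-http", type: "streamable-http", requestOptions: { verifySsl: false } },
  { name: "prod-http", type: "streamable-http", requestOptions: { verifySsl: true } },
];
```

Running `unverifiedServers` over a real config with both merges shows which servers relied on the inherited opt-out and will start verifying certificates once the global value is no longer inherited.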