mcp-proxy-adapter 6.3.5__py3-none-any.whl → 6.3.6__py3-none-any.whl

mcp_proxy_adapter/core/client_security.py

@@ -74,15 +74,24 @@ class ClientSecurityManager:
     def _create_ssl_config(self) -> SSLConfig:
         """Create SSL configuration for client connections."""
         ssl_section = self.security_config.get("ssl", {})
+        
+        # Determine verify_mode based on verify_server setting
+        verify_server = ssl_section.get("verify_server", True)
+        if verify_server:
+            verify_mode = "CERT_REQUIRED"
+            check_hostname = True
+        else:
+            verify_mode = "CERT_NONE"
+            check_hostname = False
 
         return SSLConfig(
             enabled=ssl_section.get("enabled", False),
             cert_file=ssl_section.get("client_cert_file"),
             key_file=ssl_section.get("client_key_file"),
             ca_cert_file=ssl_section.get("ca_cert_file"),
-            verify_mode=ssl_section.get("verify_mode", "CERT_REQUIRED"),
+            verify_mode=verify_mode,
             min_tls_version=ssl_section.get("min_tls_version", "TLSv1.2"),
-            check_hostname=ssl_section.get("check_hostname", True),
+            check_hostname=check_hostname,
             check_expiry=ssl_section.get("check_expiry", True),
         )
 
@@ -107,8 +116,8 @@ class ClientSecurityManager:
 
             if server_hostname:
                 # Set server hostname for SNI
-                context.check_hostname = True
-                context.verify_mode = ssl.CERT_REQUIRED
+                # SSL verification settings are already configured in SSLManager
+                # based on verify_server configuration in _create_ssl_config()
 
             logger.info(
                 f"Client SSL context created for {server_hostname or 'unknown server'}"

mcp_proxy_adapter/version.py

@@ -2,4 +2,4 @@
 Version information for MCP Proxy Adapter.
 """
 
-__version__ = "6.3.5"
+__version__ = "6.3.6"

{mcp_proxy_adapter-6.3.5.dist-info → mcp_proxy_adapter-6.3.6.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-proxy-adapter
-Version: 6.3.5
+Version: 6.3.6
 Summary: Powerful JSON-RPC microservices framework with built-in security, authentication, and proxy registration
 Home-page: https://github.com/maverikod/mcp-proxy-adapter
 Author: Vasiliy Zdanovskiy

{mcp_proxy_adapter-6.3.5.dist-info → mcp_proxy_adapter-6.3.6.dist-info}/RECORD

@@ -4,7 +4,7 @@ mcp_proxy_adapter/config.py,sha256=-7iVS0mUWWKNeao7nqTAFlUD6FcMwRlDkchN7OwYsr0,2
 mcp_proxy_adapter/custom_openapi.py,sha256=yLle4CntYK9wpivgn9NflZyJhy-YNrmWjJzt0ai5nP0,14672
 mcp_proxy_adapter/main.py,sha256=Q5WxLVbQ5y9cdpcriFvIuILaxFyPyyxyxQ4OeU3xaYY,3193
 mcp_proxy_adapter/openapi.py,sha256=2UZOI09ZDRJuBYBjKbMyb2U4uASszoCMD5o_4ktRpvg,13480
-mcp_proxy_adapter/version.py,sha256=A4thGMP1TIorVTSMu7oOnJuatKeLCbedU_xenofVtqM,74
+mcp_proxy_adapter/version.py,sha256=Gn1VObxc75DJfaUYzoY-mCWYCASonlitN683s_sCoZQ,74
 mcp_proxy_adapter/api/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 mcp_proxy_adapter/api/app.py,sha256=22NIDGo6pGkOZnvBWeKv_-RIRye4YaYkIskVGIsCCMs,28600
 mcp_proxy_adapter/api/handlers.py,sha256=iyFGoEuUS1wxbV1ELA0zmaxIyQR7j4zw-4MrD-uIO6E,8294
@@ -59,7 +59,7 @@ mcp_proxy_adapter/core/auth_validator.py,sha256=q8TNkdolvP-gM6Bvecc6nrVG9al5J31p
 mcp_proxy_adapter/core/certificate_utils.py,sha256=yeDwi-j42CxK_g-r5_ragGFY_HdSgDfTWHVUjDHF6nI,38480
 mcp_proxy_adapter/core/client.py,sha256=qIbPl8prEwK2U65kl-vGJW2_imo1E4i6HxG_VpPeWpQ,21168
 mcp_proxy_adapter/core/client_manager.py,sha256=yD8HZJlOwmDbVU49YfzSbh1XZ-Vib8qfcLVAaH03Jdg,8832
-mcp_proxy_adapter/core/client_security.py,sha256=I0yjWbVFyR8Im1avatXuBApFeSZoG6iJJHArMhF4A2Q,13053
+mcp_proxy_adapter/core/client_security.py,sha256=3LIhZl9uUW9zXSllwX3RQutR583T_uIVluibEcwAr1A,13374
 mcp_proxy_adapter/core/config_converter.py,sha256=Wnnsrbw7DxtgDfLG-IyyzK-hkKu0_1yp7-7dW87tu_4,17422
 mcp_proxy_adapter/core/config_validator.py,sha256=M_iQqskKk5VfziNkXTJwjU97vEBLNSsXIqtpTQKHAcA,9644
 mcp_proxy_adapter/core/crl_utils.py,sha256=Jnwq2UN52IoCDZCwByRP3XNMOJexftb-mVaH6zes6Fc,11706
@@ -135,9 +135,10 @@ mcp_proxy_adapter/examples/scripts/generate_certificates_and_tokens.py,sha256=hU
 mcp_proxy_adapter/schemas/base_schema.json,sha256=v9G9cGMd4dRhCZsOQ_FMqOi5VFyVbI6Cf3fyIvOT9dc,2881
 mcp_proxy_adapter/schemas/openapi_schema.json,sha256=C3yLkwmDsvnLW9B5gnKKdBGl4zxkeU-rEmjTrNVsQU0,8405
 mcp_proxy_adapter/utils/config_generator.py,sha256=UXxuxxAyKTesAS3DOofQ26e20v771inA7EfBV8PZD1c,47543
-mcp_proxy_adapter-6.3.5.dist-info/licenses/LICENSE,sha256=6KdtUcTwmTRbJrAmYjVn7e6S-V42ubeDJ-AiVEzZ510,1075
-mcp_proxy_adapter-6.3.5.dist-info/METADATA,sha256=xuV_AjVe_gnk1r-mNElVj9TvgyzfBpr44DIT_3ZWgF0,22347
-mcp_proxy_adapter-6.3.5.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-mcp_proxy_adapter-6.3.5.dist-info/entry_points.txt,sha256=J3eV6ID0lt_VSp4lIdIgBFTqLCThgObNNxRCbyfiMHw,70
-mcp_proxy_adapter-6.3.5.dist-info/top_level.txt,sha256=JZT7vPLBYrtroX-ij68JBhJYbjDdghcV-DFySRy-Nnw,18
-mcp_proxy_adapter-6.3.5.dist-info/RECORD,,
+mcp_proxy_adapter-6.3.6.dist-info/licenses/LICENSE,sha256=6KdtUcTwmTRbJrAmYjVn7e6S-V42ubeDJ-AiVEzZ510,1075
+mcp_proxy_adapter_issue_package/demonstrate_issue.py,sha256=NDyiWSjQHly4ji1sB4ZqdmOFyZlPQ4Id80dTrRwcmoE,7736
+mcp_proxy_adapter-6.3.6.dist-info/METADATA,sha256=eaKlcNLOyaQ2QBKtFYen8ugwyOcYnfFqq4-2b7lz4vc,22347
+mcp_proxy_adapter-6.3.6.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+mcp_proxy_adapter-6.3.6.dist-info/entry_points.txt,sha256=J3eV6ID0lt_VSp4lIdIgBFTqLCThgObNNxRCbyfiMHw,70
+mcp_proxy_adapter-6.3.6.dist-info/top_level.txt,sha256=CHk-Mc-AxjO-tRheegA2qLiQnU4vZRnxuTF81So6SAc,50
+mcp_proxy_adapter-6.3.6.dist-info/RECORD,,

mcp_proxy_adapter-6.3.6.dist-info/top_level.txt

@@ -0,0 +1,2 @@
+mcp_proxy_adapter
+mcp_proxy_adapter_issue_package

mcp_proxy_adapter_issue_package/demonstrate_issue.py

@@ -0,0 +1,178 @@
+#!/usr/bin/env python3
+"""
+Demonstration script showing the mcp_proxy_adapter SSL verification issue.
+This script reproduces the problem where verify_server: false is ignored.
+
+Author: Vasiliy Zdanovskiy
+email: vasilyvz@gmail.com
+"""
+import ssl
+import asyncio
+import aiohttp
+import logging
+from pathlib import Path
+
+# Setup logging
+logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
+logger = logging.getLogger(__name__)
+
+class MockSSLConfig:
+    """Mock SSL configuration to demonstrate the issue."""
+    
+    def __init__(self, verify_server=True):
+        self.verify_server = verify_server
+        self.ca_cert_file = "certs/mtls/truststore.pem"
+        self.client_cert_file = "certs/mtls/client/embedding-service.pem"
+        self.client_key_file = "certs/mtls/client/embedding-service.key"
+
+def create_client_ssl_context_broken(ssl_config: MockSSLConfig) -> ssl.SSLContext:
+    """
+    BROKEN: This is how mcp_proxy_adapter currently works.
+    It hardcodes CERT_REQUIRED, ignoring the verify_server setting.
+    """
+    logger.info("🔴 Creating SSL context (BROKEN - current mcp_proxy_adapter behavior)")
+    logger.info(f"   Configuration: verify_server={ssl_config.verify_server}")
+    
+    try:
+        ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+        
+        # Load CA certificate if provided
+        if ssl_config.ca_cert_file and Path(ssl_config.ca_cert_file).exists():
+            ssl_context.load_verify_locations(ssl_config.ca_cert_file)
+            logger.info(f"   ✅ Loaded CA certificate: {ssl_config.ca_cert_file}")
+        
+        # Load client certificate if provided
+        if (ssl_config.client_cert_file and ssl_config.client_key_file and 
+            Path(ssl_config.client_cert_file).exists() and Path(ssl_config.client_key_file).exists()):
+            ssl_context.load_cert_chain(
+                ssl_config.client_cert_file,
+                ssl_config.client_key_file
+            )
+            logger.info(f"   ✅ Loaded client certificate: {ssl_config.client_cert_file}")
+        
+        # PROBLEM: This line hardcodes CERT_REQUIRED, ignoring configuration
+        ssl_context.verify_mode = ssl.CERT_REQUIRED
+        logger.info("   ❌ HARDCODED: ssl_context.verify_mode = ssl.CERT_REQUIRED")
+        logger.info("   ❌ IGNORES: verify_server=False configuration!")
+        
+        return ssl_context
+    except Exception as e:
+        logger.error(f"   ❌ Failed to create SSL context: {e}")
+        return ssl.create_default_context()
+
+def create_client_ssl_context_fixed(ssl_config: MockSSLConfig) -> ssl.SSLContext:
+    """
+    FIXED: This is how mcp_proxy_adapter should work.
+    It respects the verify_server configuration setting.
+    """
+    logger.info("🟢 Creating SSL context (FIXED - proposed solution)")
+    logger.info(f"   Configuration: verify_server={ssl_config.verify_server}")
+    
+    try:
+        ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+        
+        # Load CA certificate if provided
+        if ssl_config.ca_cert_file and Path(ssl_config.ca_cert_file).exists():
+            ssl_context.load_verify_locations(ssl_config.ca_cert_file)
+            logger.info(f"   ✅ Loaded CA certificate: {ssl_config.ca_cert_file}")
+        
+        # Load client certificate if provided
+        if (ssl_config.client_cert_file and ssl_config.client_key_file and 
+            Path(ssl_config.client_cert_file).exists() and Path(ssl_config.client_key_file).exists()):
+            ssl_context.load_cert_chain(
+                ssl_config.client_cert_file,
+                ssl_config.client_key_file
+            )
+            logger.info(f"   ✅ Loaded client certificate: {ssl_config.client_cert_file}")
+        
+        # FIX: Respect the verify_server configuration
+        if not ssl_config.verify_server:
+            ssl_context.check_hostname = False  # Must be set BEFORE verify_mode
+            ssl_context.verify_mode = ssl.CERT_NONE
+            logger.info("   ✅ RESPECTS: ssl_context.check_hostname = False")
+            logger.info("   ✅ RESPECTS: ssl_context.verify_mode = ssl.CERT_NONE (verify_server=False)")
+        else:
+            ssl_context.verify_mode = ssl.CERT_REQUIRED
+            logger.info("   ✅ RESPECTS: ssl_context.verify_mode = ssl.CERT_REQUIRED (verify_server=True)")
+        
+        return ssl_context
+    except Exception as e:
+        logger.error(f"   ❌ Failed to create SSL context: {e}")
+        return ssl.create_default_context()
+
+async def test_connection(ssl_context: ssl.SSLContext, url: str, description: str):
+    """Test connection with the given SSL context."""
+    logger.info(f"\n🧪 Testing connection: {description}")
+    logger.info(f"   URL: {url}")
+    
+    try:
+        connector = aiohttp.TCPConnector(ssl=ssl_context)
+        async with aiohttp.ClientSession(connector=connector) as session:
+            async with session.get(url, timeout=aiohttp.ClientTimeout(total=5)) as response:
+                logger.info(f"   ✅ SUCCESS: HTTP {response.status}")
+                return True
+    except ssl.SSLCertVerificationError as e:
+        logger.error(f"   ❌ SSL VERIFICATION ERROR: {e}")
+        return False
+    except Exception as e:
+        logger.error(f"   ❌ CONNECTION ERROR: {e}")
+        return False
+
+async def main():
+    """Main demonstration function."""
+    logger.info("🚀 mcp_proxy_adapter SSL Verification Issue Demonstration")
+    logger.info("=" * 70)
+    
+    # Test URL with self-signed certificate
+    test_url = "https://127.0.0.1:3004/health"
+    
+    # Configuration with verify_server=False (should be respected)
+    config = MockSSLConfig(verify_server=False)
+    
+    logger.info(f"\n📋 Test Configuration:")
+    logger.info(f"   URL: {test_url}")
+    logger.info(f"   verify_server: {config.verify_server}")
+    logger.info(f"   CA cert: {config.ca_cert_file}")
+    logger.info(f"   Client cert: {config.client_cert_file}")
+    
+    # Test 1: Current broken behavior
+    logger.info(f"\n" + "="*50)
+    logger.info("TEST 1: Current mcp_proxy_adapter behavior (BROKEN)")
+    logger.info("="*50)
+    
+    broken_ssl_context = create_client_ssl_context_broken(config)
+    broken_result = await test_connection(broken_ssl_context, test_url, "BROKEN - ignores verify_server=False")
+    
+    # Test 2: Proposed fixed behavior
+    logger.info(f"\n" + "="*50)
+    logger.info("TEST 2: Proposed fixed behavior")
+    logger.info("="*50)
+    
+    fixed_ssl_context = create_client_ssl_context_fixed(config)
+    fixed_result = await test_connection(fixed_ssl_context, test_url, "FIXED - respects verify_server=False")
+    
+    # Summary
+    logger.info(f"\n" + "="*50)
+    logger.info("SUMMARY")
+    logger.info("="*50)
+    logger.info(f"🔴 Current behavior (broken): {'FAILED' if not broken_result else 'SUCCESS'}")
+    logger.info(f"🟢 Proposed fix: {'SUCCESS' if fixed_result else 'FAILED'}")
+    
+    if not broken_result and fixed_result:
+        logger.info("\n✅ DEMONSTRATION SUCCESSFUL!")
+        logger.info("   The issue is confirmed: verify_server=False is ignored")
+        logger.info("   The proposed fix works: verify_server=False is respected")
+    elif broken_result and not fixed_result:
+        logger.info("\n❓ UNEXPECTED RESULT")
+        logger.info("   Both approaches failed - may be a different issue")
+    else:
+        logger.info("\n❓ INCONCLUSIVE")
+        logger.info("   Results don't clearly demonstrate the issue")
+
+if __name__ == "__main__":
+    try:
+        asyncio.run(main())
+    except KeyboardInterrupt:
+        logger.info("\n🛑 Demonstration interrupted by user")
+    except Exception as e:
+        logger.error(f"\n❌ Demonstration error: {e}")

mcp_proxy_adapter-6.3.5.dist-info/top_level.txt

@@ -1 +0,0 @@
-mcp_proxy_adapter