fix: Enable MTLS client certificate verification when server_tls_cafi… #1157
About this change - What it does
Fixes MTLS (Mutual TLS) client certificate verification by implementing the missing logic in create_server_ssl_context(). The server_tls_cafile configuration parameter was already defined, documented, and passed to uvicorn, but was not being used to actually enforce client certificate verification.
References: N/A (bug fix for existing feature)
Why this way
The server_tls_cafile parameter has been part of the Config class since the beginning and is already:
- Defined in the Config model (line 85)
- Documented in README.rst
- Used in integration test fixtures (registry_async_pair_tls, etc.)
- Passed to uvicorn as ssl_ca_certs in main.py
However, the create_server_ssl_context() function was not using this parameter to enable client certificate verification. This fix:
- Loads the CA certificate when server_tls_cafile is provided
- Sets ssl.CERT_REQUIRED to enforce client certificate verification (MTLS)
- Sets ssl.CERT_NONE when CA file is not provided (standard TLS behavior)
- Adds validation for the CA file path
- Adds logging to clearly indicate whether MTLS is enabled or not
This approach is:
- Minimal: Only 17 lines added
- Backward compatible: MTLS only enabled when explicitly configured
- Consistent: Follows the same validation pattern as server_tls_certfile and server_tls_keyfile
- Well-tested: Includes 9 new unit tests covering validation, error handling, and MTLS enforcement
The fix ensures that existing integration tests that configure server_tls_cafile will now properly enforce MTLS as originally intended.
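
The behaviour described above, together with a startup check for the gap this PR closes (a CA file configured while the context never asks for a client certificate), shown as an added example. It is not the project's code: `configure_client_verification` and `mtls_gap` are hypothetical names, and only the standard-library `ssl` module is assumed.

```python
import ssl
from pathlib import Path
from typing import Optional


def configure_client_verification(
    ctx: ssl.SSLContext, cafile: Optional[str]
) -> ssl.SSLContext:
    """Require client certificates on a server context when a CA file is set."""
    if cafile is None:
        # Standard TLS: the server does not request a client certificate.
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if not Path(cafile).is_file():
        # Fail closed: a configured but missing CA file must not
        # silently degrade the listener to one-way TLS.
        raise FileNotFoundError(f"server_tls_cafile does not exist: {cafile}")
    # Raises if the file contains no parseable certificate, so
    # verify_mode is only tightened once a trust anchor is loaded.
    ctx.load_verify_locations(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def mtls_gap(ctx: ssl.SSLContext, cafile: Optional[str]) -> Optional[str]:
    """Return a finding when a CA file is configured but not enforced."""
    if cafile is None:
        return None  # MTLS was never requested, nothing to enforce
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        return None
    if ctx.verify_mode == ssl.CERT_OPTIONAL:
        # A certificate is requested, but clients without one still connect.
        return "server_tls_cafile is set but client certificates are not required"
    return "server_tls_cafile is set but client certificates are not requested"


if __name__ == "__main__":
    # A context that never applies the CA file, as described for the
    # pre-fix code. The path is a constructed placeholder.
    unfixed = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print(mtls_gap(unfixed, "/constructed/path/ca.pem"))
```

Running `mtls_gap` once at startup, after the context is built, turns a silently ignored setting into a visible failure.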