Merge pull request #477 from stakpak/fix/warden-tls-interception-platform-verifier

ahmedhesham6 · web-flow · commit a44ca94b3052 · 2026-02-02T14:51:43.000+01:00
fix: use platform TLS verifier in MCP proxy/client for warden CA trust
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/libs/mcp/client/Cargo.toml b/libs/mcp/client/Cargo.toml
@@ -17,6 +17,8 @@ rmcp = { workspace = true }
 futures = { workspace = true }
 uuid = { workspace = true }
 reqwest = { workspace = true }
+rustls = { workspace = true }
+rustls-platform-verifier = { workspace = true }
 
 [lints.clippy]
 unwrap_used = "deny"
diff --git a/libs/mcp/client/src/lib.rs b/libs/mcp/client/src/lib.rs
@@ -34,10 +34,22 @@ pub async fn connect_https(
         .pool_max_idle_per_host(10)
         .tcp_keepalive(std::time::Duration::from_secs(60));
 
-    // Configure mTLS if certificate chain is provided
+    // Configure TLS: use mTLS cert chain if provided, otherwise use
+    // platform-verified TLS so the OS CA store is trusted.
     if let Some(cert_chain) = certificate_chain {
         let tls_config = cert_chain.create_client_config()?;
         client_builder = client_builder.use_preconfigured_tls(tls_config);
+    } else {
+        let arc_crypto_provider = std::sync::Arc::new(rustls::crypto::ring::default_provider());
+        if let Ok(tls_config) = rustls::ClientConfig::builder_with_provider(arc_crypto_provider)
+            .with_safe_default_protocol_versions()
+            .map(|builder| {
+                rustls_platform_verifier::BuilderVerifierExt::with_platform_verifier(builder)
+                    .with_no_client_auth()
+            })
+        {
+            client_builder = client_builder.use_preconfigured_tls(tls_config);
+        }
     }
 
     let http_client = client_builder.build()?;
diff --git a/libs/mcp/proxy/Cargo.toml b/libs/mcp/proxy/Cargo.toml
@@ -17,5 +17,7 @@ rmcp = { workspace = true }
 tracing = { workspace = true }
 toml = { workspace = true }
 reqwest = { workspace = true }
+rustls = { workspace = true }
+rustls-platform-verifier = { workspace = true }
 axum = { workspace = true }
 axum-server = { workspace = true }
diff --git a/libs/mcp/proxy/src/server/mod.rs b/libs/mcp/proxy/src/server/mod.rs
@@ -374,7 +374,9 @@ impl ProxyServer {
                     .pool_max_idle_per_host(10)
                     .tcp_keepalive(std::time::Duration::from_secs(60));
 
-                // Configure mTLS if certificate chain is provided
+                // Configure TLS: use mTLS cert chain if provided, otherwise use
+                // platform-verified TLS so the OS CA store is trusted (needed for
+                // warden container where a custom CA is installed).
                 if let Some(cert_chain) = certificate_chain.as_ref() {
                     match cert_chain.create_client_config() {
                         Ok(tls_config) => {
@@ -385,6 +387,22 @@ impl ProxyServer {
                             return;
                         }
                     }
+                } else {
+                    // No mTLS cert chain — use platform verifier to trust system CA store
+                    let arc_crypto_provider =
+                        std::sync::Arc::new(rustls::crypto::ring::default_provider());
+                    if let Ok(tls_config) = rustls::ClientConfig::builder_with_provider(
+                        arc_crypto_provider,
+                    )
+                    .with_safe_default_protocol_versions()
+                    .map(|builder| {
+                        rustls_platform_verifier::BuilderVerifierExt::with_platform_verifier(
+                            builder,
+                        )
+                        .with_no_client_auth()
+                    }) {
+                        client_builder = client_builder.use_preconfigured_tls(tls_config);
+                    }
                 }
 
                 if let Some(headers_map) = headers {
