feat: Add SSL verification option (verify parameter) to MCPServerHTTP and MCPServerSSE

This commit adds a 'verify' parameter to MCPServerHTTP and MCPServerSSE configurations, allowing users to disable SSL certificate verification or specify a custom CA bundle path when connecting to MCP servers. This is useful for enterprise environments where: - Corporate proxies intercept HTTPS traffic with self-signed certificates - Internal certificate authorities are not in the default trust store - Development/staging environments use self-signed certificates Changes: - Add 'verify' parameter to MCPServerHTTP and MCPServerSSE config classes (default: True, accepts bool or str for CA bundle path) - Add 'verify' parameter to HTTPTransport and SSETransport classes - Create custom httpx_client_factory that preserves MCP defaults while allowing SSL verification customization - Update agent/core.py to pass verify parameter when creating transports - Add comprehensive tests for the new functionality Closes #4100 Co-Authored-By: João <joao@crewai.com>
2026-05-03 16:22:49 +00:00 · 2025-12-16 15:18:17 +00:00
parent 88d3c0fa97
commit 1d1c68792a
8 changed files with 4682 additions and 4169 deletions
--- a/lib/crewai/tests/mcp/test_mcp_config.py
+++ b/lib/crewai/tests/mcp/test_mcp_config.py
@@ -198,3 +198,187 @@ async def test_mcp_tool_execution_in_async_context(mock_tool_definitions):

        assert result == "test result"
        mock_client.call_tool.assert_called()
+
+
+def test_http_mcp_config_verify_default():
+    """Test MCPServerHTTP has verify=True by default."""
+    http_config = MCPServerHTTP(url="https://api.example.com/mcp")
+    assert http_config.verify is True
+
+
+def test_http_mcp_config_verify_false():
+    """Test MCPServerHTTP with verify=False."""
+    http_config = MCPServerHTTP(
+        url="https://api.example.com/mcp",
+        verify=False,
+    )
+    assert http_config.verify is False
+
+
+def test_http_mcp_config_verify_ca_bundle():
+    """Test MCPServerHTTP with custom CA bundle path."""
+    http_config = MCPServerHTTP(
+        url="https://api.example.com/mcp",
+        verify="/path/to/ca-bundle.crt",
+    )
+    assert http_config.verify == "/path/to/ca-bundle.crt"
+
+
+def test_sse_mcp_config_verify_default():
+    """Test MCPServerSSE has verify=True by default."""
+    sse_config = MCPServerSSE(url="https://api.example.com/mcp/sse")
+    assert sse_config.verify is True
+
+
+def test_sse_mcp_config_verify_false():
+    """Test MCPServerSSE with verify=False."""
+    sse_config = MCPServerSSE(
+        url="https://api.example.com/mcp/sse",
+        verify=False,
+    )
+    assert sse_config.verify is False
+
+
+def test_sse_mcp_config_verify_ca_bundle():
+    """Test MCPServerSSE with custom CA bundle path."""
+    sse_config = MCPServerSSE(
+        url="https://api.example.com/mcp/sse",
+        verify="/path/to/ca-bundle.crt",
+    )
+    assert sse_config.verify == "/path/to/ca-bundle.crt"
+
+
+def test_agent_with_http_mcp_config_verify_false(mock_tool_definitions):
+    """Test agent setup with MCPServerHTTP configuration with verify=False."""
+    http_config = MCPServerHTTP(
+        url="https://api.example.com/mcp",
+        headers={"Authorization": "Bearer test_token"},
+        verify=False,
+    )
+
+    agent = Agent(
+        role="Test Agent",
+        goal="Test goal",
+        backstory="Test backstory",
+        mcps=[http_config],
+    )
+
+    with patch("crewai.agent.core.MCPClient") as mock_client_class:
+        mock_client = AsyncMock()
+        mock_client.list_tools = AsyncMock(return_value=mock_tool_definitions)
+        mock_client.connected = False
+        mock_client.connect = AsyncMock()
+        mock_client.disconnect = AsyncMock()
+        mock_client_class.return_value = mock_client
+
+        tools = agent.get_mcp_tools([http_config])
+
+        assert len(tools) == 2
+        assert all(isinstance(tool, BaseTool) for tool in tools)
+
+        mock_client_class.assert_called_once()
+        call_args = mock_client_class.call_args
+        transport = call_args.kwargs["transport"]
+        assert transport.url == "https://api.example.com/mcp"
+        assert transport.headers == {"Authorization": "Bearer test_token"}
+        assert transport.verify is False
+
+
+def test_agent_with_http_mcp_config_verify_ca_bundle(mock_tool_definitions):
+    """Test agent setup with MCPServerHTTP configuration with custom CA bundle."""
+    http_config = MCPServerHTTP(
+        url="https://api.example.com/mcp",
+        verify="/path/to/ca-bundle.crt",
+    )
+
+    agent = Agent(
+        role="Test Agent",
+        goal="Test goal",
+        backstory="Test backstory",
+        mcps=[http_config],
+    )
+
+    with patch("crewai.agent.core.MCPClient") as mock_client_class:
+        mock_client = AsyncMock()
+        mock_client.list_tools = AsyncMock(return_value=mock_tool_definitions)
+        mock_client.connected = False
+        mock_client.connect = AsyncMock()
+        mock_client.disconnect = AsyncMock()
+        mock_client_class.return_value = mock_client
+
+        tools = agent.get_mcp_tools([http_config])
+
+        assert len(tools) == 2
+
+        mock_client_class.assert_called_once()
+        call_args = mock_client_class.call_args
+        transport = call_args.kwargs["transport"]
+        assert transport.verify == "/path/to/ca-bundle.crt"
+
+
+def test_agent_with_sse_mcp_config_verify_false(mock_tool_definitions):
+    """Test agent setup with MCPServerSSE configuration with verify=False."""
+    sse_config = MCPServerSSE(
+        url="https://api.example.com/mcp/sse",
+        headers={"Authorization": "Bearer test_token"},
+        verify=False,
+    )
+
+    agent = Agent(
+        role="Test Agent",
+        goal="Test goal",
+        backstory="Test backstory",
+        mcps=[sse_config],
+    )
+
+    with patch("crewai.agent.core.MCPClient") as mock_client_class:
+        mock_client = AsyncMock()
+        mock_client.list_tools = AsyncMock(return_value=mock_tool_definitions)
+        mock_client.connected = False
+        mock_client.connect = AsyncMock()
+        mock_client.disconnect = AsyncMock()
+        mock_client_class.return_value = mock_client
+
+        tools = agent.get_mcp_tools([sse_config])
+
+        assert len(tools) == 2
+        assert all(isinstance(tool, BaseTool) for tool in tools)
+
+        mock_client_class.assert_called_once()
+        call_args = mock_client_class.call_args
+        transport = call_args.kwargs["transport"]
+        assert transport.url == "https://api.example.com/mcp/sse"
+        assert transport.headers == {"Authorization": "Bearer test_token"}
+        assert transport.verify is False
+
+
+def test_agent_with_sse_mcp_config_verify_ca_bundle(mock_tool_definitions):
+    """Test agent setup with MCPServerSSE configuration with custom CA bundle."""
+    sse_config = MCPServerSSE(
+        url="https://api.example.com/mcp/sse",
+        verify="/path/to/ca-bundle.crt",
+    )
+
+    agent = Agent(
+        role="Test Agent",
+        goal="Test goal",
+        backstory="Test backstory",
+        mcps=[sse_config],
+    )
+
+    with patch("crewai.agent.core.MCPClient") as mock_client_class:
+        mock_client = AsyncMock()
+        mock_client.list_tools = AsyncMock(return_value=mock_tool_definitions)
+        mock_client.connected = False
+        mock_client.connect = AsyncMock()
+        mock_client.disconnect = AsyncMock()
+        mock_client_class.return_value = mock_client
+
+        tools = agent.get_mcp_tools([sse_config])
+
+        assert len(tools) == 2
+
+        mock_client_class.assert_called_once()
+        call_args = mock_client_class.call_args
+        transport = call_args.kwargs["transport"]
+        assert transport.verify == "/path/to/ca-bundle.crt"