fix(mcp): respect ssl_verify config for StreamableHTTP servers#13038
Closed
lmoncany wants to merge 1 commit into
Closed
fix(mcp): respect ssl_verify config for StreamableHTTP servers#13038lmoncany wants to merge 1 commit into
lmoncany wants to merge 1 commit into
Conversation
When an MCP server config has ssl_verify: false (e.g. local dev with a self-signed cert), the setting was read from config.yaml but never passed to the httpx client, causing CERTIFICATE_VERIFY_FAILED errors and silent connection failures. Fix: read ssl_verify from config and pass it as the 'verify' kwarg to both code paths: - New API (mcp >= 1.24.0): httpx.AsyncClient(verify=ssl_verify) - Legacy API (mcp < 1.24.0): streamablehttp_client(..., verify=ssl_verify) Fixes local dev setups using ServBay, LocalWP, MAMP, or any stack with a self-signed TLS certificate.
Contributor
briandevans
added a commit
to briandevans/hermes-agent
that referenced
this pull request
Apr 30, 2026
…gle_api (NousResearch#14688) macOS ships /usr/bin/python3 = 3.9. When a local-model-backed agent uses the terminal tool to run `python3 scripts/setup.py --check`, it picks up that system interpreter rather than the Hermes venv's 3.11+. On Py3.9 expressions like `Path | None` in a function signature evaluate at def-time and raise `TypeError: unsupported operand type(s) for |: 'type' and 'NoneType'` BEFORE the script's try/except ModuleNotFoundError fallback can run. Agents interpret the crash as "auth broken" and loop through setup. `from __future__ import annotations` (PEP 563) converts every annotation into a string so the PEP 604 unions never fire at import time. Py3.10+ users are unaffected. Files in this PR: - hermes_constants.py — shared infra, imported transitively by the skill scripts; has `Path | None`, `str | None`, `dict | None`, and two module-level `bool | None` annotations. - skills/productivity/google-workspace/scripts/google_api.py — imported by setup.py's `--check` path; carries `str | None` and `dict | None` on `_gws_binary`/`_run_gws`. Note: the equivalent fix for `scripts/setup.py` already landed on main via NousResearch#13038 ("ship google-workspace deps as [google] extra; make setup.py 3.9-parseable"). The test file pins all three files (hermes_constants, setup, google_api) so the regression guard catches future drift on any of them. Tests (tests/skills/test_py39_compat_google_workspace.py): - AST check that each file starts with `from __future__ import annotations` (substring scan would pass false on a docstring mention). - Verifies each file still contains PEP 604 unions — if a future edit strips them all, the pinned list should be reconsidered. - Smoke test that hermes_constants loads and the previously-crashing `get_optional_skills_dir` and `parse_reasoning_effort` return their expected values. - ast.parse(source, feature_version=(3, 9)) on each file — catches any Py3.10+-only syntax beyond PEP 604 (e.g. match/case). Replaces the prior `py_compile`-based check, which under the CI interpreter (3.11) happily compiled 3.10+-only syntax — Copilot's review on NousResearch#15158 flagged this and suggested ast.parse with feature_version. No runtime behavior change on Py3.10+. On Py3.9 the difference is an import-time TypeError becoming a clean module load. Closes NousResearch#14688 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When an MCP server config has
ssl_verify: falseset inconfig.yaml(needed for local dev environments with self-signed certs — ServBay, LocalWP, MAMP, etc.), the value was read from the config but never actually passed to the httpx client.This caused
[SSL: CERTIFICATE_VERIFY_FAILED]errors at Hermes startup, the MCP server silently failing all 3 connection attempts, and the tools never appearing — even though the config looked correct.Fix
Read
ssl_verifyfrom the server config block and pass it as theverifykwarg in both HTTP code paths:mcp >= 1.24.0):httpx.AsyncClient(verify=ssl_verify)mcp < 1.24.0):streamablehttp_client(..., verify=ssl_verify)Default is
True(no change in behavior for existing configs without the key).Testing
Verified against a local ServBay WordPress install (
dev.afocal.com) with a self-signed cert. Before the fix: SSL errors on every startup. After: bothwordpressandelementorMCP servers connect and register their tools successfully.Config example this enables