//! Server-side TLS (HTTPS) for the Streamable HTTP transport.
//!
//! TLS is opt-in: the HTTP transport only serves over TLS when both a
//! `--tls-cert` and `--tls-key` are configured, otherwise it stays plaintext
//! (the default). Backed by rustls with the `ring` crypto provider — no
//! OpenSSL/aws-lc.

8use std::path::Path;
9
/// Install the rustls `ring` crypto provider as the process default.
///
/// Idempotent — only the first install in the process wins. A later call, or a
/// provider installed by some other part of the process before this runs, is
/// silently ignored, so the provider rustls actually uses is whichever was
/// installed first, not necessarily `ring`. The rustls `ServerConfig` builder
/// reads this process default, so it must be installed before any TLS config
/// is built.
pub fn ensure_crypto_provider() {
    match rustls::crypto::ring::default_provider().install_default() {
        Ok(()) => {}
        // Err carries the provider that is already installed; that is the
        // expected idempotent path, not a failure, so there is nothing to do.
        Err(_already_installed) => {}
    }
}
18
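/// Build an axum-server rustls config from a PEM certificate chain and private
/// key.
///
/// Installs the `ring` provider on first call (see [`ensure_crypto_provider`]).
/// Both files are read in full when this is called; nothing in this module
/// re-reads them afterwards, so a certificate or key rotated on disk is not
/// picked up unless the caller rebuilds or reloads the config. No ownership or
/// permission check is made on `key_path` — restricting the key file to the
/// service user is left to the operator.
///
/// # Errors
///
/// Returns the `io::Error` raised while loading or parsing the files (it maps
/// onto `MCSError::IoError`). Both paths are appended to the message so a log
/// line shows which files were in play; the original `ErrorKind` is preserved
/// for callers that match on it.
pub async fn server_config(
    cert_path: &Path,
    key_path: &Path,
) -> std::io::Result<axum_server::tls_rustls::RustlsConfig> {
    ensure_crypto_provider();
    axum_server::tls_rustls::RustlsConfig::from_pem_file(cert_path, key_path)
        .await
        .map_err(|e| {
            // Keep the kind (NotFound, PermissionDenied, ...) so the failure
            // mode is still distinguishable; only the message gains context.
            std::io::Error::new(
                e.kind(),
                format!(
                    "loading TLS cert {} / key {}: {e}",
                    cert_path.display(),
                    key_path.display()
                ),
            )
        })
}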
28}