Skip to content

Commit 718735c

Browse files
rhinocaprdimitrov
andauthored
docs(authentication): note OpenSSL 3.x requirement for Ed25519 (#1253)
## Summary The DNS and HTTP authentication guides currently run `openssl genpkey -algorithm Ed25519 -out key.pem` without caveat. macOS ships LibreSSL as the system `openssl` binary, and LibreSSL doesn't implement Ed25519 in `genpkey` — so the very first command in the Ed25519 codepath errors out with: ``` Algorithm Ed25519 not found ``` A first-time integrator on macOS hits this immediately, with no path to a fix from the docs alone. Cost me ~5 minutes earlier today before I figured out I needed `brew install openssl@3` and an explicit binary path. This PR adds a `<Note>` callout to the **DNS Authentication** section right above the Ed25519 codepath, and a shorter cross-reference Note in the **HTTP Authentication** section since the same `openssl genpkey -algorithm Ed25519` commands appear there. The ECDSA P-384 codepath works on LibreSSL, so it's untouched. ## Test plan - [x] Verified locally that `/opt/homebrew/opt/openssl@3/bin/openssl genpkey -algorithm Ed25519 -out key.pem` works on macOS Darwin 25.4.0 - [x] Verified the system `/usr/bin/openssl genpkey -algorithm Ed25519 -out key.pem` fails with `Algorithm Ed25519 not found` on the same machine (LibreSSL 3.3.6) - [x] Verified the published `ai.ravenmcp/raven-mcp` flow end-to-end with the OpenSSL 3 binary - [ ] Markdown rendering of the `<Note>` callouts — relying on the existing `<Note>` pattern in this file (line 6) to validate the syntax Co-authored-by: Radoslav Dimitrov <radoslav@stacklok.com>
1 parent 321337c commit 718735c

1 file changed

Lines changed: 8 additions & 0 deletions

File tree

docs/modelcontextprotocol-io/authentication.mdx

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -59,6 +59,10 @@ DNS authentication is a domain-based authentication method that relies on a DNS
5959

6060
To perform DNS authentication using the `mcp-publisher` CLI tool, run the following commands in your server project directory to generate a TXT record based on a public/private key pair:
6161

62+
<Note>
63+
The Ed25519 codepath requires **OpenSSL 3.0 or later**. macOS ships with LibreSSL by default (the system `openssl` binary), which does not implement Ed25519 in `genpkey` and fails with `Algorithm Ed25519 not found`. On macOS, install OpenSSL 3 (`brew install openssl@3`) and invoke it explicitly — for example, replace `openssl` with `/opt/homebrew/opt/openssl@3/bin/openssl` (Apple Silicon) or `/usr/local/opt/openssl@3/bin/openssl` (Intel) in the commands below. The ECDSA P-384 codepath works on LibreSSL.
64+
</Note>
65+
6266
<CodeGroup>
6367

6468
```bash Ed25519
@@ -185,6 +189,10 @@ HTTP authentication is a domain-based authentication method that relies on a `/.
185189

186190
To perform HTTP authentication using the `mcp-publisher` CLI tool, run the following commands in your server project directory to generate an `mcp-registry-auth` file based on a public/private key pair:
187191

192+
<Note>
193+
As with DNS authentication, the Ed25519 codepath requires **OpenSSL 3.0 or later**. macOS's system LibreSSL does not support Ed25519 in `genpkey`. See the note in the [DNS Authentication](#dns-authentication) section for the macOS workaround.
194+
</Note>
195+
188196
<CodeGroup>
189197

190198
```bash Ed25519

0 commit comments

Comments
 (0)