genai-toolbox icon indicating copy to clipboard operation
genai-toolbox copied to clipboard
verified publisher icon googleapis

Support for disabling SSL verification for Trino

Open askurat opened this issue 3 months ago • 5 comments

Prerequisites

What are you trying to do that currently feels hard or impossible?

Similar to what was done for http, can there be a flag added to disable ssl verification for Trino?

Or is there a way to include trust store certificate.

Suggested Solution(s)

No response

Alternatives Considered

No response

Additional Details

No response

askurat avatar Nov 08 '25 16:11 askurat

If I understand correctly, Toolbox currently verifies SSL certs when connecting to Trino, but there’s no way to control that behavior. You’re asking for an option to disable SSL verification or include a trust store certificate (similar to what exists for the HTTP tools).

A couple of thoughts and questions:

  • Are you using a self-signed or internal CA for Trino?

  • Would something like this in the YAML solve your case?

    ssl_verify: true # default ssl_ca_file: /path/to/ca.pem # optional custom CA/trust store // or, for local dev only // ssl_verify: false

I think adding both makes sense for flexibility, but it’d be better to prioritize the ssl_ca_file option — that way users can still connect securely instead of fully disabling SSL. The ssl_verify: false flag could still be there for quick local setups or testing.

Under the hood this would just map to the Trino client’s verify argument, so implementation should be straightforward if maintainers agree.

sudiptap avatar Nov 09 '25 02:11 sudiptap

Yes, for instance when connecting through dbeaver I use something like: jdbc:trino//{host}:{port}/{catalog}/{table}?SSL=true&SSLVerification=NONE

SSL is enabled but verification is disabled. Having the ability to disable verification and be able to set a trust store jks and password would give more flexability.

askurat avatar Nov 09 '25 04:11 askurat

I was wondering whether we should should add fields that could act as string substitutions for these params.

Eg.

  • ssl
  • sslverification

The values of these would directly substitute the values in the connection string as mentioned here:

jdbc:trino//{host}:{port}/{catalog}/{table}?SSL=true&SSLVerification=NONE

This should be more intuitive to the developers. We should add warnings for insecure connections. Do you see any potential issues with this? Any other thoughts?

twishabansal avatar Nov 11 '25 06:11 twishabansal

This would be great.

askurat avatar Nov 14 '25 16:11 askurat

@askurat We'll be happy to take in contributions for this issue!

twishabansal avatar Nov 17 '25 05:11 twishabansal

I also encountered the same problem. My Trino uses https, which uses an IP address and a self-signed certificate, so I need to cancel the certificate verification. I'm also looking forward to this feature. May I ask when it will be resolved?

devops avatar Dec 08 '25 06:12 devops

I also discovered a problem with parameter invocation。

tools: search_orders_by_region: kind: trino-sql source: my-trino-instance statement: | SELECT * FROM hive.sales.orders WHERE region = $1 AND order_date >= DATE($2) LIMIT 10 description: | Use this tool to get information for orders in a specific region. parameters: - name: region type: string description: Region unique identifier - name: order_date type: string description: Order date in YYYY-MM-DD format

Using the above example will result in an error: unable to execute query: trino: query failed (400 Bad Request): \"Invalid X-Trino-Prepared-Statement header: line 7:16: mismatched input '$'. Expecting: 'ALL', 'ANY', 'SOME', <expression>\ Change $1 to? Then it can be used normally

devops avatar Dec 08 '25 09:12 devops

Hi, this feature is now supported with #2155, please check it out! :) It will be included in our next release. Thank you!

Yuan325 avatar Jan 07 '26 21:01 Yuan325