
[Feature Request] Support disabling host verification #463

Open
BrianKopp opened this issue Jan 19, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@BrianKopp

I am unable to use the Python SDK to connect to a Temporal cluster when using self-generated TLS certificates, due to domain name validation. We use generic self-generated TLS certificates as part of our testing process against various Temporal clusters. In other SDKs and the CLI, we usually disable domain name validation in order to enable this standardization, e.g. by using the TEMPORAL_TLS_DISABLE_HOST_VERIFICATION environment variable in the CLI or the SimpleSslContextBuilder setUseInsecureTrustManager method in Java. In the Python SDK, I get the following error:

```
  File "/usr/local/lib64/python3.11/site-packages/temporalio/client.py", line 164, in connect
    await temporalio.service.ServiceClient.connect(connect_config),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib64/python3.11/site-packages/temporalio/service.py", line 184, in connect
    return await _BridgeServiceClient.connect(config)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib64/python3.11/site-packages/temporalio/service.py", line 711, in connect
    await client._connected_client()
  File "/usr/local/lib64/python3.11/site-packages/temporalio/service.py", line 724, in _connected_client
    self._bridge_client = await temporalio.bridge.client.Client.connect(
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib64/python3.11/site-packages/temporalio/bridge/client.py", line 87, in connect
    await temporalio.bridge.temporal_sdk_bridge.connect_client(
RuntimeError: Failed client connect: Server connection error: tonic::transport::Error(Transport, hyper::Error(Connect, Custom { kind: InvalidData, error: InvalidCertificate(NotValidForName) }))
```

Describe the solution you'd like

It would be great to be able to disable hostname validation as part of the TlsConfig class. It appears that the client TLS is configured here in the rust SDK. Perhaps a hostname validation disable flag could drive the behavior down here somewhere.

Additional context

I'm happy to help contribute on this if that would be welcome. Thanks!

@BrianKopp BrianKopp added the enhancement New feature or request label Jan 19, 2024
@cretz
Member

cretz commented Jan 20, 2024

We can look into having a disable host verification option.

> NotValidForName

So it looks like the cert for the server is for a different name than the host you're connecting to. You should be able to set TlsConfig.domain as an expected domain from the cert the server uses, instead of it defaulting to the given host (this is the SNI override).
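The following is an added example, not code from the Temporal SDK or from either participant. It models the check behind the `InvalidCertificate(NotValidForName)` error: the TLS client compares an expected name with the certificate's Subject Alternative Name entries, and the "domain override" that `TlsConfig.domain` provides simply swaps the dialled host for a pinned expected name. The `ServerCert` stand-in, the `expected_domain` parameter and the sample names are constructed for illustration; the matching rules follow RFC 6125 (case-insensitive, a single `*` only as the whole left-most label). The point for anyone reusing one generic test certificate across clusters is that pinning the name the cert was issued for keeps verification on, whereas a disable flag turns it off entirely.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


class NotValidForName(Exception):
    """Raised when no SAN dNSName entry covers the expected name."""


@dataclass
class ServerCert:
    # Constructed stand-in for an X.509 leaf certificate. Only the SAN
    # dNSName entries matter here: RFC 6125 verifiers ignore the CN when
    # a SAN extension is present.
    san_dns_names: list[str] = field(default_factory=list)


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN entry against a hostname.

    Case-insensitive; a wildcard is allowed only as the entire left-most
    label, never matches across a dot, and must leave at least two fixed
    labels (so '*.example' style patterns are rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_server_name(
    cert: ServerCert, host: str, expected_domain: Optional[str] = None
) -> str:
    """Return the name the certificate was verified against, or raise.

    `expected_domain` plays the role of TlsConfig.domain (hypothetical
    parameter name here): when set, it replaces the dialled `host` as the
    name the certificate must be valid for. Chain and expiry checks are
    out of scope for this model and would still run in a real client."""
    name = expected_domain or host
    if not any(_dns_name_matches(san, name) for san in cert.san_dns_names):
        raise NotValidForName(
            f"certificate SANs {cert.san_dns_names} do not cover {name!r}"
        )
    return name


def demo() -> dict[str, str]:
    """Constructed scenario from the issue: one generic test certificate is
    reused for several clusters, so the dialled host never matches."""
    generic_cert = ServerCert(
        san_dns_names=["temporal.test.example", "*.clusters.test.example"]
    )
    results: dict[str, str] = {}

    # Default behaviour: verify against the host that was dialled.
    try:
        results["default"] = verify_server_name(generic_cert, "temporal-a.internal")
    except NotValidForName:
        results["default"] = "NotValidForName"

    # Domain override: verify against the name the test cert was issued for.
    results["override"] = verify_server_name(
        generic_cert, "temporal-a.internal", expected_domain="temporal.test.example"
    )

    # Wildcard SAN covers exactly one extra label, not nested subdomains.
    results["wildcard"] = verify_server_name(
        generic_cert, "cluster-b.clusters.test.example"
    )
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>9}: {outcome}")
```

Running the block prints the three outcomes: the default check fails with `NotValidForName`, the override succeeds against the pinned name, and the wildcard entry matches a single-label subdomain. The override still requires the certificate to chain to a trusted root, so it is a narrower change than disabling host verification, which also removes the defence against a valid-but-wrong certificate presented by another host.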
