sdk-python
[Feature Request] Support disabling host verification
I am unable to use the Python SDK to connect to a Temporal cluster when using self-generated TLS certificates, due to domain name validation. We use generic self-generated TLS certificates as part of our testing process against various Temporal clusters. In other SDKs & the CLI, we usually disable domain name validation in order to enable this standardization, e.g. by using the TEMPORAL_TLS_DISABLE_HOST_VERIFICATION environment variable in the CLI or the SimpleSslContextBuilder setUseInsecureTrustManager method in Java. In the Python SDK, I get the following error:
  File "/usr/local/lib64/python3.11/site-packages/temporalio/client.py", line 164, in connect
    await temporalio.service.ServiceClient.connect(connect_config),
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib64/python3.11/site-packages/temporalio/service.py", line 184, in connect
    return await _BridgeServiceClient.connect(config)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib64/python3.11/site-packages/temporalio/service.py", line 711, in connect
    await client._connected_client()
  File "/usr/local/lib64/python3.11/site-packages/temporalio/service.py", line 724, in _connected_client
    self._bridge_client = await temporalio.bridge.client.Client.connect(
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib64/python3.11/site-packages/temporalio/bridge/client.py", line 87, in connect
    await temporalio.bridge.temporal_sdk_bridge.connect_client(
RuntimeError: Failed client connect: Server connection error: tonic::transport::Error(Transport, hyper::Error(Connect, Custom { kind: InvalidData, error: InvalidCertificate(NotValidForName) }))
Describe the solution you'd like
It would be great to be able to disable hostname validation as part of the TlsConfig class. It appears that the client TLS is configured here in the Rust SDK. Perhaps a hostname validation disable flag could drive the behavior down here somewhere.
Additional context
I'm happy to help contribute on this if that would be welcome. Thanks!
We can look into having a disable host verification option.
NotValidForName
So it looks like the cert for the server is for a different name than the host you're connecting to. You should be able to set TlsConfig.domain as an expected domain from the cert the server uses, instead of it defaulting to the given host (this is an SNI override).
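The override suggested above, as an added example that is not code from this issue or from the temporalio project: given the names the shared test certificate was issued for, the helper picks a concrete TlsConfig.domain value so that hostname verification stays on even when the connect target (an IP or an internal alias) is not in the certificate. The SDK's TlsConfig class, its server_root_ca_cert and domain parameters, and the SAN names used here are assumptions; the name matching is a simplified version of the usual RFC 6125 wildcard rule.

```python
from typing import Iterable, Optional


def name_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 check (assumption: close to what the TLS stack
    does): '*' is allowed only as the whole leftmost label, matches exactly
    one label, and the pattern must keep at least two fixed labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def choose_domain(target_host: str, cert_names: Iterable[str]) -> Optional[str]:
    """Return the value to pass as TlsConfig.domain.

    None  -> the certificate already covers target_host, no override needed.
    str   -> a concrete name from the certificate; the client verifies the
             server cert against this name (and sends it as SNI) instead of
             the address it dialled, so verification is never switched off.
    """
    names = list(cert_names)
    if any(name_matches(n, target_host) for n in names):
        return None
    for n in names:
        if "*" not in n:  # a wildcard cannot be used literally as the expected name
            return n
    raise ValueError(
        f"certificate names {names} cover neither {target_host!r} nor offer a "
        "concrete name; pick a hostname matching the wildcard explicitly"
    )


def build_tls_config(target_host: str, cert_names: Iterable[str], ca_pem: bytes):
    """Build the SDK TlsConfig (imported lazily so the helpers above run
    without the temporalio package installed)."""
    from temporalio.service import TlsConfig  # assumed SDK class/parameters

    return TlsConfig(server_root_ca_cert=ca_pem, domain=choose_domain(target_host, cert_names))


if __name__ == "__main__":
    # Constructed sample: test cert issued for these names, cluster reached by IP.
    san_names = ["temporal-test", "*.temporal.test"]
    print(choose_domain("frontend.temporal.test", san_names))  # None
    print(choose_domain("10.0.0.5", san_names))                # temporal-test
```

Pass the resulting object as the tls= argument of Client.connect (assumed signature) together with the same target host; the connection still fails closed if the presented certificate is not valid for the chosen domain.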