Enable TLS for membership port traffic and worker grpc traffic

Hey there!

We followed the example in samples-server/tls/tls-simple at main · temporalio/samples-server · GitHub and the temporal docs, but we could not find a way to enable TLS for the traffic on the membership port and the worker grpc port. Only the other services seem to be working with mTLS.

In my example I have

    worker:
        rpc:
            grpcPort: 7239
            membershipPort: 6939

and there is no TLS on those ports:

    openssl s_client -showcerts -connect localhost:7239
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 293 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    openssl s_client -showcerts -connect localhost:6939
    CONNECTED(00000003)

I’ve tried to look into the docs and the codebase but I could not find any place where TLS can be enabled there.

Can anybody clarify if it’s possible to do it? If not, what’s the unencrypted traffic there? Is it just encoded in some predictable way? Is there, potentially, sensitive data flowing?

The worker doesn’t listen on a grpc port.

You can enable TLS for membership with dynamic config system.enableRingpopTLS (it should probably have been a static config but is in dynamic config). Just set it to true, it’ll use the configured internode certs.
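As an added illustration (not part of the reply above, and not taken from temporalio/samples-server), this is how the two pieces fit together: the static config’s internode TLS section that the membership layer reuses, and the dynamic config entry that turns it on. The certificate paths, the serverName and the file locations in the comments are placeholders.

```yaml
# --- static config (e.g. config/development.yaml); paths and serverName are placeholders ---
global:
  tls:
    internode:
      # Certificate this node presents to the other nodes. With system.enableRingpopTLS
      # set, the membership (ringpop) listener uses this same server configuration.
      server:
        certFile: /etc/temporal/certs/internode.pem        # placeholder path
        keyFile: /etc/temporal/certs/internode.key         # placeholder path
        requireClientAuth: true                             # mTLS between nodes
        clientCaFiles:
          - /etc/temporal/certs/internode-ca.pem           # placeholder path
      # How this node verifies the other nodes when it dials them.
      client:
        serverName: internode.temporal.example             # placeholder, must match the cert SAN
        rootCaFiles:
          - /etc/temporal/certs/internode-ca.pem           # placeholder path

# --- dynamic config (the file named by dynamicConfigClient.filepath in the static config) ---
# Dynamic config keys map to a list of value/constraints pairs; an empty
# constraints map applies the value to the whole cluster.
system.enableRingpopTLS:
  - value: true
    constraints: {}
```

After restarting the services, `openssl s_client -connect <host>:6939` should return a certificate chain instead of "no peer certificate available", which is the quickest way to confirm the membership port is now on TLS.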

Hi @dnr

First of all, thank you very much for your reply! Could you also clarify what the usage of port 7239 is for the worker service? Is it possible to enable TLS on that port as well? The services section of my yaml config is the following, for example:

    services:
        frontend:
            rpc:
                grpcPort: 7233
                membershipPort: 6933
                bindOnIP: 172.25.0.3
                httpPort: 7243

        matching:
            rpc:
                grpcPort: 7235
                membershipPort: 6935
                bindOnIP: 172.25.0.3

        history:
            rpc:
                grpcPort: 7234
                membershipPort: 6934
                bindOnIP: 172.25.0.3

        worker:
            rpc:
                grpcPort: 7239
                membershipPort: 6939
                bindOnIP: 172.25.0.3

Thanks!

There is nothing listening on that port. It’s only there because the membership stuff is written in a way that requires each participant to have an “application port”. But it’s not used for anything.
