How to disable host name verification

Hi,

How do I disable host name verification when connecting from a worker to Temporal over SSL?
I didn't see the option in the API.

WorkflowServiceStubs service =
    WorkflowServiceStubs.newInstance(
        WorkflowServiceStubsOptions.newBuilder()
            .setSslContext(SimpleSslContextBuilder.newBuilder(clientCert, clientKey).build())
            .setTarget(targetEndpoint)
            .build());

Thanks
phani

Which server version are you using? Since version 1.9.x host name verification is performed by default if TLS is enabled.
See the --tls_disable_host_verification flag on tctl here on how to disable it.

Yes, we can disable it from tctl. What about the worker when communicating with Temporal?

SimpleSslContextBuilder has a "setUseInsecureTrustManager" method you can set to true.
Have you tried it to see if that fixes the issue?

@Vitaly do you know if this can be done any other way?

I have TLS hostname verification disabled using the method @tihomir mentioned and it seems to work fine.

    @Bean
    public WorkflowServiceStubs workflowServiceStubs() throws SSLException {
        logger.info("Getting connection to {}", config.getServiceAddress());

        SimpleSslContextBuilder builder =
            SimpleSslContextBuilder.newBuilder(null, null).setUseInsecureTrustManager(true);

        return WorkflowServiceStubs.newInstance(
            WorkflowServiceStubsOptions.newBuilder()
                .setSslContext(builder.build())
                .setTarget(config.getServiceAddress())
                .build());
    }

The insecure trust manager turns off client-side validation; it's not recommended for a production setup as it would allow a potential man-in-the-middle attack.
@arnesenfamily I'm not sure what the original problem is; what type of error are you getting?

Hi,

Below is the issue I am facing. I used the GitHub sample below to secure tctl with mTLS.

I have tested with the tctl command below and everything is working as expected.

tctl --tls_ca_path=ca/server-intermediate-ca.pem --tls_cert_path=/internode/cluster-internode.pem --tls_key_path=tls-full/certs/cluster/internode/cluster-internode.key --tls_disable_host_verification=true --tls_server_name=internode.cluster-x.contoso.com cluster get-search-attributes

Now I am trying my worker with SSL enabled using the same certs, and I am getting the exception below:

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.

As I am testing locally and using the same certificates the example provided, I assume this may be related to hostname verification.

Thanks
phani

Are you setting server name in your client like you did with tctl?

Hi All,

Thank you for the help. Finally, below is the worker code to communicate over mTLS.

    import io.grpc.Grpc;
    import io.grpc.ManagedChannel;
    import io.grpc.TlsChannelCredentials;
    import io.temporal.client.WorkflowClient;
    import io.temporal.client.WorkflowClientOptions;
    import io.temporal.serviceclient.WorkflowServiceStubs;
    import io.temporal.serviceclient.WorkflowServiceStubsOptions;
    import io.temporal.worker.WorkerFactory;
    import java.io.File;
    import java.io.IOException;

    public class MtlsWorker {
        public static void main(String[] args) throws IOException {
            // Client certificate chain and PKCS#8 private key presented to the server (mTLS)
            TlsChannelCredentials.Builder tlsBuilder = TlsChannelCredentials.newBuilder();
            tlsBuilder.keyManager(
                new File("/tls/tls-full/certs/cluster/internode/cluster-internode.pem"),
                new File("/pkcs8_key.pem"));

            // CA used to validate the server certificate
            tlsBuilder.trustManager(
                new File("//tls/tls-full/certs/cluster/ca/server-intermediate-ca.pem"));

            // overrideAuthority sets the name that is checked against the server certificate's SAN
            ManagedChannel channel = Grpc
                .newChannelBuilderForAddress("localhost", 7233, tlsBuilder.build())
                .overrideAuthority("abc.com")
                .build();

            WorkflowServiceStubs service =
                WorkflowServiceStubs.newInstance(
                    WorkflowServiceStubsOptions.newBuilder()
                        .setChannel(channel)
                        // .setTarget("localhost:7233")
                        .build());

            WorkflowClient client =
                WorkflowClient.newInstance(
                    service, WorkflowClientOptions.newBuilder().setNamespace("default").build());
            WorkerFactory factory = WorkerFactory.newInstance(client);
            factory.start();
        }
    }
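The thread settles on two ways of getting past the "No subject alternative DNS name matching localhost found" error: switching on the insecure trust manager, which Vitaly warns drops all server validation, or keeping validation and telling gRPC which certificate name to verify, which is what the final worker code does with overrideAuthority. The following class puts the weak and the hardened configuration side by side. It is an added example, not code from this thread or from the Temporal project; the file paths, the class and method names, and the use of the thread's tctl server name as the authority are assumptions for illustration.

```java
import io.grpc.Grpc;
import io.grpc.ManagedChannel;
import io.grpc.TlsChannelCredentials;
import io.netty.handler.ssl.SslContext;
import io.temporal.serviceclient.SimpleSslContextBuilder;
import io.temporal.serviceclient.WorkflowServiceStubs;
import io.temporal.serviceclient.WorkflowServiceStubsOptions;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Two ways to wire a Temporal Java worker to an mTLS-protected frontend.
 * All file paths, host names and the port below are assumed values for this example.
 */
public final class TemporalClientTls {

  // Assumed locations of the client certificate chain, its PKCS#8 private key and the cluster CA.
  static final File CLIENT_CERT = new File("/tls/client/client.pem");
  static final File CLIENT_KEY = new File("/tls/client/client-pkcs8.key");
  static final File CLUSTER_CA = new File("/tls/ca/server-intermediate-ca.pem");

  /**
   * Weak: the insecure trust manager accepts any server certificate, so neither the issuing CA
   * nor the host name is checked. Traffic is still encrypted, but whoever can place themselves
   * between the worker and the frontend can present their own certificate and be accepted.
   * Kept here only to contrast with verifiedStubs below.
   */
  static WorkflowServiceStubs insecureStubs(String target) throws IOException {
    try (InputStream cert = new FileInputStream(CLIENT_CERT);
        InputStream key = new FileInputStream(CLIENT_KEY)) {
      SslContext ctx =
          SimpleSslContextBuilder.newBuilder(cert, key)
              .setUseInsecureTrustManager(true) // disables the CA check and the host name check together
              .build();
      return WorkflowServiceStubs.newInstance(
          WorkflowServiceStubsOptions.newBuilder().setSslContext(ctx).setTarget(target).build());
    }
  }

  /**
   * Hardened: trust only the cluster CA and keep host name verification on. When the address the
   * worker dials (localhost during local testing) is not among the names in the server
   * certificate's SAN, overrideAuthority tells gRPC which SAN entry to verify against; it plays the
   * same role as --tls_server_name for tctl. The name must actually be in the certificate, so this
   * narrows the check to the intended identity rather than skipping it.
   */
  static WorkflowServiceStubs verifiedStubs(String host, int port, String serverName)
      throws IOException {
    ManagedChannel channel =
        Grpc.newChannelBuilderForAddress(
                host,
                port,
                TlsChannelCredentials.newBuilder()
                    .keyManager(CLIENT_CERT, CLIENT_KEY) // client identity for mTLS
                    .trustManager(CLUSTER_CA) // only chains ending at this CA are accepted
                    .build())
            .overrideAuthority(serverName)
            .build();
    return WorkflowServiceStubs.newInstance(
        WorkflowServiceStubsOptions.newBuilder().setChannel(channel).build());
  }

  public static void main(String[] args) throws IOException {
    // Local test: the frontend is reached at localhost:7233 but its certificate carries
    // internode.cluster-x.contoso.com (the name the thread passes to tctl), so verify that name.
    WorkflowServiceStubs service =
        verifiedStubs("localhost", 7233, "internode.cluster-x.contoso.com");
    System.out.println("Connected with host name verification enabled: " + service);
    service.shutdownNow();
  }
}
```

If the hardened variant still fails with a "No subject alternative DNS name" error, the name passed to overrideAuthority is not in the server certificate's SAN list; the fix is to issue a certificate that carries the name the worker expects, not to fall back to the insecure trust manager.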

Hi Sergey,

Is it possible to add Temporal Web to customization-samples? How do we use Temporal Web when adding mTLS for tctl and the worker?
I added the below to the docker file but it is failing:

    temporal-web:
      image: temporalio/web:latest
      ports:
        - "8088:8088"
      stdin_open: true
      tty: true
      volumes:
        - ${TEMPORAL_LOCAL_CERT_DIR}:${TEMPORAL_TLS_CERTS_DIR}
      environment:
        - "TEMPORAL_CLI_ADDRESS=temporal:7233"
        - "TEMPORAL_CLI_TLS_CA=${TEMPORAL_TLS_CERTS_DIR}/cluster/ca/server-intermediate-ca.pem"
        - "TEMPORAL_CLI_TLS_CERT=${TEMPORAL_TLS_CERTS_DIR}/cluster/internode/cluster-internode.pem"
        - "TEMPORAL_CLI_TLS_KEY=${TEMPORAL_TLS_CERTS_DIR}/cluster/internode/cluster-internode.key"
        - "TEMPORAL_CLI_TLS_ENABLE_HOST_VERIFICATION=true"
        - "TEMPORAL_CLI_TLS_SERVER_NAME=internode.cluster-x.contoso.com"
      depends_on:
        - temporal

Hi,

The configuration below worked:

    temporal-web:
      image: temporalio/web
      ports:
        - "8088:8088"
      stdin_open: true
      tty: true
      volumes:
        - ${TEMPORAL_LOCAL_CERT_DIR}:${TEMPORAL_TLS_CERTS_DIR}
      environment:
        - "TEMPORAL_GRPC_ENDPOINT=temporal:7233"
        - "TEMPORAL_CONFIG_PATH=./server/config.yml"
        - "TEMPORAL_CLI_ADDRESS=temporal:7233"
        - "TEMPORAL_TLS_CA_PATH=${TEMPORAL_TLS_CERTS_DIR}/cluster/ca/server-intermediate-ca.pem"
        - "TEMPORAL_TLS_CERT_PATH=${TEMPORAL_TLS_CERTS_DIR}/cluster/internode/cluster-internode.pem"
        - "TEMPORAL_TLS_KEY_PATH=${TEMPORAL_TLS_CERTS_DIR}/cluster/internode/cluster-internode.key"
        - "TEMPORAL_TLS_ENABLE_HOST_VERIFICATION=true"
        - "TEMPORAL_TLS_SERVER_NAME=internode.cluster-x.contoso.com"
      depends_on:
        - temporal

Thanks
phani