Temporal frontend identified with weak/vulnerable ciphers

We have run sslscan against the gRPC frontend and have noticed that the ciphers below are still supported. However, these are vulnerable/weak. We have enabled a set of safe ciphers to be used by passing the env variable GRPC_SSL_CIPHER_SUITES. This hasn't resolved the problem yet.

GRPC_SSL_CIPHER_SUITES=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305

=========List of vulnerable ciphers============
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 112 bits TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.2 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA

Can you please help us get rid of these ciphers?
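A check that can be rerun after each configuration change or upgrade to confirm whether the allow-list is being enforced, as an added example that is not part of the original thread or of Temporal's code: it parses sslscan output and reports every accepted suite that is outside the GRPC_SSL_CIPHER_SUITES value from the post. The function names and the final `Preferred` scan line are constructed for illustration, and suite names are compared as exact strings.

```python
import re

# Allow-list exactly as set in the post via GRPC_SSL_CIPHER_SUITES.
ALLOWED = ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
           "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
           "ECDHE-RSA-CHACHA20-POLY1305")

# sslscan lines from the post; the last line is constructed to show a pass.
SCAN = """\
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 112 bits TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.2 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # sslscan colours its terminal output
LINE = re.compile(r"^(?:Accepted|Preferred)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

def parse_scan(text):
    """Return (protocol, bits, cipher) for every suite the server accepted."""
    hits = (LINE.match(ANSI.sub("", raw).strip()) for raw in text.splitlines())
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in hits if m]

def why_weak(bits, cipher):
    """Well-known weaknesses that can be read from the suite name alone."""
    checks = [
        ("3DES" in cipher or bits < 128, "3DES / under 128 bits"),
        (not re.search(r"GCM|CHACHA20|CCM", cipher), "no AEAD (CBC or legacy cipher)"),
        (not re.search(r"^TLS_(AES|CHACHA20)|DHE", cipher), "no (EC)DHE key exchange, no forward secrecy"),
    ]
    return [label for hit, label in checks if hit]

def violations(scan_text, allowed=ALLOWED):
    """Suites the server accepted although they are not in the allow-list."""
    allow = set(allowed.split(":"))
    return [(proto, cipher, why_weak(bits, cipher))
            for proto, bits, cipher in parse_scan(scan_text)
            if cipher not in allow]

if __name__ == "__main__":
    for proto, cipher, reasons in violations(SCAN):
        print(f"{proto} {cipher}: {'; '.join(reasons) or 'not in allow-list'}")
```

sslscan prints some suites under OpenSSL names and others under IANA names, as the 3DES lines above show, so an allowed suite reported under its IANA name would need a name mapping before this comparison is reliable.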

Thanks for reporting. What's the server version you tested against?

We are running against the latest 1.18.4 version.

Just to update, we have opened "GRPC_SSL_CIPHER_SUITES not respected" (Issue #3590, temporalio/temporal on GitHub).
Feel free to add more information there if you want. Thanks.

Thank you Tihomir, any idea when we can expect this issue to be fixed? I suppose there will be a new release version.