
[Bug] TLS server name override not respected #1681


Open
dan8f opened this issue Apr 17, 2025 · 5 comments
Labels
bug Something isn't working

Comments

@dan8f

dan8f commented Apr 17, 2025

What are you really trying to do?

Setting a TLS server name override in client connection connect

Describe the bug

When setting a server name override in client connection, the TLS server name is mishandled by grpc-js library and ends up overridden with the address provided

Minimal Reproduction

  // Reporter's reproduction. <address> and <override> are placeholders;
  // apiKey and metadata are defined elsewhere in the reporter's code.
  import { Connection, Client } from '@temporalio/client';

  const connection = await Connection.connect({
    address: '<address>:7233',

    tls: {
      // Expected: TLS SNI / certificate check uses <override>.
      // Observed: grpc-js uses the host part of `address` instead.
      serverNameOverride: '<override>',
    },

    apiKey,

    metadata,
  });

Environment/Versions

TS SDK 1.11.7

Additional context

grpc-js servername override

@dan8f dan8f added the bug Something isn't working label Apr 17, 2025
@dan8f dan8f changed the title [Bug] FILL_TITLE_HERE [Bug] TLS server name override not respected Apr 17, 2025
@kazaz-lumida

Yes please :) This is blocking us from taking our app to production where we only want to use PrivateLink and not go through the internet

@kazaz-lumida

Can anyone please let us know what is the status here?
This is a MAJOR security issue from our side and a core functionality of the SDK.
To be honest I'm surprised it was not addressed right away given its importance and what seems to be an easy fix.

@mjameswh
Contributor

Very sorry for the delay. I was honestly under the impression that our support team had already provided you a suitable workaround through our Zendesk portal, but this might have been a different conversation. My bad.

The current workaround is to add this dependency to your own package.json:

"@grpc/grpc-js": "1.12.6"

This will get Client connections through Private Link working properly.

@kazaz-lumida

Thank you @mjameswh , any estimation on getting a real fix?
Pinning the version also means I'm not going to get any new security updates on such a critical package, which is a security concern on its own.

@mjameswh
Contributor

any estimation on getting a real fix?

There are actually two solutions coming up:

  1. grpc-js: Fix ability to set SNI with ssl_target_name_override option grpc/grpc-node#2956;
  2. NativeConnection powered Client #1699 (to be released in TS SDK 1.12.0).

Either of these two will resolve the problem you are facing.

I expect both to be available in the next few days.
