Skip to content

fix: TLS Hostname Mismatch & Certificate Verification Failure for Nodes #1038

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
manishdait wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

fix: TLS Hostname Mismatch & Certificate Verification Failure for Nodes #1038

manishdait wants to merge 4 commits into from
+78 −44

Conversation

@manishdait
Copy link
Contributor

@manishdait manishdait commented Dec 11, 2025

Description:
This PR addresses TLS hostname overrides for certificate validation in the Python SDK, ensuring secure gRPC connections to Hedera nodes.

Changes Made:

  • Added the _node_pem_cert field to store the PEM certificate for the node.
  • Updated _get_channel() to use _fetch_server_certificate_pem() if root_certificates are not provided.
  • Updated _build_channel_options() to return the following options:
options = [
    ("grpc.default_authority", "127.0.0.1"),
    ("grpc.ssl_target_name_override", "127.0.0.1"),
    ("grpc.keepalive_time_ms", 100000),
    ("grpc.keepalive_timeout_ms", 10000),
    ("grpc.keepalive_permit_without_calls", 1)
]
  • Updated unit tests to cover the new certificate handling and channel creation logic.

Related issue(s):

Fixes #1032

Notes for reviewer:

Checklist

  • Documented (Code comments, README, etc.)
  • Tested (unit, integration, etc.)

@exploreriii exploreriii added the p0 Critical, blocking, must fix immediately label Dec 11, 2025
@exploreriii
Copy link
Contributor

exploreriii commented Dec 11, 2025

@Akshat8510 for reference

@exploreriii
Copy link
Contributor

exploreriii commented Dec 11, 2025

@manishdait please rebase

emiliyank
emiliyank approved these changes Dec 11, 2025
View reviewed changes
Copy link
Contributor

@emiliyank emiliyank left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I managed to run the integration tests locally against testnet and with this fix they work fine.

@manishdait manishdait force-pushed the fix/ip-node-tls-failure branch from fbea200 to 91eac51 Compare December 12, 2025 00:40
exploreriii
exploreriii reviewed Dec 12, 2025
View reviewed changes
@manishdait
fix: tls mismatch and certificate verification failure.
ed187bd 
Signed-off-by: Manish Dait <daitmanish88@gmail.com>
@manishdait
chore: update CHANGELOG.md
5439b22 
Signed-off-by: Manish Dait <daitmanish88@gmail.com>
@manishdait
chore: remove semicolon
617ae65 
Signed-off-by: Manish Dait <daitmanish88@gmail.com>
@manishdait
chore: raise error when address_book is none on fetch_certificate
e1c3bb3 
Signed-off-by: Manish Dait <daitmanish88@gmail.com>
@manishdait manishdait force-pushed the fix/ip-node-tls-failure branch from 91eac51 to e1c3bb3 Compare December 13, 2025 14:52
exploreriii
exploreriii reviewed Dec 13, 2025
View reviewed changes
src/hiero_sdk_python/node.py
return None
return [('grpc.ssl_target_name_override', self._authority_override)]
options = [
("grpc.default_authority", "127.0.0.1"),
Copy link
Contributor

@exploreriii exploreriii Dec 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it necessary to set this to loca host ? Can we set a=a to something non existent ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@exploreriii exploreriii exploreriii left review comments

+1 more reviewer

@emiliyank emiliyank emiliyank approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

p0 Critical, blocking, must fix immediately

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

TLS Hostname Mismatch & Certificate Verification Failure for Nodes

3 participants

@manishdait @exploreriii @emiliyank