feat(tls): Add support for rustls ignore_client_order (#2042)

* Add support for rustls ignore_client_order * Add support for rustls ignore_client_order * Remove line indiciating more specific use cases for client order disabling --------- Co-authored-by: tottoto <[email protected]>
hyperium · Jan 8, 2025 · b4d9195 · b4d9195
1 parent 79a06cc
commit b4d9195
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/tonic/src/transport/server/service/tls.rs b/tonic/src/transport/server/service/tls.rs
@@ -22,6 +22,7 @@ impl TlsAcceptor {
         identity: Identity,
         client_ca_root: Option<Certificate>,
         client_auth_optional: bool,
+        ignore_client_order: bool,
     ) -> Result<Self, crate::BoxError> {
         let builder = ServerConfig::builder();
 
@@ -42,6 +43,7 @@ impl TlsAcceptor {
 
         let (cert, key) = convert_identity_to_pki_types(&identity)?;
         let mut config = builder.with_single_cert(cert, key)?;
+        config.ignore_client_order = ignore_client_order;
 
         config.alpn_protocols.push(ALPN_H2.into());
         Ok(Self {

diff --git a/tonic/src/transport/server/tls.rs b/tonic/src/transport/server/tls.rs
@@ -9,6 +9,7 @@ pub struct ServerTlsConfig {
     identity: Option<Identity>,
     client_ca_root: Option<Certificate>,
     client_auth_optional: bool,
+    ignore_client_order: bool,
 }
 
 impl fmt::Debug for ServerTlsConfig {
@@ -24,6 +25,7 @@ impl ServerTlsConfig {
             identity: None,
             client_ca_root: None,
             client_auth_optional: false,
+            ignore_client_order: false,
         }
     }
 
@@ -56,11 +58,23 @@ impl ServerTlsConfig {
         }
     }
 
+    /// Sets whether the server's cipher preferences are followed instead of the client's.
+    ///
+    /// # Default
+    /// By default, this option is set to `false`.
+    pub fn ignore_client_order(self, ignore_client_order: bool) -> Self {
+        ServerTlsConfig {
+            ignore_client_order,
+            ..self
+        }
+    }
+
     pub(crate) fn tls_acceptor(&self) -> Result<TlsAcceptor, crate::BoxError> {
         TlsAcceptor::new(
             self.identity.clone().unwrap(),
             self.client_ca_root.clone(),
             self.client_auth_optional,
+            self.ignore_client_order,
         )
     }
 }