From b4d91956b4092d148f1544c29632f15ae8a922bf Mon Sep 17 00:00:00 2001
From: emuellen <161739836+emuellen@users.noreply.github.com>
Date: Wed, 8 Jan 2025 00:58:11 -0800
Subject: [PATCH] feat(tls): Add support for rustls ignore_client_order (#2042)
* Add support for rustls ignore_client_order
* Add support for rustls ignore_client_order
* Remove line indiciating more specific use cases for client order disabling
---------
Co-authored-by: tottoto
---
 tonic/src/transport/server/service/tls.rs | 2 ++
 tonic/src/transport/server/tls.rs | 14 ++++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/tonic/src/transport/server/service/tls.rs b/tonic/src/transport/server/service/tls.rs
index 395d5132b..874be03c9 100644
--- a/tonic/src/transport/server/service/tls.rs
+++ b/tonic/src/transport/server/service/tls.rs
@@ -22,6 +22,7 @@ impl TlsAcceptor {
 identity: Identity,
 client_ca_root: Option,
 client_auth_optional: bool,
+ ignore_client_order: bool,
 ) -> Result {
 let builder = ServerConfig::builder();
@@ -42,6 +43,7 @@ impl TlsAcceptor {
 let (cert, key) = convert_identity_to_pki_types(&identity)?;
 let mut config = builder.with_single_cert(cert, key)?;
+ config.ignore_client_order = ignore_client_order;
 config.alpn_protocols.push(ALPN_H2.into());
 Ok(Self {
diff --git a/tonic/src/transport/server/tls.rs b/tonic/src/transport/server/tls.rs
index 331df8d31..4ed7d7360 100644
--- a/tonic/src/transport/server/tls.rs
+++ b/tonic/src/transport/server/tls.rs
@@ -9,6 +9,7 @@ pub struct ServerTlsConfig {
 identity: Option,
 client_ca_root: Option,
 client_auth_optional: bool,
+ ignore_client_order: bool,
 }
 impl fmt::Debug for ServerTlsConfig {
@@ -24,6 +25,7 @@ impl ServerTlsConfig {
 identity: None,
 client_ca_root: None,
 client_auth_optional: false,
+ ignore_client_order: false,
 }
 }
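Review bot: The new `ignore_client_order` field is added to `ServerTlsConfig`, but the hand-written `impl fmt::Debug for ServerTlsConfig` that begins on the hunk's last line (its body is outside the hunk) is not touched by this patch. If that impl enumerates the other fields, the new flag should be reported as well so the effective TLS negotiation posture shows up in logs and debug output, e.g. `.field("ignore_client_order", &self.ignore_client_order)`; if it only prints the type name, nothing is needed. The `Option` types on the context lines appear without their type parameters, which looks like the `<…>` generics being stripped by markup rather than anything the patch changes.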
@@ -56,11 +58,23 @@ impl ServerTlsConfig {
 }
 }
+ /// Sets whether the server's cipher preferences are followed instead of the client's.
+ ///
+ /// # Default
+ /// By default, this option is set to `false`.
+ pub fn ignore_client_order(self, ignore_client_order: bool) -> Self {
+ ServerTlsConfig {
+ ignore_client_order,
+ ..self
+ }
+ }
+
 pub(crate) fn tls_acceptor(&self) -> Result {
 TlsAcceptor::new(
 self.identity.clone().unwrap(),
 self.client_ca_root.clone(),
 self.client_auth_optional,
+ self.ignore_client_order,
 )
 }
 }
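Review bot: The doc comment on the new `ignore_client_order` builder method says whose preferences win but not what is being preferred or why an operator would turn it on; as rustls documents `ServerConfig::ignore_client_order`, the server then picks its own highest-ranked cipher suite that the client also supports instead of the client's first choice. I would extend the doc to state that and the security motivation, roughly `/// When enabled, the server selects its own highest-ranked cipher suite that the client also supports instead of honouring the client's ordering. This is the usual hardening choice: a client cannot steer negotiation toward the weakest suite the server still offers.` The suite order being enforced is the one in the `ServerConfig` built in `service/tls.rs`, which as far as these hunks show comes from `ServerConfig::builder()` defaults and is not settable through `ServerTlsConfig`, so the doc should not imply a caller-controlled ordering. The enclosing `impl ServerTlsConfig` block starts before this hunk.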