feat(tls): Add support for rustls ignore_client_order (#2042)

emuellen · tottoto · web-flow · commit b4d91956b409 · 2025-01-08T08:58:11.000Z
* Add support for rustls ignore_client_order

* Add support for rustls ignore_client_order

* Remove line indiciating more specific use cases for client order disabling

---------

Co-authored-by: tottoto &lt;tottotodev@gmail.com&gt;
diff --git a/tonic/src/transport/server/service/tls.rs b/tonic/src/transport/server/service/tls.rs
@@ -22,6 +22,7 @@ impl TlsAcceptor {
         identity: Identity,
         client_ca_root: Option<Certificate>,
         client_auth_optional: bool,
+        ignore_client_order: bool,
     ) -> Result<Self, crate::BoxError> {
         let builder = ServerConfig::builder();
 
@@ -42,6 +43,7 @@ impl TlsAcceptor {
 
         let (cert, key) = convert_identity_to_pki_types(&identity)?;
         let mut config = builder.with_single_cert(cert, key)?;
+        config.ignore_client_order = ignore_client_order;
 
         config.alpn_protocols.push(ALPN_H2.into());
         Ok(Self {
diff --git a/tonic/src/transport/server/tls.rs b/tonic/src/transport/server/tls.rs
@@ -9,6 +9,7 @@ pub struct ServerTlsConfig {
     identity: Option<Identity>,
     client_ca_root: Option<Certificate>,
     client_auth_optional: bool,
+    ignore_client_order: bool,
 }
 
 impl fmt::Debug for ServerTlsConfig {
@@ -24,6 +25,7 @@ impl ServerTlsConfig {
             identity: None,
             client_ca_root: None,
             client_auth_optional: false,
+            ignore_client_order: false,
         }
     }
 
@@ -56,11 +58,23 @@ impl ServerTlsConfig {
         }
     }
 
+    /// Sets whether the server's cipher preferences are followed instead of the client's.
+    ///
+    /// # Default
+    /// By default, this option is set to `false`.
+    pub fn ignore_client_order(self, ignore_client_order: bool) -> Self {
+        ServerTlsConfig {
+            ignore_client_order,
+            ..self
+        }
+    }
+
     pub(crate) fn tls_acceptor(&self) -> Result<TlsAcceptor, crate::BoxError> {
         TlsAcceptor::new(
             self.identity.clone().unwrap(),
             self.client_ca_root.clone(),
             self.client_auth_optional,
+            self.ignore_client_order,
         )
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ pub struct ServerTlsConfig {`
`9`	`9`	`identity: Option<Identity>,`
`10`	`10`	`client_ca_root: Option<Certificate>,`
`11`	`11`	`client_auth_optional: bool,`
	`12`	`+ ignore_client_order: bool,`
`12`	`13`	`}`
`13`	`14`
`14`	`15`	`impl fmt::Debug for ServerTlsConfig {`
`@@ -24,6 +25,7 @@ impl ServerTlsConfig {`
`24`	`25`	`identity: None,`
`25`	`26`	`client_ca_root: None,`
`26`	`27`	`client_auth_optional: false,`
	`28`	`+ ignore_client_order: false,`
`27`	`29`	`}`
`28`	`30`	`}`
`29`	`31`
`@@ -56,11 +58,23 @@ impl ServerTlsConfig {`
`56`	`58`	`}`
`57`	`59`	`}`
`58`	`60`
	`61`	`+ /// Sets whether the server's cipher preferences are followed instead of the client's.`
	`62`	`+ ///`
	`63`	`+ /// # Default`
	`64`	+ /// By default, this option is set to `false`.
	`65`	`+ pub fn ignore_client_order(self, ignore_client_order: bool) -> Self {`
	`66`	`+ ServerTlsConfig {`
	`67`	`+ ignore_client_order,`
	`68`	`+ ..self`
	`69`	`+ }`
	`70`	`+ }`
	`71`	`+`
`59`	`72`	`pub(crate) fn tls_acceptor(&self) -> Result<TlsAcceptor, crate::BoxError> {`
`60`	`73`	`TlsAcceptor::new(`
`61`	`74`	`self.identity.clone().unwrap(),`
`62`	`75`	`self.client_ca_root.clone(),`
`63`	`76`	`self.client_auth_optional,`
	`77`	`+ self.ignore_client_order,`
`64`	`78`	`)`
`65`	`79`	`}`
`66`	`80`	`}`