wip: fix ciphersuites

rwf2 · Mar 27, 2024 · 27287ea · 27287ea
1 parent eefeaba
commit 27287ea
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/core/lib/src/listener/tls.rs b/core/lib/src/listener/tls.rs
@@ -29,10 +29,7 @@ pub struct TlsBindable<I> {
 
 impl TlsConfig {
     pub(crate) fn server_config(&self) -> Result<ServerConfig, Error> {
-        let provider = rustls::crypto::CryptoProvider {
-            cipher_suites: self.ciphers().map(|c| c.into()).collect(),
-            ..default_crypto_provider()
-        };
+        let provider = default_crypto_provider(Some(self.ciphers().collect()));
 
         #[cfg(feature = "mtls")]
         let verifier = match self.mutual {

diff --git a/core/lib/src/tls/util.rs b/core/lib/src/tls/util.rs
@@ -5,6 +5,7 @@ use rustls::crypto::CryptoProvider;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 
 use crate::tls::error::{Result, Error, KeyError};
+use crate::tls::CipherSuite;
 
 /// Loads certificates from `reader`.
 pub fn load_cert_chain(reader: &mut dyn io::BufRead) -> Result<Vec<CertificateDer<'static>>> {
@@ -34,7 +35,7 @@ pub fn load_key(reader: &mut dyn io::BufRead) -> Result<PrivateKeyDer<'static>>
 
     // Ensure we can use the key.
     let key = keys.remove(0);
-    default_crypto_provider()
+    default_crypto_provider(None)
         .key_provider
         .load_private_key(key.clone_key())
         .map_err(KeyError::Unsupported)?;
@@ -52,10 +53,19 @@ pub fn load_ca_certs(reader: &mut dyn io::BufRead) -> Result<RootCertStore> {
     Ok(roots)
 }
 
-pub fn default_crypto_provider() -> CryptoProvider {
+pub fn default_crypto_provider(ring_cipher_suites: Option<Vec<CipherSuite>>) -> CryptoProvider {
     rustls::crypto::CryptoProvider::get_default()
         .map(|arc| (**arc).clone())
-        .unwrap_or_else(rustls::crypto::ring::default_provider)
+        .unwrap_or_else(|| {
+            if let Some(ring_cipher_suites) = ring_cipher_suites {
+                rustls::crypto::CryptoProvider {
+                    cipher_suites: ring_cipher_suites.into_iter().map(|c| c.into()).collect(),
+                    ..rustls::crypto::ring::default_provider()
+                }
+            } else {
+                rustls::crypto::ring::default_provider()
+            }
+        })
 }
 
 #[cfg(test)]