From 27287ead40976d44667ba7cff8de147b13787b5a Mon Sep 17 00:00:00 2001
From: Abdullah Alyan
Date: Wed, 27 Mar 2024 12:12:15 +0300
Subject: [PATCH] wip: fix ciphersuites
---
 core/lib/src/listener/tls.rs | 5 +----
 core/lib/src/tls/util.rs | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/core/lib/src/listener/tls.rs b/core/lib/src/listener/tls.rs
index c413c50401..0b7355a7e7 100644
--- a/core/lib/src/listener/tls.rs
+++ b/core/lib/src/listener/tls.rs
@@ -29,10 +29,7 @@ pub struct TlsBindable {
 impl TlsConfig {
 pub(crate) fn server_config(&self) -> Result {
- let provider = rustls::crypto::CryptoProvider {
- cipher_suites: self.ciphers().map(|c| c.into()).collect(),
- ..default_crypto_provider()
- };
+ let provider = default_crypto_provider(Some(self.ciphers().collect()));
 #[cfg(feature = "mtls")]
 let verifier = match self.mutual {
diff --git a/core/lib/src/tls/util.rs b/core/lib/src/tls/util.rs
index b21298215a..a519944064 100644
--- a/core/lib/src/tls/util.rs
+++ b/core/lib/src/tls/util.rs
@@ -5,6 +5,7 @@ use rustls::crypto::CryptoProvider;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 use crate::tls::error::{Result, Error, KeyError};
+use crate::tls::CipherSuite;
 /// Loads certificates from `reader`.
 pub fn load_cert_chain(reader: &mut dyn io::BufRead) -> Result>> {
@@ -34,7 +35,7 @@ pub fn load_key(reader: &mut dyn io::BufRead) -> Result>
 // Ensure we can use the key.
 let key = keys.remove(0);
- default_crypto_provider()
+ default_crypto_provider(None)
 .key_provider
 .load_private_key(key.clone_key())
 .map_err(KeyError::Unsupported)?;
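Review bot: With the added line `let provider = default_crypto_provider(Some(self.ciphers().collect()));`, the suites from `self.ciphers()` are no longer guaranteed to reach the resulting `ServerConfig`: the new `default_crypto_provider` (second hunk of `core/lib/src/tls/util.rs`, in the next chunk) consults `ring_cipher_suites` only inside the `unwrap_or_else` fallback closure, so whenever `CryptoProvider::get_default()` returns an installed process-wide provider the `Some(...)` list is silently discarded and that provider's full suite list is used instead. The removed lines applied the override by struct update regardless of which provider was the base, so this is a regression of the configured cipher allowlist, which is the TLS-hardening control this config exposes. The fix belongs in `default_crypto_provider`: resolve the base provider first, then apply the override with `..base`, as sketched below. The parameter name `ring_cipher_suites` also suggests the `Into` conversion yields ring-backed suites; if so, layering them onto a non-ring installed provider needs its own guard or at least a comment, which I cannot confirm from this diff. `server_config` continues past the end of this hunk.
```rust
// … unchanged: fn default_crypto_provider signature …
    let base = rustls::crypto::CryptoProvider::get_default()
        .map(|arc| (**arc).clone())
        .unwrap_or_else(rustls::crypto::ring::default_provider);

    // Apply the configured allowlist to whichever provider was selected above,
    // so an installed process-default provider cannot bypass it.
    match ring_cipher_suites {
        Some(suites) => rustls::crypto::CryptoProvider {
            cipher_suites: suites.into_iter().map(|c| c.into()).collect(),
            ..base
        },
        None => base,
    }
```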
@@ -52,10 +53,19 @@ pub fn load_ca_certs(reader: &mut dyn io::BufRead) -> Result {
 Ok(roots)
 }
-pub fn default_crypto_provider() -> CryptoProvider {
+pub fn default_crypto_provider(ring_cipher_suites: Option>) -> CryptoProvider {
 rustls::crypto::CryptoProvider::get_default()
 .map(|arc| (**arc).clone())
- .unwrap_or_else(rustls::crypto::ring::default_provider)
+ .unwrap_or_else(|| {
+ if let Some(ring_cipher_suites) = ring_cipher_suites {
+ rustls::crypto::CryptoProvider {
+ cipher_suites: ring_cipher_suites.into_iter().map(|c| c.into()).collect(),
+ ..rustls::crypto::ring::default_provider()
+ }
+ } else {
+ rustls::crypto::ring::default_provider()
+ }
+ })
 }
 #[cfg(test)]
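Review bot: The added `pub fn default_crypto_provider(ring_cipher_suites: ...)` signature carries no doc comment, although it is public and sits beside the `///`-documented `load_cert_chain` and `load_key`, and its contract is not obvious from the body: an installed process-default provider wins outright, and `ring_cipher_suites` is only consulted on the ring fallback inside `unwrap_or_else`. Whichever precedence is intended, state it on the function, e.g. `/// Returns the process-default [`CryptoProvider`] if one is installed, otherwise ring's; `ring_cipher_suites`, when given, replaces the cipher suites of the ring fallback only.` If the override is meant to apply to an installed provider as well, the doc should say that instead and the code be adjusted to match. The `ring_` prefix on a parameter of a function whose first branch may return a non-ring provider is worth a sentence in the same comment.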