From ab05df5123d3bd3a1c1c45feb4c72bbf7f8cee78 Mon Sep 17 00:00:00 2001
From: Alessandro Bono
Date: Tue, 17 Aug 2021 17:21:21 +0200
Subject: [PATCH] server,tls: Make TLS ciphersuites configurable

Let the users specify what ciphersuites to use.
---
src/server.rs | 9 +++++++++
src/tls.rs | 13 +++++++++++--
2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/server.rs b/src/server.rs
index ef0103d13..1dfc0cbc6 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -12,6 +12,8 @@ use hyper::server::conn::AddrIncoming;
use hyper::service::{make_service_fn, service_fn};
use hyper::Server as HyperServer;
use tokio::io::{AsyncRead, AsyncWrite};
+#[cfg(feature = "tls")]
+use tokio_rustls::rustls::SupportedCipherSuite;
use tracing::Instrument;
use crate::filter::Filter;
@@ -490,6 +492,13 @@ where
self.with_tls(|tls| tls.ocsp_resp(resp.as_ref()))
}
+ /// Specify the ciphersuites to use in preference order.
+ ///
+ /// *This function requires the `"tls"` feature.*
+ pub fn ciphersuites(self, ciphersuites: impl AsRef<[&'static SupportedCipherSuite]>) -> Self {
+ self.with_tls(|tls| tls.ciphersuites(ciphersuites.as_ref()))
+ }
+
fn with_tls(self, func: Func) -> Self
where
Func: FnOnce(TlsConfigBuilder) -> TlsConfigBuilder,
diff --git a/src/tls.rs b/src/tls.rs
index 44cb7c13c..8feade641 100644
--- a/src/tls.rs
+++ b/src/tls.rs
@@ -15,7 +15,7 @@ use hyper::server::conn::{AddrIncoming, AddrStream};
use crate::transport::Transport;
use tokio_rustls::rustls::{
AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, NoClientAuth,
- RootCertStore, ServerConfig, TLSError,
+ RootCertStore, ServerConfig, SupportedCipherSuite, TLSError, ALL_CIPHERSUITES,
};
/// Represents errors that can occur building the TlsConfig
@@ -65,6 +65,7 @@ pub(crate) struct TlsConfigBuilder {
key: Box,
client_auth: TlsClientAuth,
ocsp_resp: Vec,
+ ciphersuites: Vec<&'static SupportedCipherSuite>,
}
impl std::fmt::Debug for TlsConfigBuilder {
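Review bot: The doc comment on the new public `ciphersuites` method says the list is used "in preference order", but as far as I recall rustls's `ServerConfig` negotiates in the client's order unless its `ignore_client_order` flag is set, and nothing in this patch sets it, so the list behaves as an allow-list of permitted suites rather than a server-side preference. Either document that honestly, e.g. `/// Restrict the ciphersuites the server will negotiate; the client's preference order is used.`, or set `config.ignore_client_order = true;` where the `ServerConfig` is built in src/tls.rs so the documented order actually applies. The same "preference order" wording is repeated on the `pub(crate) fn ciphersuites` setter in src/tls.rs. The enclosing impl block starts and ends outside this hunk.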
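Review bot: The new `ciphersuites` field is added to `TlsConfigBuilder`, but the hand-written `impl std::fmt::Debug for TlsConfigBuilder` that begins on the hunk's last line is not touched; if that impl enumerates fields explicitly (its body is outside the hunk), the configured suite list will be missing from any debug or log rendering of the builder, which is precisely the setting an operator wants visible when auditing a TLS configuration. Add the field to the `Debug` output next to `client_auth` and `ocsp_resp`, for example `.field("ciphersuites", &self.ciphersuites)` if the impl uses `debug_struct`.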
@@ -81,6 +82,7 @@ impl TlsConfigBuilder {
cert: Box::new(io::empty()),
client_auth: TlsClientAuth::Off,
ocsp_resp: Vec::new(),
+ ciphersuites: ALL_CIPHERSUITES.to_vec(),
}
}
@@ -166,6 +168,12 @@ impl TlsConfigBuilder {
self
}
+ /// sets the ciphersuites in preference order
+ pub(crate) fn ciphersuites(mut self, ciphersuites: &[&'static SupportedCipherSuite]) -> Self {
+ self.ciphersuites = Vec::from(ciphersuites);
+ self
+ }
+
pub(crate) fn build(mut self) -> Result {
let mut cert_rdr = BufReader::new(self.cert);
let cert = tokio_rustls::rustls::internal::pemfile::certs(&mut cert_rdr)
@@ -225,7 +233,8 @@ impl TlsConfigBuilder {
}
};
- let mut config = ServerConfig::new(client_auth);
+ let ciphersuites = self.ciphersuites.as_ref();
+ let mut config = ServerConfig::with_ciphersuites(client_auth, ciphersuites);
config
.set_single_cert_with_ocsp_and_sct(cert, key, self.ocsp_resp, Vec::new())
.map_err(|err| TlsConfigError::InvalidKey(err))?;
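Review bot: `ServerConfig::with_ciphersuites` is handed `self.ciphersuites` without checking that it is non-empty, and the public setter accepts any slice, so a caller who passes an empty (or fully filtered) list gets a server that, as far as I can tell from rustls, fails every handshake for lack of a common suite instead of a configuration error at build time. Validate before the call and fail `build()` early, e.g. `if self.ciphersuites.is_empty() { return Err(/* dedicated TlsConfigError variant for an empty suite list */); }` — the variants visible here (`InvalidKey`) are about certificate material, so a new one is needed. `build` begins before this hunk. As a style point, `&self.ciphersuites` or `self.ciphersuites.as_slice()` would be clearer than `.as_ref()`, which leaves the target type to inference from the callee's signature.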