From fcf5f6317e8e912e7d05bb01a7ba34654ba46ec3 Mon Sep 17 00:00:00 2001
From: Eric Muellenbach
Date: Fri, 8 Nov 2024 11:05:20 -0800
Subject: [PATCH 1/3] Add support for rustls ignore_client_order

---
 tonic/src/transport/server/service/tls.rs | 2 ++
 tonic/src/transport/server/tls.rs | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/tonic/src/transport/server/service/tls.rs b/tonic/src/transport/server/service/tls.rs
index 395d5132b..874be03c9 100644
--- a/tonic/src/transport/server/service/tls.rs
+++ b/tonic/src/transport/server/service/tls.rs
@@ -22,6 +22,7 @@ impl TlsAcceptor {
 identity: Identity,
 client_ca_root: Option,
 client_auth_optional: bool,
+ ignore_client_order: bool,
 ) -> Result {
 let builder = ServerConfig::builder();
@@ -42,6 +43,7 @@ impl TlsAcceptor {
 let (cert, key) = convert_identity_to_pki_types(&identity)?;
 let mut config = builder.with_single_cert(cert, key)?;
+ config.ignore_client_order = ignore_client_order;
 config.alpn_protocols.push(ALPN_H2.into());
 Ok(Self {
diff --git a/tonic/src/transport/server/tls.rs b/tonic/src/transport/server/tls.rs
index 331df8d31..fedc866d0 100644
--- a/tonic/src/transport/server/tls.rs
+++ b/tonic/src/transport/server/tls.rs
@@ -9,6 +9,7 @@ pub struct ServerTlsConfig {
 identity: Option,
 client_ca_root: Option,
 client_auth_optional: bool,
+ ignore_client_order: bool,
 }
 impl fmt::Debug for ServerTlsConfig {
@@ -24,6 +25,7 @@ impl ServerTlsConfig {
 identity: None,
 client_ca_root: None,
 client_auth_optional: false,
+ ignore_client_order: false,
 }
 }
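Review bot: `TlsAcceptor::new` now takes two adjacent positional `bool`s, `client_auth_optional` followed by `ignore_client_order`, so a caller that transposes them still compiles and silently makes client auth optional while leaving the cipher order alone; the one visible call site in `ServerTlsConfig::tls_acceptor` passes both positionally. At minimum pin the meaning at the definition with a doc line above the new parameter, `/// When true, the server's cipher-suite preference order wins over the client's (rustls `ServerConfig::ignore_client_order`).`. A small options struct or setter-style methods on `TlsAcceptor` would remove the ordering hazard entirely, but that is a larger change than this patch needs. The body of `new` continues past the hunk.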
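Review bot: The hand-written `impl fmt::Debug for ServerTlsConfig` that begins on the hunk's last context line is not touched by this series, so if it enumerates fields explicitly the new `ignore_client_order` will be absent from any logged config; its body lies outside the hunk, so this is inferred from the struct having a manual impl rather than a derive. If the impl goes through `debug_struct`, add `.field("ignore_client_order", &self.ignore_client_order)` alongside whatever entry it has for `client_auth_optional`, so an operator can confirm the setting took effect. The new field also has no doc comment; `/// Prefer the server's cipher-suite order over the client's (rustls `ServerConfig::ignore_client_order`).` would tell a reader what it maps to without opening the acceptor code.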
@@ -56,11 +58,26 @@ impl ServerTlsConfig {
 }
 }
+ /// Sets whether the server's cipher preferences are followed instead of the client's.
+ /// It prevents attacks such as POODLE
+ ///
+ /// This option has effect only if CA certificate is set.
+ ///
+ /// # Default
+ /// By default, this option is set to `false`.
+ pub fn ignore_client_order(self, ignore_client_order: bool) -> Self {
+ ServerTlsConfig {
+ ignore_client_order,
+ ..self
+ }
+ }
+
 pub(crate) fn tls_acceptor(&self) -> Result {
 TlsAcceptor::new(
 self.identity.clone().unwrap(),
 self.client_ca_root.clone(),
 self.client_auth_optional,
+ self.ignore_client_order,
 )
 }
 }

From fb720ea1ee8e833687f24bf606ff5346a275c7e3 Mon Sep 17 00:00:00 2001
From: Eric Muellenbach
Date: Fri, 8 Nov 2024 11:17:54 -0800
Subject: [PATCH 2/3] Add support for rustls ignore_client_order

---
 tonic/src/transport/server/tls.rs | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tonic/src/transport/server/tls.rs b/tonic/src/transport/server/tls.rs
index fedc866d0..c00fe995b 100644
--- a/tonic/src/transport/server/tls.rs
+++ b/tonic/src/transport/server/tls.rs
@@ -61,8 +61,6 @@ impl ServerTlsConfig {
 /// Sets whether the server's cipher preferences are followed instead of the client's.
 /// It prevents attacks such as POODLE
 ///
- /// This option has effect only if CA certificate is set.
- ///
 /// # Default
 /// By default, this option is set to `false`.
 pub fn ignore_client_order(self, ignore_client_order: bool) -> Self {

From 1f9b6cf04ea6387c0038df34cd98792b4a40a0b8 Mon Sep 17 00:00:00 2001
From: emuellen <161739836+emuellen@users.noreply.github.com>
Date: Tue, 7 Jan 2025 16:15:27 -0800
Subject: [PATCH 3/3] Remove line indiciating more specific use cases for client order disabling

---
 tonic/src/transport/server/tls.rs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tonic/src/transport/server/tls.rs b/tonic/src/transport/server/tls.rs
index c00fe995b..4ed7d7360 100644
--- a/tonic/src/transport/server/tls.rs
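Review bot: The doc on `ignore_client_order` says the server's cipher preferences are followed but never says what that changes, and nothing in `ServerTlsConfig` exposes a server-side suite list, so as far as the visible code shows the "server preferences" are simply the ordering `ServerConfig::builder()` defaults to. Per the rustls documentation for this field the flag only decides which of the suites both peers support gets picked; it does not refuse anything the client offers, so a reader must not mistake it for a hardening switch that disables weak suites. I would replace the first doc line with `/// Sets whether the server's cipher-suite preference order, rather than the client's, is used when rustls picks a mutually supported suite.` and add `/// This changes which suite is negotiated, not which suites are accepted; the server-side order is the rustls default list this config builds with.` before the `# Default` section. The POODLE and CA-certificate sentences are already removed by 2/3 and 3/3, so no further change is needed there.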
+++ b/tonic/src/transport/server/tls.rs
@@ -59,7 +59,6 @@ impl ServerTlsConfig {
 }
 /// Sets whether the server's cipher preferences are followed instead of the client's.
- /// It prevents attacks such as POODLE
 ///
 /// # Default
 /// By default, this option is set to `false`.