fix(stackable-webhook): Explicitly set the TLS provider for the ServerConfig, and enable "safe" protocols (#778)

NickLarsenNZ · web-flow · commit f2f1b6bf52ea · 2024-05-24T07:50:44.000Z
* fix(stackable-webhook): rustls now requires a global provider to be set, or explicity pass in via the server/client config.

Normally this would be set by the application, and not in a library, however this library is to remove so much boiler plate from our applications.

* docs(stackable-webhook): update changelog

* chore(stackable-webhook): explicitly set accepted TLS protocol versions
diff --git a/crates/stackable-webhook/CHANGELOG.md b/crates/stackable-webhook/CHANGELOG.md
@@ -21,11 +21,16 @@ All notable changes to this project will be documented in this file.
 - Bump GitHub workflow actions ([#772]).
 - Revert `zeroize` version bump ([#772]).
 
+### Fixed
+
+- Explicitly set the TLS provider for the ServerConfig, and enable "safe" protocols ([#778]).
+
 [#758]: https://github.com/stackabletech/operator-rs/pull/758
 [#762]: https://github.com/stackabletech/operator-rs/pull/762
 [#767]: https://github.com/stackabletech/operator-rs/pull/767
 [#769]: https://github.com/stackabletech/operator-rs/pull/769
 [#772]: https://github.com/stackabletech/operator-rs/pull/772
+[#778]: https://github.com/stackabletech/operator-rs/pull/778
 [#782]: https://github.com/stackabletech/operator-rs/pull/782
 
 ## [0.2.0] - 2024-03-26
diff --git a/crates/stackable-webhook/src/tls.rs b/crates/stackable-webhook/src/tls.rs
@@ -10,7 +10,14 @@ use snafu::{ResultExt, Snafu};
 use stackable_certs::{ca::CertificateAuthority, keys::rsa, CertificatePairError};
 use stackable_operator::time::Duration;
 use tokio::net::TcpListener;
-use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
+use tokio_rustls::{
+    rustls::{
+        crypto::aws_lc_rs::default_provider,
+        version::{TLS12, TLS13},
+        ServerConfig,
+    },
+    TlsAcceptor,
+};
 use tower::Service;
 use tracing::{instrument, trace, warn};
 
@@ -44,6 +51,9 @@ pub enum Error {
     EncodePrivateKeyDer {
         source: CertificatePairError<rsa::Error>,
     },
+
+    #[snafu(display("failed to set safe TLS protocol versions"))]
+    SetSafeTlsProtocolVersions { source: tokio_rustls::rustls::Error },
 }
 
 /// Custom implementation of [`std::cmp::PartialEq`] because some inner types
@@ -97,7 +107,10 @@ impl TlsServer {
             .private_key_der()
             .context(EncodePrivateKeyDerSnafu)?;
 
-        let mut config = ServerConfig::builder()
+        let tls_provider = default_provider();
+        let mut config = ServerConfig::builder_with_provider(tls_provider.into())
+            .with_protocol_versions(&[&TLS12, &TLS13])
+            .context(SetSafeTlsProtocolVersionsSnafu)?
             .with_no_client_auth()
             .with_single_cert(vec![certificate_der], private_key_der)
             .context(InvalidTlsPrivateKeySnafu)?;
