From a4317025a9533be6eac39831cb3aebb5e1456c9f Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Tue, 7 May 2024 16:22:44 +0200
Subject: [PATCH 1/3] fix(stackable-webhook): rustls now requires a global provider to be set, or explicity pass in via the server/client config.

Normally this would be set by the application, and not in a library, however this library is to remove so much boiler plate from our applications.
---
 crates/stackable-webhook/src/tls.rs | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/crates/stackable-webhook/src/tls.rs b/crates/stackable-webhook/src/tls.rs
index b56282549..0df1b625d 100644
--- a/crates/stackable-webhook/src/tls.rs
+++ b/crates/stackable-webhook/src/tls.rs
@@ -10,7 +10,10 @@ use snafu::{ResultExt, Snafu};
 use stackable_certs::{ca::CertificateAuthority, keys::rsa, CertificatePairError};
 use stackable_operator::time::Duration;
 use tokio::net::TcpListener;
-use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
+use tokio_rustls::{
+ rustls::{crypto::aws_lc_rs::default_provider, ServerConfig},
+ TlsAcceptor,
+};
 use tower::Service;
 use tracing::{instrument, trace, warn};
@@ -44,6 +47,9 @@ pub enum Error {
 EncodePrivateKeyDer {
 source: CertificatePairError,
 },
+
+ #[snafu(display("failed to set safe TLS protocol versions"))]
+ SetSafeTlsProtocolVersions { source: tokio_rustls::rustls::Error },
 }
 /// Custom implementation of [`std::cmp::PartialEq`] because some inner types
@@ -97,7 +103,10 @@ impl TlsServer {
 .private_key_der()
 .context(EncodePrivateKeyDerSnafu)?;
- let mut config = ServerConfig::builder()
+ let tls_provider = default_provider();
+ let mut config = ServerConfig::builder_with_provider(tls_provider.into())
+ .with_safe_default_protocol_versions()
+ .context(SetSafeTlsProtocolVersionsSnafu)?
 .with_no_client_auth()
 .with_single_cert(vec![certificate_der], private_key_der)
 .context(InvalidTlsPrivateKeySnafu)?;
From 9a38bceb132e78fd8e016990976070bb0512c38f Mon Sep 17 00:00:00 2001
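Review bot: `ServerConfig::builder_with_provider(tls_provider.into())` in the `impl TlsServer` hunk scopes the aws-lc-rs provider to this one config and does not install a process-wide default, so any other rustls `ClientConfig` or `ServerConfig` built with the plain `builder()` elsewhere in the same application still hits the missing-global-provider failure the commit message describes. If the intent is for this crate to absorb that setup for applications, installing the process default once, e.g. `let _ = default_provider().install_default();` (the `Err` case, as far as I recall, only means a provider was already installed), next to the explicit builder call would cover both paths; otherwise a doc comment on `TlsServer` should state that only this server's own config carries the provider. The method this builder chain belongs to starts and ends outside the hunk.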
From: Nick Larsen
Date: Tue, 7 May 2024 16:26:37 +0200
Subject: [PATCH 2/3] docs(stackable-webhook): update changelog
---
 crates/stackable-webhook/CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/crates/stackable-webhook/CHANGELOG.md b/crates/stackable-webhook/CHANGELOG.md
index e360e59d2..cf5f58c3b 100644
--- a/crates/stackable-webhook/CHANGELOG.md
+++ b/crates/stackable-webhook/CHANGELOG.md
@@ -18,11 +18,16 @@ All notable changes to this project will be documented in this file.
 - Bump GitHub workflow actions ([#772]).
 - Revert `zeroize` version bump ([#772]).
+### Fixed
+
+- Explicitly set the TLS provider for the ServerConfig, and enable "safe" protocols ([#778]).
+
 [#758]: https://github.com/stackabletech/operator-rs/pull/758
 [#762]: https://github.com/stackabletech/operator-rs/pull/762
 [#767]: https://github.com/stackabletech/operator-rs/pull/767
 [#769]: https://github.com/stackabletech/operator-rs/pull/769
 [#772]: https://github.com/stackabletech/operator-rs/pull/772
+[#778]: https://github.com/stackabletech/operator-rs/pull/778
 ## [0.2.0] - 2024-03-26
From c3122c93e55bd0d02efed12469f38acb93f682b6 Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Fri, 24 May 2024 08:38:55 +0200
Subject: [PATCH 3/3] chore(stackable-webhook): explicitly set accepted TLS protocol versions
---
 crates/stackable-webhook/src/tls.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/crates/stackable-webhook/src/tls.rs b/crates/stackable-webhook/src/tls.rs
index 0df1b625d..32055f4ef 100644
--- a/crates/stackable-webhook/src/tls.rs
+++ b/crates/stackable-webhook/src/tls.rs
@@ -11,7 +11,11 @@ use stackable_certs::{ca::CertificateAuthority, keys::rsa, CertificatePairError}
 use stackable_operator::time::Duration;
 use tokio::net::TcpListener;
 use tokio_rustls::{
- rustls::{crypto::aws_lc_rs::default_provider, ServerConfig},
+ rustls::{
+ crypto::aws_lc_rs::default_provider,
+ version::{TLS12, TLS13},
+ ServerConfig,
+ },
 TlsAcceptor,
 };
 use tower::Service;
@@ -105,7 +109,7 @@ impl TlsServer {
 let tls_provider = default_provider();
 let mut config = ServerConfig::builder_with_provider(tls_provider.into())
- .with_safe_default_protocol_versions()
+ .with_protocol_versions(&[&TLS12, &TLS13])
 .context(SetSafeTlsProtocolVersionsSnafu)?
 .with_no_client_auth()
 .with_single_cert(vec![certificate_der], private_key_der)
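Review bot: `.with_protocol_versions(&[&TLS12, &TLS13])` in the `impl TlsServer` hunk deliberately keeps TLS 1.2 enabled, but nothing records why, and the error variant it feeds, `SetSafeTlsProtocolVersions` with display text "failed to set safe TLS protocol versions", still describes the `with_safe_default_protocol_versions()` call this commit removes. A short why-comment above the call would keep the choice reviewable, e.g. `// TLS 1.2 is kept for peers that do not negotiate 1.3 yet; remove it from this list to require TLS 1.3 only.`, and renaming the variant to something like `SetTlsProtocolVersions` with display text `"failed to set TLS protocol versions"` would keep the error honest about what failed (that enum lives outside this hunk). The enclosing method starts and ends outside the hunk.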