Add feature flag rustls-tls for custom ca feature

Cargo.toml

@@ -22,14 +22,13 @@ exclude = [
 [features]
 # By default we use rustls for TLS
 default = ["rustls-tls"]
-rustls-tls = ["ureq/tls"]
+rustls-tls = ["ureq/tls", "rustls-pemfile", "rustls"]
 # If this feature is enabled we instead use the native TLS implementation for the
 # target platform
 native-tls = [
  "ureq/native-tls",
  "native-tls-crate/vendored",
  "rustls-pemfile",
- "rustls",
 ]
 
 [dependencies]

src/ctx.rs

@@ -62,6 +62,40 @@ impl Ctx {
  builder = builder.tls_connector(std::sync::Arc::new(tls_connector));
  }
 
+ #[cfg(feature = "rustls-tls")]
+ 'custom: {
+ // "common"? env vars that people who use custom certs use? I guess
+ // this is easy to expand if it's not the case. /shrug
+ const CERT_ENVS: &[&str] = &["REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE"];
+
+ let Some((env, cert_path)) = CERT_ENVS.iter().find_map(|env| {
+ std::env::var_os(env).map(|var| (env, std::path::PathBuf::from(var)))
+ }) else {
+ break 'custom;
+ };
+
+ fn build(cert_path: &std::path::Path) -> anyhow::Result<rustls::ClientConfig> {
+ let mut reader = std::io::BufReader::new(std::fs::File::open(cert_path)?);
+ let certs = rustls_pemfile::certs(&mut reader)?;
+ let mut root_certs = rustls::RootCertStore::empty();
+ root_certs.add_parsable_certificates(&certs);
+ let client_config = rustls::ClientConfig::builder()
+ .with_safe_defaults()
+ .with_root_certificates(root_certs)
+ .with_no_client_auth();
+ Ok(client_config)
+ }
+
+ let client_config = build(&cert_path).with_context(|| {
+ format!(
+ "failed to add custom cert from path '{}' configured by env var '{env}'",
+ cert_path.display()
+ )
+ })?;
+
+ builder = builder.tls_config(std::sync::Arc::new(client_config));
+ }
+
  // Allow user to specify timeout values in the case of bad/slow proxies
  // or MS itself being terrible, but default to a minute, which is _far_
  // more than it should take in normal situations, as by default ureq