platform-verifier as feature

algesten · Sep 29, 2024 · 3f21ad6 · 3f21ad6
1 parent bae9d0d
commit 3f21ad6
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 5 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,11 +16,12 @@ exclude = ["/cargo_deny.sh", "/deny.toml", "/test.sh"]
 rust-version = "1.67"
 
 [package.metadata.docs.rs]
-features = ["rustls", "native-tls", "socks-proxy", "cookies", "gzip", "brotli", "charset", "json", "_test"]
+features = ["rustls", "platform-verifier", "native-tls", "socks-proxy", "cookies", "gzip", "brotli", "charset", "json", "_test"]
 
 [features]
 default = ["rustls", "gzip", "json"]
-rustls = ["dep:rustls", "_tls", "dep:rustls-platform-verifier", "dep:webpki-roots"]
+rustls = ["dep:rustls", "_tls", "dep:webpki-roots"]
+platform-verifier = ["dep:rustls-platform-verifier"]
 native-tls = ["dep:native-tls", "dep:der", "_tls", "dep:webpki-root-certs"]
 socks-proxy = ["dep:socks"]
 cookies = ["dep:cookie_store", "_url"]

diff --git a/src/tls/mod.rs b/src/tls/mod.rs
@@ -81,7 +81,7 @@ pub struct TlsConfig {
 
     /// The set of trusted root certificates to use to validate server certificates.
     ///
-    /// Defaults to `PlatformVerifier` to use the platform default root certs.
+    /// Defaults to `WebPki`.
     pub root_certs: RootCerts,
 
     /// Whether to send SNI (Server Name Indication) to the remote server.
@@ -131,14 +131,17 @@ pub enum RootCerts {
 
     /// Use the platform's verifier.
     ///
-    /// * For **rustls**, this uses the `rustls-platform-verifier` crate.
+    /// * For **rustls**, this uses the `rustls-platform-verifier` crate. It requires
+    ///   the feature **platform-verifier**.
     /// * For **native-tls**, this uses the roots that native-tls loads by default.
     PlatformVerifier,
 
     /// Use Mozilla's root certificates instead of the platform.
     ///
     /// This is useful when you can't trust the system roots, such as in
     /// environments where TLS is intercepted and decrypted by a proxy (MITM attack).
+    ///
+    /// This is the default value.
     WebPki,
 }
 
@@ -161,7 +164,7 @@ impl Default for TlsConfig {
         Self {
             provider,
             client_cert: None,
-            root_certs: RootCerts::PlatformVerifier,
+            root_certs: RootCerts::WebPki,
             use_sni: true,
             disable_verification: false,
 

diff --git a/src/tls/rustls.rs b/src/tls/rustls.rs
@@ -114,6 +114,11 @@ fn build_config(tls_config: &TlsConfig) -> Arc<ClientConfig> {
 
                 builder.with_root_certificates(root_store)
             }
+            #[cfg(not(feature = "platform-verifier"))]
+            RootCerts::PlatformVerifier => {
+                panic!("Rustls + PlatformVerifier requires feature: platform-verifier");
+            }
+            #[cfg(feature = "platform-verifier")]
             RootCerts::PlatformVerifier => builder
                 // This actually not dangerous. The rustls_platform_verifier is safe.
                 .dangerous()