platform-verifier as feature

Cargo.toml

@@ -16,11 +16,12 @@ exclude = ["/cargo_deny.sh", "/deny.toml", "/test.sh"]
 rust-version = "1.67"
 
 [package.metadata.docs.rs]
-features = ["rustls", "native-tls", "socks-proxy", "cookies", "gzip", "brotli", "charset", "json", "_test"]
+features = ["rustls", "platform-verifier", "native-tls", "socks-proxy", "cookies", "gzip", "brotli", "charset", "json", "_test"]
 
 [features]
 default = ["rustls", "gzip", "json"]
-rustls = ["dep:rustls", "_tls", "dep:rustls-platform-verifier", "dep:webpki-roots"]
+rustls = ["dep:rustls", "_tls", "dep:webpki-roots"]
+platform-verifier = ["dep:rustls-platform-verifier"]
 native-tls = ["dep:native-tls", "dep:der", "_tls", "dep:webpki-root-certs"]
 socks-proxy = ["dep:socks"]
 cookies = ["dep:cookie_store", "_url"]

src/tls/mod.rs

@@ -81,7 +81,7 @@ pub struct TlsConfig {
 
     /// The set of trusted root certificates to use to validate server certificates.
     ///
-    /// Defaults to `PlatformVerifier` to use the platform default root certs.
+    /// Defaults to `WebPki`.
     pub root_certs: RootCerts,
 
     /// Whether to send SNI (Server Name Indication) to the remote server.
@@ -120,14 +120,17 @@ pub enum RootCerts {
 
     /// Use the platform's verifier.
     ///
-    /// * For **rustls**, this uses the `rustls-platform-verifier` crate.
+    /// * For **rustls**, this uses the `rustls-platform-verifier` crate. It requires
+    ///   the feature **platform-verifier**.
     /// * For **native-tls**, this uses the roots that native-tls loads by default.
     PlatformVerifier,
 
     /// Use Mozilla's root certificates instead of the platform.
     ///
     /// This is useful when you can't trust the system roots, such as in
     /// environments where TLS is intercepted and decrypted by a proxy (MITM attack).
+    ///
+    /// This is the default value.
     WebPki,
 }
 
@@ -137,7 +140,7 @@ impl Default for TlsConfig {
         Self {
             provider,
             client_cert: None,
-            root_certs: RootCerts::PlatformVerifier,
+            root_certs: RootCerts::WebPki,
             use_sni: true,
             disable_verification: false,
 
@@ -163,3 +166,33 @@ impl fmt::Debug for TlsConfig {
             .finish()
     }
 }
+
+#[cfg(test)]
+mod test {
+    use crate::{Agent, AgentConfig};
+
+    use super::RootCerts;
+
+    #[test]
+    #[should_panic]
+    #[cfg(not(feature = "platform-verifier"))]
+    fn rustls_platform_verifier() {
+        use super::TlsProvider;
+
+        let mut config = AgentConfig::new();
+        config.tls_config.provider = TlsProvider::Rustls;
+        config.tls_config.root_certs = RootCerts::PlatformVerifier;
+        let agent = Agent::new_with_config(config);
+        let _ = agent.get("https://www.google.com").call();
+    }
+
+    #[test]
+    #[cfg(feature = "platform-verifier")]
+    fn rustls_platform_verifier() {
+        let mut config = AgentConfig::new();
+        config.tls_config.provider = TlsProvider::Rustls;
+        config.tls_config.root_certs = RootCerts::PlatformVerifier;
+        let agent = Agent::new_with_config(config);
+        let _ = agent.get("https://www.google.com").call();
+    }
+}

src/tls/rustls.rs

@@ -114,6 +114,11 @@ fn build_config(tls_config: &TlsConfig) -> Arc<ClientConfig> {
 
                 builder.with_root_certificates(root_store)
             }
+            #[cfg(not(feature = "platform-verifier"))]
+            RootCerts::PlatformVerifier => {
+                panic!("Rustls + PlatformVerifier requires feature: platform-verifier");
+            }
+            #[cfg(feature = "platform-verifier")]
             RootCerts::PlatformVerifier => builder
                 // This actually not dangerous. The rustls_platform_verifier is safe.
                 .dangerous()