Add feature to support rustls-native-certs root certificates #134
Conversation
@@ -9,6 +9,8 @@ use rustls::{ | |||
client::{ServerCertVerified, ServerCertVerifier, WebPkiVerifier}, | |||
ClientConfig, ClientConnection, OwnedTrustAnchor, RootCertStore, ServerName, StreamOwned, | |||
}; | |||
#[cfg(feature = "tls-rustls-native-roots")] | |||
use rustls_native_certs::load_native_certs; | |||
use webpki_roots::TLS_SERVER_ROOTS; |
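Review bot: the new `use rustls_native_certs::load_native_certs;` is gated on `feature = "tls-rustls-native-roots"`, but `use webpki_roots::TLS_SERVER_ROOTS;` directly below it stays unconditional, so a build with the native feature on still compiles in (and presumably still installs) Mozilla's bundle next to the OS store. If the feature is meant to select the OS trust store rather than add to it, gate the webpki import and the code that feeds `TLS_SERVER_ROOTS` into the `RootCertStore` with `#[cfg(not(feature = "tls-rustls-native-roots"))]`, and since loading from the OS store can fail at runtime in a way a compiled-in bundle cannot, make sure that failure surfaces as an error instead of an empty `RootCertStore`.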
Shouldn't webpki_roots be disabled when native certs are used?
I think that it's likely that users that enable the native certs feature do not want the webpki certs. They want to rely on the OS' cert store and not on Mozilla's.
That's a good question that I wasn't totally sure of. I noted in the description that I left it as-is initially so that the feature flag would be additive as opposed to a toggle. Reqwest has two separate feature flags for webpki and native, so you could enable both or only one. I'm not super knowledgeable about the expected behaviors, so I don't have a good sense of if having only the native certs would cause issues.
Ah, that loaded weird, didn't see your second comment right away! But yeah, that makes sense. I'll update to make the native certs exclusive of the webpki ones.
Doesn't have to be you who does this, but I think the TLS features should be cleaned up. Maybe something like:
tls-native
tls-native-vendored
tls-rustls-webpki-roots
tls-rustls-native-roots
Yeah, that would make sense. Would probably need to keep the various aliases around, at least for backwards compatibility, but it would definitely make it clearer which features are intended for which use-cases.
I took a quick look, my guess is it should be a separate PR, because there's a lot of various places that reference the current feature names that would need to be changed. I was also running into some weird behavior from Cargo that I didn't fully understand, where it wasn't importing the optional dependency even though it was declared to include it 🙁
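The feature layout proposed above, as an added Cargo.toml sketch that is not the project's own manifest: the four feature names and the existing tls-rustls flag come from the thread, while the crate name, the dependency versions, the use of native-tls behind tls-native and the alias mapping are assumptions.

```toml
[package]
name = "example-http-client"   # placeholder crate name, not the project's
version = "0.0.0"

[dependencies]
# Versions are placeholders; pin to whatever the project already uses.
native-tls          = { version = "<PLACEHOLDER>", optional = true }  # assumed backend for tls-native
rustls              = { version = "<PLACEHOLDER>", optional = true }
webpki-roots        = { version = "<PLACEHOLDER>", optional = true }
rustls-native-certs = { version = "<PLACEHOLDER>", optional = true }

[features]
default = []

# OS TLS stack (schannel / Security.framework / OpenSSL).
tls-native          = ["native-tls"]
# Same backend, with a vendored OpenSSL build.
tls-native-vendored = ["tls-native", "native-tls/vendored"]

# rustls with Mozilla's bundled roots.
tls-rustls-webpki-roots = ["rustls", "webpki-roots"]
# rustls with the OS trust store. Deliberately does NOT list webpki-roots:
# Cargo features are purely additive, so keeping the two root sources
# exclusive means never naming both in one feature and gating the webpki
# code path with #[cfg(not(feature = "tls-rustls-native-roots"))].
tls-rustls-native-roots = ["rustls", "rustls-native-certs"]

# Backwards-compatible alias (assumption: the old flag keeps its webpki behaviour).
tls-rustls = ["tls-rustls-webpki-roots"]
```

Because features are additive, a downstream crate that turns on both rustls features still gets both root crates; the exclusivity the reviewers want has to be enforced in the code that builds the RootCertStore, not in the manifest.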
Actually I think I got it working in #135 (which is stacked on this one to also include the tls-rustls-native-roots feature flag).
Yeah I'm planning to today
Perfect, thanks!
Published 0.24.0
Closes #133
Info
Using rustls-native-certs as root certificates allows consumers to easily opt-in to the native certificate stores. tls-rustls as well.
Changes
Adds a tls-rustls-native-roots feature flag to enable loading the native certificates as root certificates for requests.
Notes
Changed "." to '.' to resolve a clippy warning about using a single-character string as a pattern.