fix(reqwest): add default-tls feature to reqwest

[hydezhao]

enable default-tls feature to reqwest so that the binary can use OS's CA keystore.

It solves the problem that we cannot download cast from a self-hosted server with a private CA certificate.

[ku1ik]

Thanks.

How does reqwest handle certs when both default-tls and rustls-tls are enabled? Is the behavior documented somewhere?

[hydezhao]

Hello, from what I learnt, cargo features are additive..

[ku1ik]

Cargo features are additive, yeah, I'm just not sure which variant reqwest uses when multiple are enabled. I'm pretty sure one always wins over the other, I doubt it both would be active (e.g. one being fallback to the other).

My concern here is default-tls uses native TLS (OpenSSL), which makes the build process more complicated and fragile (need for OpenSSL headers, requires compiling C code, etc). I've actually tried using it initially, for the first version of agg, and I couldn't make it build on some platform/environment (don't remember which).

What about rustls-tls-native-roots? I think this could be the best of both worlds, using pure Rust rustls crate, but looking up certificates in common OS locations.

Can you test if it works with your private CA cert when you replace rustls-tls feature with rustls-tls-native-roots (and not enable default-tls)?

[ku1ik]

I actually just made this change in main branch, so you can just checkout main and test against your cert.

[hydezhao]

Hello @ku1ik , thanks a lot for your reply.
I got some local issue with my local build of agg . ( Error: application/octet-stream is not supported ) I will try figure it out .

Meanwhile , I've tested rustls-tls-native-roots on project asciinema. With rustls-tls-native-roots I can successfully upload record to my asciinema server with private CA cert. I assume that it works !

Thanks a lot !

[hydezhao]

I've updated the PR asciinema/asciinema#643 accordingly .

[hydezhao]

I think we can close this PR.