Enable TLS native root toggling at runtime #2362
Conversation
Great work!
Technically this is a breaking change; should we create a label for that and highlight it accordingly?
... yet. I think we're not quite ready for a versioning policy over here. Now that we have a "labeled" breaking change in #2362 we need to decide if it should be a minor or patch version.
@charliermarsh Is it worth checking if e.g. something like
-let tls = tls::load(if self.native_tls {
+let tls = tls::load(if self.native_tls || env::var("SSL_CERT_FILE").is_ok() {
Roots::Native
} else {
Roots::Webpki
})
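Review bot: `env::var("SSL_CERT_FILE").is_ok()` in the `+` line is both too loose and too strict: it treats `SSL_CERT_FILE=""` as set and switches to native roots, and it returns `Err` for a non-UTF-8 value, so such a value would silently fall back to webpki. `env::var_os("SSL_CERT_FILE").is_some_and(|v| !v.is_empty())` expresses the intent. Worth a line in the `--native-tls` help text as well: once the variable is set, the macOS startup cost of reading native certificates described in the summary is paid implicitly, without the flag ever appearing on the command line.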
We can support
Per this updated statement in the docs
It sounds like reqwest will honor still
…ring `--native-tls` (#2401)

## Summary

Small follow up to #2362 to check if `SSL_CERT_FILE` is set to enable `--native-tls` functionality. This maintains backwards compatibility with `0.1.17` and below users leveraging only `SSL_CERT_FILE`.

Closes #2400

## Test Plan

Assuming `SSL_CERT_FILE` is already working via `--native-tls`, this is simply a shortcut to enable `--native-tls` functionality implicitly while still being able to let `rustls-native-certs` handle the loading of `SSL_CERT_FILE` instead of ourselves.

Edit: Manually tested by setting up own self-signed CA certificate bundle and set `SSL_CERT_FILE` to this and confirmed the loading happens without having to specify `--native-tls`.
Summary

It turns out that on macOS, reading the native certificates can add hundreds of milliseconds to client initialization. This PR makes `--native-tls` a command-line flag, to toggle (at runtime) the choice of the webpki roots or the native system roots.

You can't accomplish this kind of configuration with the `reqwest` builder API, so instead, I pulled out the heart of that logic from the crate (https://github.com/seanmonstar/reqwest/blob/e3192638518d577759dd89da489175b8f992b12f/src/async_impl/client.rs#L498), and modified it to allow toggling a choice of root.

Note that there's an open PR for this in reqwest (seanmonstar/reqwest#1848), along with an issue (seanmonstar/reqwest#1843), which I may ping, but it's been around for a while and I believe reqwest is focused on its next major release.

Closes #2346.
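The root-store decision that the `--native-tls` flag described above and the `SSL_CERT_FILE` shortcut from #2401 imply, as an added example in Rust that is not uv's or reqwest's code. `Roots`, `Decision`, `choose_roots` and the PEM sanity check are assumptions of this example; it is written against std only, so the actual store assembly with rustls-native-certs / webpki-roots that reqwest's client.rs does is left out.

```rust
use std::ffi::OsStr;
use std::fs;
use std::path::Path;

/// Which root store to hand to rustls: webpki-roots or rustls-native-certs.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Roots {
    Webpki,
    Native,
}

/// How the choice was made (assumed type, not uv's), so an explicit flag can
/// be told apart from an implicit, environment-driven switch to native roots.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Decision {
    Explicit(Roots),
    /// SSL_CERT_FILE named a readable PEM bundle: native roots, as in #2401.
    EnvBundle(String),
    /// SSL_CERT_FILE is set but unusable: keep webpki and report why.
    EnvIgnored(String),
}

impl Decision {
    pub fn roots(&self) -> Roots {
        match self {
            Decision::Explicit(r) => *r,
            Decision::EnvBundle(_) => Roots::Native,
            Decision::EnvIgnored(_) => Roots::Webpki,
        }
    }
}

/// `native_tls` is the --native-tls flag; `ssl_cert_file` is the raw value of
/// SSL_CERT_FILE (`std::env::var_os("SSL_CERT_FILE").as_deref()`). Unlike
/// `env::var(..).is_ok()`, an empty value or an unreadable/non-PEM file never flips the store.
pub fn choose_roots(native_tls: bool, ssl_cert_file: Option<&OsStr>) -> Decision {
    if native_tls {
        return Decision::Explicit(Roots::Native);
    }
    let Some(raw) = ssl_cert_file.filter(|v| !v.is_empty()) else {
        return Decision::Explicit(Roots::Webpki);
    };
    let path = Path::new(raw);
    match fs::read_to_string(path) {
        Ok(pem) if pem.contains("-----BEGIN CERTIFICATE-----") => {
            Decision::EnvBundle(path.display().to_string())
        }
        Ok(_) => Decision::EnvIgnored(format!("{}: no PEM certificates", path.display())),
        Err(e) => Decision::EnvIgnored(format!("{}: {e}", path.display())),
    }
}
```

The `EnvIgnored` reason is the value to log: a set-but-broken `SSL_CERT_FILE` is exactly the case where a user expects their private CA to be trusted and instead gets webpki's public roots.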