fix: use native + webpki TLS roots (v0.3.9)#60
Conversation
Fixes corporate TLS-inspection proxies (Zscaler, Netskope, Palo Alto) where rustls bundled roots reject re-signed certs. chore: bump version to 0.3.9
📝 WalkthroughWalkthroughThe package version is incremented from 0.3.8 to 0.3.9. The reqwest dependency features are expanded from Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@Cargo.toml`:
- Line 17: The reqwest dependency in Cargo.toml currently enables both
rustls-tls-native-roots and rustls-tls-webpki-roots which are mutually
exclusive; update the reqwest line to enable only the appropriate TLS root
feature for your deployment (choose either "rustls-tls-native-roots" for
OS/system roots or "rustls-tls-webpki-roots" for bundled WebPKI roots), or
remove both and implement runtime certificate handling via
reqwest::ClientBuilder if you need hybrid behavior; locate the dependency line
containing reqwest = { version = "0.12", default-features = false, features =
[...] } and change the features array accordingly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 4e5aabb6-2293-4376-aa13-600d62331b0d
⛔ Files ignored due to path filters (1)
Cargo.lockis excluded by!**/*.lock
📒 Files selected for processing (1)
Cargo.toml
| clap = { version = "4.5", features = ["derive", "env", "wrap_help"] } | ||
| tokio = { version = "1.36", features = ["rt-multi-thread", "macros"] } | ||
| reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] } | ||
| reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots", "rustls-tls-webpki-roots"] } |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
For reqwest 0.12.x, are rustls-tls-native-rootsandrustls-tls-webpki-roots valid features, and is enabling both at once supported/recommended?
💡 Result:
Yes, both rustls-tls-native-roots and rustls-tls-webpki-roots are valid features for reqwest 0.12.x. They are listed separately in the official docs.rs feature lists for multiple 0.12 versions (e.g., 0.12.12, 0.12.28). Package repositories like Fedora also build separate devel packages for each, confirming validity. Enabling both at once is supported technically, as Cargo features are additive with no documented conflicts or mutual exclusivity in 0.12.x (unlike some older versions or 0.13+ changes). However, it is not recommended. These features configure mutually exclusive root certificate stores: rustls-tls-native-roots uses rustls-native-certs for OS/system roots, while rustls-tls-webpki-roots uses bundled webpki-roots. Enabling both would load both stores, potentially leading to redundant certificates, larger binaries, and unclear precedence in verification, without added benefit. Choose one based on needs: native for system integration (e.g., corporate proxies), webpki for portability/cross-platform consistency. Use rustls-tls alone for the default (webpki). Runtime config via ClientBuilder allows further customization like disabling built-ins or adding certs.
Citations:
- 1: https://docs.rs/crate/reqwest/0.12.12/features
- 2: https://docs.rs/crate/reqwest/^0.12.12/features
- 3: https://docs.rs/crate/reqwest/0.12.8/features
- 4: https://github.com/seanmonstar/reqwest/blob/master/Cargo.toml
- 5: Only use
webpkicerts despite enabledrustls-tls-native-rootsfeature seanmonstar/reqwest#1843
Reconsider dual TLS features—choose one based on deployment context.
Both rustls-tls-native-roots and rustls-tls-webpki-roots are valid features in reqwest 0.12.x, but enabling both simultaneously is not recommended. These features configure mutually exclusive root certificate stores; loading both creates redundant certificates, increases binary size, and leaves certificate verification precedence unclear without tangible benefit.
For corporate MITM/proxy compatibility, use rustls-tls-native-roots alone (leverages OS/system roots). For portability and cross-platform consistency, use rustls-tls-webpki-roots alone. If hybrid behavior is genuinely needed, use ClientBuilder at runtime to customize certificate handling instead.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@Cargo.toml` at line 17, The reqwest dependency in Cargo.toml currently
enables both rustls-tls-native-roots and rustls-tls-webpki-roots which are
mutually exclusive; update the reqwest line to enable only the appropriate TLS
root feature for your deployment (choose either "rustls-tls-native-roots" for
OS/system roots or "rustls-tls-webpki-roots" for bundled WebPKI roots), or
remove both and implement runtime certificate handling via
reqwest::ClientBuilder if you need hybrid behavior; locate the dependency line
containing reqwest = { version = "0.12", default-features = false, features =
[...] } and change the features array accordingly.
Summary
Summary by CodeRabbit