Skip to content

fix: use native + webpki TLS roots (v0.3.9)#60

Merged
lorenjphillips merged 1 commit into
mainfrom
release/v0.3.9
Apr 16, 2026
Merged

fix: use native + webpki TLS roots (v0.3.9)#60
lorenjphillips merged 1 commit into
mainfrom
release/v0.3.9

Conversation

@lorenjphillips

@lorenjphillips lorenjphillips commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Swap reqwest TLS feature from bundled-only (`rustls-tls`) to `rustls-tls-native-roots` + `rustls-tls-webpki-roots`. Rustls now trusts both the OS trust store and the bundled Mozilla roots.

Summary by CodeRabbit

  • Chores
    • Bumped version to 0.3.9
    • Updated TLS certificate handling configuration

Fixes corporate TLS-inspection proxies (Zscaler, Netskope, Palo Alto)
where rustls bundled roots reject re-signed certs.

chore: bump version to 0.3.9
@coderabbitai

coderabbitai Bot commented Apr 16, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

The package version is incremented from 0.3.8 to 0.3.9. The reqwest dependency features are expanded from rustls-tls to include both rustls-tls-native-roots and rustls-tls-webpki-roots, broadening TLS certificate validation options.

Changes

Cohort / File(s) Summary
Package Version & TLS Configuration
Cargo.toml
Version bumped to 0.3.9; reqwest TLS features expanded from ["json", "rustls-tls"] to ["json", "rustls-tls-native-roots", "rustls-tls-webpki-roots"], providing dual root certificate handling strategies.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A version hops from eight to nine,
With rustls roots both strong and fine,
Native paths and webpki's ways,
Securing connections through all our days!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: updating TLS root certificate handling to use both native and webpki roots, which directly addresses the core modification in Cargo.toml's reqwest dependency features.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch release/v0.3.9

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Cargo.toml`:
- Line 17: The reqwest dependency in Cargo.toml currently enables both
rustls-tls-native-roots and rustls-tls-webpki-roots which are mutually
exclusive; update the reqwest line to enable only the appropriate TLS root
feature for your deployment (choose either "rustls-tls-native-roots" for
OS/system roots or "rustls-tls-webpki-roots" for bundled WebPKI roots), or
remove both and implement runtime certificate handling via
reqwest::ClientBuilder if you need hybrid behavior; locate the dependency line
containing reqwest = { version = "0.12", default-features = false, features =
[...] } and change the features array accordingly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4e5aabb6-2293-4376-aa13-600d62331b0d

📥 Commits

Reviewing files that changed from the base of the PR and between c7dfb24 and 6d17001.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • Cargo.toml

Comment thread Cargo.toml
clap = { version = "4.5", features = ["derive", "env", "wrap_help"] }
tokio = { version = "1.36", features = ["rt-multi-thread", "macros"] }
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots", "rustls-tls-webpki-roots"] }

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For reqwest 0.12.x, are rustls-tls-native-rootsandrustls-tls-webpki-roots valid features, and is enabling both at once supported/recommended?

💡 Result:

Yes, both rustls-tls-native-roots and rustls-tls-webpki-roots are valid features for reqwest 0.12.x. They are listed separately in the official docs.rs feature lists for multiple 0.12 versions (e.g., 0.12.12, 0.12.28). Package repositories like Fedora also build separate devel packages for each, confirming validity. Enabling both at once is supported technically, as Cargo features are additive with no documented conflicts or mutual exclusivity in 0.12.x (unlike some older versions or 0.13+ changes). However, it is not recommended. These features configure mutually exclusive root certificate stores: rustls-tls-native-roots uses rustls-native-certs for OS/system roots, while rustls-tls-webpki-roots uses bundled webpki-roots. Enabling both would load both stores, potentially leading to redundant certificates, larger binaries, and unclear precedence in verification, without added benefit. Choose one based on needs: native for system integration (e.g., corporate proxies), webpki for portability/cross-platform consistency. Use rustls-tls alone for the default (webpki). Runtime config via ClientBuilder allows further customization like disabling built-ins or adding certs.

Citations:


Reconsider dual TLS features—choose one based on deployment context.

Both rustls-tls-native-roots and rustls-tls-webpki-roots are valid features in reqwest 0.12.x, but enabling both simultaneously is not recommended. These features configure mutually exclusive root certificate stores; loading both creates redundant certificates, increases binary size, and leaves certificate verification precedence unclear without tangible benefit.

For corporate MITM/proxy compatibility, use rustls-tls-native-roots alone (leverages OS/system roots). For portability and cross-platform consistency, use rustls-tls-webpki-roots alone. If hybrid behavior is genuinely needed, use ClientBuilder at runtime to customize certificate handling instead.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Cargo.toml` at line 17, The reqwest dependency in Cargo.toml currently
enables both rustls-tls-native-roots and rustls-tls-webpki-roots which are
mutually exclusive; update the reqwest line to enable only the appropriate TLS
root feature for your deployment (choose either "rustls-tls-native-roots" for
OS/system roots or "rustls-tls-webpki-roots" for bundled WebPKI roots), or
remove both and implement runtime certificate handling via
reqwest::ClientBuilder if you need hybrid behavior; locate the dependency line
containing reqwest = { version = "0.12", default-features = false, features =
[...] } and change the features array accordingly.

@lorenjphillips lorenjphillips merged commit cebd0b7 into main Apr 16, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants