Add rustls-tls-manual-roots feature to allow callers to specify roots

Now, callers have more control over the set of roots. Note that, due to cargo unification, other dependencies in the dependency tree might enable rustls-tls-webpki-roots or rustls-tls. This will affect connections initiated by code that explicitly enabled rustls-tls-manual-roots. So for now, the choice is done once per entire cargo dependency graph. If people want more precise control over things, they can add methods that allow controlling this on a per-connection level. Even if such methods are available, the *-manual-roots feature will still be helpful with eliminating the webpki-roots dependency for those cargo graphs where there is no unification.
seanmonstar · Nov 19, 2020 · 3ea9f92 · 3ea9f92
1 parent 4fe07d8
commit 3ea9f92
Show file tree

Hide file tree

Showing 9 changed files with 71 additions and 56 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -55,6 +55,7 @@ jobs:
           - windows / stable-i686-gnu
           - "feat.: default-tls disabled"
           - "feat.: rustls-tls"
+          - "feat.: rustls-tls-manual-roots"
           - "feat.: native-tls"
           - "feat.: default-tls and rustls-tls"
           - "feat.: cookies"
@@ -103,6 +104,8 @@ jobs:
             features: "--no-default-features"
           - name: "feat.: rustls-tls"
             features: "--no-default-features --features rustls-tls"
+          - name: "feat.: rustls-tls-manual-roots"
+            features: "--no-default-features --features rustls-tls-manual-roots"
           - name: "feat.: native-tls"
             features: "--features native-tls"
           - name: "feat.: default-tls and rustls-tls"

diff --git a/Cargo.toml b/Cargo.toml
@@ -34,7 +34,9 @@ default-tls = ["hyper-tls", "native-tls-crate", "__tls", "tokio-tls"]
 native-tls = ["default-tls"]
 native-tls-vendored = ["native-tls", "native-tls-crate/vendored"]
 
-rustls-tls = ["hyper-rustls", "tokio-rustls", "webpki-roots", "rustls", "__tls"]
+rustls-tls = ["rustls-tls-webpki-roots"]
+rustls-tls-manual-roots = ["__rustls"]
+rustls-tls-webpki-roots = ["webpki-roots", "__rustls"]
 
 blocking = ["futures-util/io", "tokio/rt-threaded", "tokio/rt-core", "tokio/sync"]
 
@@ -58,6 +60,10 @@ socks = ["tokio-socks"]
 # Enables common types used for TLS. Useless on its own.
 __tls = []
 
+# Enables common rustls code.
+# Equivalent to rustls-tls-manual-roots but shorter :)
+__rustls = ["hyper-rustls", "tokio-rustls", "rustls", "__tls"]
+
 # When enabled, disable using the cached SYS_PROXIES.
 __internal_proxy_sys_no_cache = []
 

diff --git a/src/async_impl/client.rs b/src/async_impl/client.rs
@@ -1,6 +1,6 @@
 #[cfg(any(
     feature = "native-tls",
-    feature = "rustls-tls",
+    feature = "__rustls",
 ))]
 use std::any::Any;
 use std::convert::TryInto;
@@ -236,7 +236,7 @@ impl ClientBuilder {
                         config.local_address,
                         config.nodelay)
                 },
-                #[cfg(feature = "rustls-tls")]
+                #[cfg(feature = "__rustls")]
                 TlsBackend::BuiltRustls(conn) => {
                     Connector::new_rustls_tls(
                         http,
@@ -246,7 +246,7 @@ impl ClientBuilder {
                         config.local_address,
                         config.nodelay)
                 },
-                #[cfg(feature = "rustls-tls")]
+                #[cfg(feature = "__rustls")]
                 TlsBackend::Rustls => {
                     use crate::tls::NoVerifier;
 
@@ -256,6 +256,7 @@ impl ClientBuilder {
                     } else {
                         tls.set_protocols(&["h2".into(), "http/1.1".into()]);
                     }
+                    #[cfg(feature = "rustls-tls-webpki-roots")]
                     tls.root_store
                         .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
 
@@ -283,7 +284,7 @@ impl ClientBuilder {
                 },
                 #[cfg(any(
                     feature = "native-tls",
-                    feature = "rustls-tls",
+                    feature = "__rustls",
                 ))]
                 TlsBackend::UnknownPreconfigured => {
                     return Err(crate::error::builder(
@@ -738,7 +739,7 @@ impl ClientBuilder {
     ///
     /// # Optional
     ///
-    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls`
+    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls(-...)`
     /// feature to be enabled.
     #[cfg(feature = "__tls")]
     pub fn add_root_certificate(mut self, cert: Certificate) -> ClientBuilder {
@@ -750,7 +751,7 @@ impl ClientBuilder {
     ///
     /// # Optional
     ///
-    /// This requires the optional `native-tls` or `rustls-tls` feature to be
+    /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be
     /// enabled.
     #[cfg(feature = "__tls")]
     pub fn identity(mut self, identity: Identity) -> ClientBuilder {
@@ -795,7 +796,7 @@ impl ClientBuilder {
     ///
     /// # Optional
     ///
-    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls`
+    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls(-...)`
     /// feature to be enabled.
     #[cfg(feature = "__tls")]
     pub fn danger_accept_invalid_certs(mut self, accept_invalid_certs: bool) -> ClientBuilder {
@@ -824,8 +825,8 @@ impl ClientBuilder {
     ///
     /// # Optional
     ///
-    /// This requires the optional `rustls-tls` feature to be enabled.
-    #[cfg(feature = "rustls-tls")]
+    /// This requires the optional `rustls-tls(-...)` feature to be enabled.
+    #[cfg(feature = "__rustls")]
     pub fn use_rustls_tls(mut self) -> ClientBuilder {
         self.config.tls = TlsBackend::Rustls;
         self
@@ -848,10 +849,10 @@ impl ClientBuilder {
     /// # Optional
     ///
     /// This requires one of the optional features `native-tls` or
-    /// `rustls-tls` to be enabled.
+    /// `rustls-tls(-...)` to be enabled.
     #[cfg(any(
         feature = "native-tls",
-        feature = "rustls-tls",
+        feature = "__rustls",
     ))]
     pub fn use_preconfigured_tls(mut self, tls: impl Any) -> ClientBuilder {
         let mut tls = Some(tls);
@@ -864,7 +865,7 @@ impl ClientBuilder {
                 return self;
             }
         }
-        #[cfg(feature = "rustls-tls")]
+        #[cfg(feature = "__rustls")]
         {
             if let Some(conn) = (&mut tls as &mut dyn Any).downcast_mut::<Option<rustls::ClientConfig>>() {
 
@@ -1212,7 +1213,7 @@ impl Config {
             }
         }
 
-        #[cfg(all(feature = "native-tls-crate", feature = "rustls-tls"))]
+        #[cfg(all(feature = "native-tls-crate", feature = "__rustls"))]
         {
             f.field("tls_backend", &self.tls);
         }

diff --git a/src/blocking/client.rs b/src/blocking/client.rs
@@ -1,6 +1,6 @@
 #[cfg(any(
     feature = "native-tls",
-    feature = "rustls-tls",
+    feature = "__rustls",
 ))]
 use std::any::Any;
 use std::convert::TryInto;
@@ -414,7 +414,7 @@ impl ClientBuilder {
     ///
     /// # Optional
     ///
-    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls`
+    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls(-...)`
     /// feature to be enabled.
     #[cfg(feature = "__tls")]
     pub fn add_root_certificate(self, cert: Certificate) -> ClientBuilder {
@@ -482,8 +482,8 @@ impl ClientBuilder {
     ///
     /// # Optional
     ///
-    /// This requires the optional `rustls-tls` feature to be enabled.
-    #[cfg(feature = "rustls-tls")]
+    /// This requires the optional `rustls-tls(-...)` feature to be enabled.
+    #[cfg(feature = "__rustls")]
     pub fn use_rustls_tls(self) -> ClientBuilder {
         self.with_inner(move |inner| inner.use_rustls_tls())
     }
@@ -505,10 +505,10 @@ impl ClientBuilder {
     /// # Optional
     ///
     /// This requires one of the optional features `native-tls` or
-    /// `rustls-tls` to be enabled.
+    /// `rustls-tls(-...)` to be enabled.
     #[cfg(any(
         feature = "native-tls",
-        feature = "rustls-tls",
+        feature = "__rustls",
     ))]
     pub fn use_preconfigured_tls(self, tls: impl Any) -> ClientBuilder {
         self.with_inner(move |inner| inner.use_preconfigured_tls(tls))

diff --git a/src/connect.rs b/src/connect.rs
@@ -26,7 +26,7 @@ use crate::proxy::{Proxy, ProxyScheme};
 use crate::error::BoxError;
 #[cfg(feature = "default-tls")]
 use self::native_tls_conn::NativeTlsConn;
-#[cfg(feature = "rustls-tls")]
+#[cfg(feature = "__rustls")]
 use self::rustls_tls_conn::RustlsTlsConn;
 
 #[derive(Clone)]
@@ -123,7 +123,7 @@ enum Inner {
     Http(HttpConnector),
     #[cfg(feature = "default-tls")]
     DefaultTls(HttpConnector, TlsConnector),
-    #[cfg(feature = "rustls-tls")]
+    #[cfg(feature = "__rustls")]
     RustlsTls {
         http: HttpConnector,
         tls: Arc<rustls::ClientConfig>,
@@ -199,7 +199,7 @@ impl Connector {
         }
     }
 
-    #[cfg(feature = "rustls-tls")]
+    #[cfg(feature = "__rustls")]
     pub(crate) fn new_rustls_tls<T>(
         mut http: HttpConnector,
         tls: rustls::ClientConfig,
@@ -282,7 +282,7 @@ impl Connector {
                     });
                 }
             }
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "__rustls")]
             Inner::RustlsTls { tls_proxy, .. } => {
                 if dst.scheme() == Some(&Scheme::HTTPS) {
                     use tokio_rustls::webpki::DNSNameRef;
@@ -357,7 +357,7 @@ impl Connector {
                     is_proxy,
                 })
             }
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "__rustls")]
             Inner::RustlsTls { http, tls, .. } => {
                 let mut http = http.clone();
 
@@ -434,7 +434,7 @@ impl Connector {
                     });
                 }
             }
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "__rustls")]
             Inner::RustlsTls {
                 http,
                 tls,
@@ -480,7 +480,7 @@ impl Connector {
         match &mut self.inner {
             #[cfg(feature = "default-tls")]
             Inner::DefaultTls(http, _tls) => http.set_keepalive(dur),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "__rustls")]
             Inner::RustlsTls { http, .. } => http.set_keepalive(dur),
             #[cfg(not(feature = "__tls"))]
             Inner::Http(http) => http.set_keepalive(dur),
@@ -801,7 +801,7 @@ mod native_tls_conn {
     }
 }
 
-#[cfg(feature = "rustls-tls")]
+#[cfg(feature = "__rustls")]
 mod rustls_tls_conn {
     use rustls::Session;
     use std::mem::MaybeUninit;

diff --git a/src/lib.rs b/src/lib.rs
@@ -170,6 +170,11 @@
 //! - **native-tls**: Enables TLS functionality provided by `native-tls`.
 //! - **native-tls-vendored**: Enables the `vendored` feature of `native-tls`.
 //! - **rustls-tls**: Enables TLS functionality provided by `rustls`.
+//!   Equivalent to `rustls-tls-webpki-roots`.
+//! - **rustls-tls-manual-roots**: Enables TLS functionality provided by `rustls`,
+//!   without setting any root certificates. Roots have to be specified manually.
+//! - **rustls-tls-webpki-roots**: Enables TLS functionality provided by `rustls`,
+//!   while using root certificates from the `webpki-roots` crate
 //! - **blocking**: Provides the [blocking][] client API.
 //! - **cookies**: Provides cookie session support.
 //! - **gzip**: Provides response body gzip decompression.