feat: use native TLS roots along webpki #1772
Merged
Feature or Problem
Include both webpki and native OS root certificates by default for TLS. This ensures that outgoing connections work everywhere - be it a FROM scratch Docker container, consumer OS behind a corporate firewall, an embedded device or anything in-between.
Eventually we should standardize TLS setup in providers and have a way to switch between the CA pools, but for now we should focus on getting things working.
The specified reqwest feature set ensures both bundles are included https://github.com/seanmonstar/reqwest/blob/14e46ff8cb7550473c950f3471d049ad2e139d3f/src/async_impl/client.rs#L501-L529 this fails when the OS bundle is missing, so simply load the native certs ourselves and log if we failed to load the native bundle
Related Issues
May fix - #1433
Release Information
Consumer Impact
Testing
Unit Test(s)
Acceptance or Integration
Manual Verification