Skip to content

Enable TLS native root toggling at runtime#2362

Merged
charliermarsh merged 3 commits intomainfrom
charlie/tls
Mar 12, 2024
Merged

Enable TLS native root toggling at runtime#2362
charliermarsh merged 3 commits intomainfrom
charlie/tls

Conversation

@charliermarsh
Copy link
Member

@charliermarsh charliermarsh commented Mar 11, 2024
edited
Loading

Summary

It turns out that on macOS, reading the native certificates can add hundreds of milliseconds to client initialization. This PR makes --native-tls a command-line flag, to toggle (at runtime) the choice of the webpki roots or the native system roots.

You can't accomplish this kind of configuration with the reqwest builder API, so instead, I pulled out the heart of that logic from the crate (https://github.com/seanmonstar/reqwest/blob/e3192638518d577759dd89da489175b8f992b12f/src/async_impl/client.rs#L498), and modified it to allow toggling a choice of root.

Note that there's an open PR for this in reqwest (seanmonstar/reqwest#1848), along with an issue (seanmonstar/reqwest#1843), which I may ping, but it's been around for a while and I believe reqwest is focused on its next major release.

Closes #2346.

@charliermarsh charliermarsh requested a review from zanieb March 11, 2024 20:00
@charliermarsh charliermarsh marked this pull request as ready for review March 11, 2024 20:00
This was referenced Mar 11, 2024
Closed
Closed
zanieb
zanieb reviewed Mar 11, 2024
View reviewed changes
zanieb
zanieb reviewed Mar 11, 2024
View reviewed changes
zanieb
zanieb approved these changes Mar 11, 2024
View reviewed changes
Copy link
Member

@zanieb zanieb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work!

@zanieb
Copy link
Member

zanieb commented Mar 11, 2024

Technically this is a breaking change, should we create a label for that and highlight accordingly?

@charliermarsh charliermarsh added the breaking A breaking change label Mar 11, 2024
@charliermarsh charliermarsh added the performance Potential performance improvement label Mar 11, 2024
@charliermarsh charliermarsh enabled auto-merge (squash) March 11, 2024 23:56
@charliermarsh charliermarsh merged commit e9c16e9 into main Mar 12, 2024
@charliermarsh charliermarsh deleted the charlie/tls branch March 12, 2024 04:05
@zanieb zanieb mentioned this pull request Mar 12, 2024
Merged
zanieb added a commit that referenced this pull request Mar 12, 2024
@zanieb
Do not bump the minor version on breaking changes (#2376)
28bf493 
... yet.

I think we're not quite ready for a versioning policy over here. Now
that we have a "labeled" breaking change in #2362 we need to decide if
it should be a minor or patch version.
@BrewTestBot BrewTestBot mentioned this pull request Mar 13, 2024
Merged
@samypr100
Copy link
Collaborator

samypr100 commented Mar 13, 2024
edited
Loading

@charliermarsh Is it worth checking if SSL_CERT_FILE is set and make it behave as-if --native-tls was used?
I think that would keep this change backwards compatible with users leveraging SSL_CERT_FILE

e.g. something like

-let tls = tls::load(if self.native_tls {
+let tls = tls::load(if self.native_tls || env::var("SSL_CERT_FILE").is_ok() {
    Roots::Native
} else {
    Roots::Webpki
})

@charliermarsh
Copy link
Member Author

charliermarsh commented Mar 13, 2024

We can support SSL_CERT_FILE even without --native-tls, I think. I'm happy to add that. It would effectively be this PR: #2351.

@samypr100
Copy link
Collaborator

samypr100 commented Mar 13, 2024

Per this updated statement in the docs

If a direct path to the certificate is required (e.g., in CI), set the SSL_CERT_FILE environment
variable to the path of the certificate bundle (alongside the --native-tls flag), to instruct uv
to use that file instead of the system's trust store.

It sounds like reqwest will honor still SSL_CERT_FILE (if it's set), even if the loading is happening via on uv's end via tls::load/use_preconfigured_tls.
Assuming this, the suggested code snippet above would work to keep this change backwards compatible.

@samypr100 samypr100 mentioned this pull request Mar 13, 2024
Merged
charliermarsh pushed a commit that referenced this pull request Mar 13, 2024
@samypr100
feat: keep backwards compatibility with SSL_CERT_FILE without requi…
e0ac5b4 
…ring `--native-tls` (#2401)

## Summary

Small follow up to #2362 to check if
`SSL_CERT_FILE` is set to enable `--native-tls` functionality. This
maintains backwards compatibility with `0.1.17` and below users
leveraging only `SSL_CERT_FILE`.

Closes #2400

## Test Plan

<!-- How was it tested? -->
Assuming `SSL_CERT_FILE` is already working via `--native-tls`, this is
simply a shortcut to enable `--native-tls` functionality implicitly
while still being able to let `rustls-native-certs` handle the loading
of `SSL_CERT_FILE` instead of ourselves.

Edit: Manually tested by setting up own self-signed CA certificate
bundle and set `SSL_CERT_FILE` to this and confirmed the loading happens
without having to specify `--native-tls`.
@DragoonAethis DragoonAethis mentioned this pull request Mar 13, 2024
Closed
@zanieb zanieb mentioned this pull request May 4, 2024
Closed
@bjoernricks bjoernricks mentioned this pull request Sep 19, 2024
Closed
1 task
@zanieb zanieb mentioned this pull request Nov 5, 2024
Open
@jschwe jschwe mentioned this pull request Feb 27, 2025
Closed
@j178 j178 mentioned this pull request Oct 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zanieb zanieb zanieb approved these changes

Assignees

No one assigned

Labels

breaking A breaking change performance Potential performance improvement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Investigate overhead in initializing HTTP client

3 participants

@charliermarsh @zanieb @samypr100