Skip to content

Add fine-grained control over root certificates#1848

Closed
daxpedda wants to merge 1 commit intoseanmonstar:masterfrom
daxpedda:fine-grained-root-certs
Closed

Add fine-grained control over root certificates#1848
daxpedda wants to merge 1 commit intoseanmonstar:masterfrom
daxpedda:fine-grained-root-certs

Conversation

@daxpedda
Copy link
Contributor

@daxpedda daxpedda commented May 22, 2023

As suggested in #1843 (comment), this introduces ClientBuilder::no_webpki_root_certs() and ClientBuilder::no_native_root_certs().

Fixes #1843.

@daxpedda daxpedda force-pushed the fine-grained-root-certs branch 2 times, most recently from ccb4304 to 2ca4091 Compare May 22, 2023 20:01
@seanmonstar
Copy link
Owner

seanmonstar commented May 22, 2023

I think would expect it to be something like no_certs(), applied for all ways of loading default certificates.

@daxpedda
Copy link
Contributor Author

daxpedda commented May 22, 2023
edited
Loading

That's already available as ClientBuilder::tls_built_in_root_certs(), which probably could get improved by removing the crate feature gates, but it is a separate problem.

The original problem is to control more tightly which root certificates to load. Right now, if both rustls-tls-webpki-roots and rustls-tls-native-roots crate features are enabled, you can only load or not load both at the same time, but not individually. The goal is to e.g. only load webpki-roots even when both crate features are enabled.

@daxpedda daxpedda force-pushed the fine-grained-root-certs branch from 2ca4091 to bf69111 Compare July 6, 2023 13:52
@daxpedda
Copy link
Contributor Author

daxpedda commented Jul 6, 2023

Rebased and CI passes.
This is ready to be reviewed again.

Now that #1850 is merged, it could be argued that if fine-grained control over root certificates is required users can build their own configuration. So if this out-of-scope, let me know.

@charliermarsh charliermarsh mentioned this pull request Mar 11, 2024
Merged
charliermarsh added a commit to astral-sh/uv that referenced this pull request Mar 12, 2024
@charliermarsh
Enable TLS native root toggling at runtime (#2362)
e9c16e9 
## Summary

It turns out that on macOS, reading the native certificates can add
hundreds of milliseconds to client initialization. This PR makes
`--native-tls` a command-line flag, to toggle (at runtime) the choice of
the `webpki` roots or the native system roots.

You can't accomplish this kind of configuration with the `reqwest`
builder API, so instead, I pulled out the heart of that logic from the
crate
(https://github.com/seanmonstar/reqwest/blob/e3192638518d577759dd89da489175b8f992b12f/src/async_impl/client.rs#L498),
and modified it to allow toggling a choice of root.

Note that there's an open PR for this in reqwest
(seanmonstar/reqwest#1848), along with an issue
(seanmonstar/reqwest#1843), which I may ping,
but it's been around for a while and I believe reqwest is focused on its
next major release.

Closes #2346.
@seanmonstar seanmonstar mentioned this pull request Apr 1, 2024
Merged
@seanmonstar
Copy link
Owner

seanmonstar commented Apr 1, 2024

Sorry for the delay. I've come back to this, and wanted to fix up the merge conflict, and also had a change in thinking as to how to enable/disable. The new PR is at #2232.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Only use webpki certs despite enabled rustls-tls-native-roots feature

2 participants

@daxpedda @seanmonstar