Support webpki-roots as a fallback in simple-request

2025-12-08 04:09:23 +00:00 · 2025-09-18 18:15:24 -04:00
parent 80009ab67f
commit a9b1e5293c
3 changed files with 28 additions and 11 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4317,6 +4317,7 @@ dependencies = [
 "tokio",
 "tokio-rustls",
 "tower-service",
+ "webpki-roots 1.0.2",
 ]

 [[package]]
@@ -5622,7 +5623,7 @@ dependencies = [
 "soketto 0.8.1",
 "thiserror 1.0.69",
 "url",
- "webpki-roots",
+ "webpki-roots 0.25.4",
 ]

 [[package]]
@@ -13396,6 +13397,15 @@ version = "0.25.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1"

+[[package]]
+name = "webpki-roots"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e8983c3ab33d6fb807cfcdad2491c4ea8cbc8ed839181c7dfd9c67c83e261b2"
+dependencies = [
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "which"
 version = "4.4.2"
--- a/common/request/Cargo.toml
+++ b/common/request/Cargo.toml
@@ -31,5 +31,6 @@ base64ct = { version = "1", features = ["alloc"], optional = true }

 [features]
 tls = ["hyper-rustls"]
+webpki-roots = ["tls", "hyper-rustls/webpki-roots"]
 basic-auth = ["zeroize", "base64ct"]
 default = ["tls"]
--- a/common/request/src/lib.rs
+++ b/common/request/src/lib.rs
@@ -52,24 +52,30 @@ pub struct Client {
 }

 impl Client {
+  #[allow(clippy::unnecessary_wraps)]
  fn connector() -> Result<Connector, Error> {
    let mut res = HttpConnector::new();
    res.set_keepalive(Some(core::time::Duration::from_secs(60)));
    res.set_nodelay(true);
    res.set_reuse_address(true);
+
    #[cfg(feature = "tls")]
    res.enforce_http(false);
    #[cfg(feature = "tls")]
-    let res = HttpsConnectorBuilder::new()
-      .with_native_roots()
-      .map_err(|e| {
-        Error::ConnectionError(
-          format!("couldn't load system's SSL root certificates: {e:?}").into(),
-        )
-      })?
-      .https_or_http()
-      .enable_http1()
-      .wrap_connector(res);
+    let https = HttpsConnectorBuilder::new().with_native_roots();
+    #[cfg(all(feature = "tls", not(feature = "webpki-roots")))]
+    let https = https.map_err(|e| {
+      Error::ConnectionError(
+        format!("couldn't load system's SSL root certificates and webpki-roots unavilable: {e:?}")
+          .into(),
+      )
+    })?;
+    // Fallback to `webpki-roots` if present
+    #[cfg(all(feature = "tls", feature = "webpki-roots"))]
+    let https = https.unwrap_or(HttpsConnectorBuilder::new().with_webpki_roots());
+    #[cfg(feature = "tls")]
+    let res = https.https_or_http().enable_http1().wrap_connector(res);
+
    Ok(res)
  }