From 705e68ec658e4a11630fbc4371d0b53b1a76a9e4 Mon Sep 17 00:00:00 2001 From: SilverMira <66930495+SilverMira@users.noreply.github.com> Date: Thu, 5 Dec 2024 21:11:40 +0800 Subject: [PATCH] feat: use webpki as rustls roots on non-desktop platforms (#1402) * feat: use webpki as rustls roots on non-desktop platforms Silently switch over to using `rustls-webpki` when building for target_os that is not Windows/Linux/Mac because `rustls-native-certs` doesn't support them. Ideally we should use `rustls-platform-verifier` as it's now the recommended crate even on `rustls-native-certs` repository, since it chooses the right implementation for the platform. But currently it doesn't seem like `hyper-proxy2` or `tokio-tungstenite` doesn't support them yet. * Fix "no native root CA certificates found" (#1399) --- CHANGELOG.md | 3 +++ Cargo.lock | 15 ++++++++++++++- core/Cargo.toml | 15 ++++++++++++--- core/src/http_client.rs | 16 ++++++++++------ 4 files changed, 39 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 82bfb094..60d1eeaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed +- [core] Fix "no native root CA certificates found" on platforms unsupported + by `rustls-native-certs`. + ### Removed ## [0.6.0] - 2024-10-30 diff --git a/Cargo.lock b/Cargo.lock index 3de6c41c..6944c96d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1534,6 +1534,7 @@ dependencies = [ "tokio-rustls 0.25.0", "tower-service", "webpki", + "webpki-roots 0.26.7", ] [[package]] @@ -1567,6 +1568,7 @@ dependencies = [ "tokio", "tokio-rustls 0.25.0", "tower-service", + "webpki-roots 0.26.7", ] [[package]] @@ -1586,6 +1588,7 @@ dependencies = [ "tokio", "tokio-rustls 0.26.0", "tower-service", + "webpki-roots 0.26.7", ] [[package]] @@ -2900,7 +2903,7 @@ dependencies = [ "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots", + "webpki-roots 0.25.4", "winreg", ] @@ -3726,6 +3729,7 @@ dependencies = [ "tokio", "tokio-rustls 0.26.0", "tungstenite", + "webpki-roots 0.26.7", ] [[package]] @@ -4096,6 +4100,15 @@ version = "0.25.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1" +[[package]] +name = "webpki-roots" +version = "0.26.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5d642ff16b7e79272ae451b7322067cdc17cadf68c23264be9d94a32319efe7e" +dependencies = [ + "rustls-pki-types", +] + [[package]] name = "which" version = "4.4.2" diff --git a/core/Cargo.toml b/core/Cargo.toml index 994f1ab2..b76e6b8a 100644 --- a/core/Cargo.toml +++ b/core/Cargo.toml @@ -32,8 +32,6 @@ http = "1.0" hyper = { version = "1.3", features = ["http1", "http2"] } hyper-util = { version = "0.1", features = ["client"] } http-body-util = "0.1.1" -hyper-proxy2 = { version = "0.1", default-features = false, features = ["rustls"] } -hyper-rustls = { version = "0.27.2", features = ["http2"] } log = "0.4" nonzero_ext = "0.3" num-bigint = { version = "0.4", features = ["rand"] } @@ -58,12 +56,23 @@ thiserror = "1.0" time = { version = "0.3", features = ["formatting", "parsing"] } tokio = { version = "1", features = ["io-util", "macros", "net", "parking_lot", "rt", "sync", "time"] } tokio-stream = "0.1" -tokio-tungstenite = { version = "0.24", default-features = false, features = ["rustls-tls-native-roots"] } tokio-util = { version = "0.7", features = ["codec"] } url = "2" uuid = { version = "1", default-features = false, features = ["fast-rng", "v4"] } data-encoding = "2.5" +# Eventually, this should use rustls-platform-verifier to unify the platform-specific dependencies +# but currently, hyper-proxy2 and tokio-tungstenite do not support it. +[target.'cfg(any(target_os = "windows", target_os = "macos", target_os = "linux"))'.dependencies] +hyper-proxy2 = { version = "0.1", default-features = false, features = ["rustls"] } +hyper-rustls = { version = "0.27.2", default-features = false, features = ["aws-lc-rs", "http1", "logging", "tls12", "native-tokio", "http2"] } +tokio-tungstenite = { version = "0.24", default-features = false, features = ["rustls-tls-native-roots"] } + +[target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "linux")))'.dependencies] +hyper-proxy2 = { version = "0.1", default-features = false, features = ["rustls-webpki"] } +hyper-rustls = { version = "0.27.2", default-features = false, features = ["aws-lc-rs", "http1", "logging", "tls12", "webpki-tokio", "http2"] } +tokio-tungstenite = { version = "0.24", default-features = false, features = ["rustls-tls-webpki-roots"] } + [build-dependencies] rand = "0.8" vergen-gitcl = { version = "1.0.0", default-features = false, features = ["build"] } diff --git a/core/src/http_client.rs b/core/src/http_client.rs index 8645d3a3..88d41c92 100644 --- a/core/src/http_client.rs +++ b/core/src/http_client.rs @@ -145,12 +145,16 @@ impl HttpClient { fn try_create_hyper_client(proxy_url: Option<&Url>) -> Result { // configuring TLS is expensive and should be done once per process - let https_connector = HttpsConnectorBuilder::new() - .with_native_roots()? - .https_or_http() - .enable_http1() - .enable_http2() - .build(); + + // On supported platforms, use native roots + #[cfg(any(target_os = "windows", target_os = "macos", target_os = "linux"))] + let tls = HttpsConnectorBuilder::new().with_native_roots()?; + + // Otherwise, use webpki roots + #[cfg(not(any(target_os = "windows", target_os = "macos", target_os = "linux")))] + let tls = HttpsConnectorBuilder::new().with_webpki_roots(); + + let https_connector = tls.https_or_http().enable_http1().enable_http2().build(); // When not using a proxy a dummy proxy is configured that will not intercept any traffic. // This prevents needing to carry the Client Connector generics through the whole project