Consolidate TLS options with rustls-platform-verifier

Open seanmonstar opened this issue 1 month ago • 2 comments

As part of moving to have rustls as default in reqwest (#2723), I plan to also change the default verifier, and consolidate the existing TLS options.

The goal is to provide the "best" default, and be less surprising if people want other options.

  • tls_certs_merge(certs) will try to add the certificates to be used with the verifier, and if that is not possible, the builder will return an error.
  • tls_certs_only(certs) will only use the provided certificates, and not use the native verifier, instead using the rustls::client::WebPkiServerVerifier.

We'll no longer provide a crate feature to smush in rustls_native_certs, nor webpki. For anyone still wanting that, they can call tls_certs_only(webpki_certs). It also removes the need to have tls_built_in_root_certs(bool) and the derivatives.

This does mean that the CRL support can only be used with tls_certs_only.

Danger Accept Invalid Hostnames?

I have one outstanding feature that I haven't yet determined how to support in this new rustls-platform-verifier world: accept_invalid_hostnames.

The similar accept_invalid_certs is quite simple: it mints assertion()s for everything.

But the current IgnoreHostname verifier wraps a root store, and otherwise verifies the certificates besides the hostnames. I'm not sure how best to support this with the platform-verifier. If it's not possible, it would mean enabling that feature couldn't easily support native certs.

Soft-deprecations for renames

While doing this, many of the options will be renamed to be more discoverable with autocomplete. Since this is entirely meant to improve the experience, the old names will continue to exist at least for another major release. They'll just be documented as deprecated, and possibly we can add a deprecated crate feature that will turn on deprecation warnings.

For example:

| Before          | After              |
|-----------------|--------------------|
| add_root_cert   | tls_merge_certs    |
| use_native_tls  | tls_backend_native |
| min_tls_version | tls_version_min    |

seanmonstar, Dec 12 '25 16:12

@djc @ctz @cpu do any of you have a recommendation for the one outstanding question of supporting danger_accept_invalid_hostnames() while using the rustls-platform-verifier?

seanmonstar, Dec 12 '25 16:12

In general we're suspicious of the use cases for accepting invalid hostnames while still verifying the certificate chain. Suggest that you make use of the platform verifier mutually exclusive with the acceptance of invalid hostnames. (Personally, the use of webpki-roots seems more valuable/sane than the acceptance of invalid hostnames.)

djc, Dec 14 '25 10:12
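
The option rules discussed in this thread, written out as a small stand-alone Rust model. This is an added example, not reqwest's code: the type names, `resolve()` and `platform_can_merge` are hypothetical, and rejecting accept_invalid_hostnames with the platform verifier follows djc's suggestion above rather than a settled decision.

```rust
// Hypothetical model of the option rules in this issue; not reqwest code.
#[derive(Debug, PartialEq)]
enum Roots {
    Platform,           // default: rustls-platform-verifier alone
    Merge(Vec<String>), // tls_certs_merge: platform verifier plus these certs
    Only(Vec<String>),  // tls_certs_only: WebPkiServerVerifier over these certs
}

#[derive(Debug, PartialEq)]
enum Verifier {
    Platform { extra: Vec<String> },
    WebPki { roots: Vec<String>, crls: bool, check_hostname: bool },
    AcceptAnything, // accept_invalid_certs: every check is asserted as passed
}

#[derive(Debug, PartialEq)]
enum ConfigError {
    MergeUnsupported,              // platform verifier could not take the extra certs
    CrlsNeedCertsOnly,             // CRL support is tied to tls_certs_only
    InvalidHostnamesNeedCertsOnly, // suggested: exclusive with the platform verifier
}

struct TlsOptions {
    roots: Roots,
    crls: bool,
    accept_invalid_certs: bool,
    accept_invalid_hostnames: bool,
    platform_can_merge: bool, // assumption: stands in for the platform's answer
}

fn resolve(o: TlsOptions) -> Result<Verifier, ConfigError> {
    if o.accept_invalid_certs { return Ok(Verifier::AcceptAnything); }
    match o.roots {
        Roots::Only(roots) => Ok(Verifier::WebPki {
            roots, crls: o.crls, check_hostname: !o.accept_invalid_hostnames,
        }),
        _ if o.crls => Err(ConfigError::CrlsNeedCertsOnly),
        _ if o.accept_invalid_hostnames => Err(ConfigError::InvalidHostnamesNeedCertsOnly),
        Roots::Merge(_) if !o.platform_can_merge => Err(ConfigError::MergeUnsupported),
        Roots::Merge(extra) => Ok(Verifier::Platform { extra }),
        Roots::Platform => Ok(Verifier::Platform { extra: Vec::new() }),
    }
}

fn main() {
    // Constructed input: merged certs plus CRLs, which the issue says is unsupported.
    let o = TlsOptions { roots: Roots::Merge(vec!["corp-ca.pem".into()]), crls: true,
        accept_invalid_certs: false, accept_invalid_hostnames: false, platform_can_merge: true };
    println!("{:?}", resolve(o));
}
```

Surfacing each unsupported combination as a builder error, rather than silently dropping an option, keeps a client from believing revocation or hostname checks are configured one way while the resolved verifier behaves another.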