fix: rustls-tls features to support certificate stores (#1542)

Add separate features for native system roots and Mozilla webpki roots. Update documentation and build configs to reflect new options.
2025-10-03 01:39:28 +02:00 · 2025-08-20 11:31:13 +02:00 · 2025-08-20 11:31:13 +02:00 · 78ce118d32
commit 78ce118d32
parent 0a4969ffe2
15 changed files with 126 additions and 79 deletions
--- a/core/Cargo.toml
+++ b/core/Cargo.toml
@ -21,12 +21,23 @@ native-tls = [
    "librespot-oauth/native-tls",
    "tokio-tungstenite/native-tls",
 ]
-rustls-tls = [
-    "dep:hyper-rustls",
+rustls-tls-native-roots = [
+    "__rustls",
    "hyper-proxy2/rustls",
-    "librespot-oauth/rustls-tls",
-    "tokio-tungstenite/__rustls-tls",
+    "hyper-rustls/native-tokio",
+    "librespot-oauth/rustls-tls-native-roots",
+    "tokio-tungstenite/rustls-tls-native-roots",
 ]
+rustls-tls-webpki-roots = [
+    "__rustls",
+    "hyper-proxy2/rustls-webpki",
+    "hyper-rustls/webpki-tokio",
+    "librespot-oauth/rustls-tls-webpki-roots",
+    "tokio-tungstenite/rustls-tls-webpki-roots",
+]
+
+# Internal features - these are not meant to be used by end users
+__rustls = []

 [dependencies]
 librespot-oauth.workspace = true
@ -60,8 +71,6 @@ hyper-rustls = { version = "0.27", default-features = false, features = [
    "http1",
    "http2",
    "ring",
-    "rustls-platform-verifier",
-    "tls12",
 ], optional = true }
 hyper-tls = { version = "0.6", optional = true }
 hyper-util = { version = "0.1", default-features = false, features = [
--- a/core/src/http_client.rs
+++ b/core/src/http_client.rs
@ -22,9 +22,9 @@ use parking_lot::Mutex;
 use thiserror::Error;
 use url::Url;

-#[cfg(all(feature = "rustls-tls", not(feature = "native-tls")))]
+#[cfg(all(feature = "__rustls", not(feature = "native-tls")))]
 use hyper_rustls::{HttpsConnector, HttpsConnectorBuilder};
-#[cfg(all(feature = "native-tls", not(feature = "rustls-tls")))]
+#[cfg(all(feature = "native-tls", not(feature = "__rustls")))]
 use hyper_tls::HttpsConnector;

 use crate::{
@ -150,13 +150,16 @@ impl HttpClient {
    fn try_create_hyper_client(proxy_url: Option<&Url>) -> Result<HyperClient, Error> {
        // configuring TLS is expensive and should be done once per process

-        #[cfg(all(feature = "rustls-tls", not(feature = "native-tls")))]
+        #[cfg(all(feature = "__rustls", not(feature = "native-tls")))]
        let https_connector = {
-            let tls = HttpsConnectorBuilder::new().with_platform_verifier();
+            #[cfg(feature = "rustls-tls-native-roots")]
+            let tls = HttpsConnectorBuilder::new().with_native_roots()?;
+            #[cfg(feature = "rustls-tls-webpki-roots")]
+            let tls = HttpsConnectorBuilder::new().with_webpki_roots();
            tls.https_or_http().enable_http1().enable_http2().build()
        };

-        #[cfg(all(feature = "native-tls", not(feature = "rustls-tls")))]
+        #[cfg(all(feature = "native-tls", not(feature = "__rustls")))]
        let https_connector = HttpsConnector::new();

        // When not using a proxy a dummy proxy is configured that will not intercept any traffic.