Add rustls-tls-manual-roots feature to allow callers to specify roots

Now, callers have more control over the set of roots. Note that, due to cargo unification, other dependencies in the dependency tree might enable rustls-tls-webpki-roots or rustls-tls. This will affect connections initiated by code that explicitly enabled rustls-tls-manual-roots. So for now, the choice is done once per entire cargo dependency graph. If people want more precise control over things, they can add methods that allow controlling this on a per-connection level. Even if such methods are available, the *-manual-roots feature will still be helpful with eliminating the webpki-roots dependency for those cargo graphs where there is no unification.
2020-10-16 19:24:41 +02:00
parent 4fe07d81cf
commit 3ea9f92f24
9 changed files with 71 additions and 56 deletions
--- a/src/async_impl/client.rs
+++ b/src/async_impl/client.rs
@@ -1,6 +1,6 @@
 #[cfg(any(
    feature = "native-tls",
-    feature = "rustls-tls",
+    feature = "__rustls",
 ))]
 use std::any::Any;
 use std::convert::TryInto;
@@ -236,7 +236,7 @@ impl ClientBuilder {
                        config.local_address,
                        config.nodelay)
                },
-                #[cfg(feature = "rustls-tls")]
+                #[cfg(feature = "__rustls")]
                TlsBackend::BuiltRustls(conn) => {
                    Connector::new_rustls_tls(
                        http,
@@ -246,7 +246,7 @@ impl ClientBuilder {
                        config.local_address,
                        config.nodelay)
                },
-                #[cfg(feature = "rustls-tls")]
+                #[cfg(feature = "__rustls")]
                TlsBackend::Rustls => {
                    use crate::tls::NoVerifier;

@@ -256,6 +256,7 @@ impl ClientBuilder {
                    } else {
                        tls.set_protocols(&["h2".into(), "http/1.1".into()]);
                    }
+                    #[cfg(feature = "rustls-tls-webpki-roots")]
                    tls.root_store
                        .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);

@@ -283,7 +284,7 @@ impl ClientBuilder {
                },
                #[cfg(any(
                    feature = "native-tls",
-                    feature = "rustls-tls",
+                    feature = "__rustls",
                ))]
                TlsBackend::UnknownPreconfigured => {
                    return Err(crate::error::builder(
@@ -738,7 +739,7 @@ impl ClientBuilder {
    ///
    /// # Optional
    ///
-    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls`
+    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls(-...)`
    /// feature to be enabled.
    #[cfg(feature = "__tls")]
    pub fn add_root_certificate(mut self, cert: Certificate) -> ClientBuilder {
@@ -750,7 +751,7 @@ impl ClientBuilder {
    ///
    /// # Optional
    ///
-    /// This requires the optional `native-tls` or `rustls-tls` feature to be
+    /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be
    /// enabled.
    #[cfg(feature = "__tls")]
    pub fn identity(mut self, identity: Identity) -> ClientBuilder {
@@ -795,7 +796,7 @@ impl ClientBuilder {
    ///
    /// # Optional
    ///
-    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls`
+    /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls(-...)`
    /// feature to be enabled.
    #[cfg(feature = "__tls")]
    pub fn danger_accept_invalid_certs(mut self, accept_invalid_certs: bool) -> ClientBuilder {
@@ -824,8 +825,8 @@ impl ClientBuilder {
    ///
    /// # Optional
    ///
-    /// This requires the optional `rustls-tls` feature to be enabled.
-    #[cfg(feature = "rustls-tls")]
+    /// This requires the optional `rustls-tls(-...)` feature to be enabled.
+    #[cfg(feature = "__rustls")]
    pub fn use_rustls_tls(mut self) -> ClientBuilder {
        self.config.tls = TlsBackend::Rustls;
        self
@@ -848,10 +849,10 @@ impl ClientBuilder {
    /// # Optional
    ///
    /// This requires one of the optional features `native-tls` or
-    /// `rustls-tls` to be enabled.
+    /// `rustls-tls(-...)` to be enabled.
    #[cfg(any(
        feature = "native-tls",
-        feature = "rustls-tls",
+        feature = "__rustls",
    ))]
    pub fn use_preconfigured_tls(mut self, tls: impl Any) -> ClientBuilder {
        let mut tls = Some(tls);
@@ -864,7 +865,7 @@ impl ClientBuilder {
                return self;
            }
        }
-        #[cfg(feature = "rustls-tls")]
+        #[cfg(feature = "__rustls")]
        {
            if let Some(conn) = (&mut tls as &mut dyn Any).downcast_mut::<Option<rustls::ClientConfig>>() {

@@ -1212,7 +1213,7 @@ impl Config {
            }
        }

-        #[cfg(all(feature = "native-tls-crate", feature = "rustls-tls"))]
+        #[cfg(all(feature = "native-tls-crate", feature = "__rustls"))]
        {
            f.field("tls_backend", &self.tls);
        }