sdroege/async-tungstenite

Avoid webpki-roots as a default dependency when tokio-rustls is used

briansmith opened this issue · 5 comments

I suggest that when the user enables tokio-rustls, no default ClientConfig for Rustls be used, and in particular that webpki-roots not be used. webpki-roots is rarely the right choice on most platforms, and also there are users (the private projects I work on) that want to ensure that webpki-roots isn't used; ideally it wouldn't appear in our Cargo.lock files at all.

Concretely, I suggest the following change, which isn't backward-compatible: Either remove the tokio::connect_async implementation used when the tokio-rustls feature is enabled, or only expose it when a tokio-rustls-webpki-roots feature is enabled. In the latter case, the webpki-roots dependency should be conditioned on the tokio-rustls-webpki-roots flag.

What would be an alternative to webpki-roots, and why do you want to avoid using it in your projects?

The main reason for adding in all these TLS implementations is exactly the connect_async function and its various variants. Without it there's not much added by the tokio-rustls feature, and you can get basically the same behaviour if you don't enable the feature, do the TLS connection yourself and then only pass the AsyncRead+AsyncWrite to async-tungstenite.

webpki-roots is undesirable most of the time because it does not use the system certificates (although some users may want this behaviour to have the certificates vendored). See https://github.com/rustls/rustls-native-certs#should-i-use-this-or-webpki-roots. I suggest making two features: one that uses webpki-roots and one that uses rustls-native-certs.

That makes sense to me, yes. If someone wants to make a PR, please go ahead :)

I can make a PR to implement a tokio-rustls-webpki-roots and a tokio-rustls-native-certs feature. (I already had to do the TLS connection myself to not use webpki-roots on https://github.com/harmony-development/hrpc-rs/blob/master/hrpc/src/client.rs#L148.)

Thanks!
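
A CI gate for the requirement in the opening post that webpki-roots not appear in Cargo.lock, as an added example that is not part of the thread or of the project's code. The function names and the sample lockfile are constructed, and the parser assumes Cargo's generated lockfile layout (`[[package]]` tables with `name`, `version` and a multi-line `dependencies` array).

```shell
# check_banned_crate LOCKFILE CRATE  (hypothetical helper, not from the project)
# Prints "locked <crate> <ver>" per locked copy and "dependent <pkg> <ver>" per
# package that pulls it in. Exit status: 0 if CRATE is absent, 1 if present.
check_banned_crate() {
    awk -v banned="$2" '
        function unquote(s) { gsub(/^[ \t]*"|",?[ \t]*$/, "", s); return s }
        /^\[\[package\]\]/   { name = ""; ver = ""; in_deps = 0; next }
        /^name = /           { name = unquote(substr($0, 8)); next }
        /^version = /        { ver = unquote(substr($0, 11))
            if (name == banned) { print "locked " name " " ver; found = 1 }
            next }
        /^dependencies = \[/ { in_deps = 1; next }
        in_deps && /^\]/     { in_deps = 0; next }
        in_deps {
            # Entries are "name" or "name version ..."; compare the name only.
            split(unquote($0), parts, " ")
            if (parts[1] == banned) { print "dependent " name " " ver; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample lockfile: crate names from the thread, placeholder versions.
write_sample_lock() {
    cat > "$1" <<'EOF'
version = 3

[[package]]
name = "async-tungstenite"
version = "0.0.0"
dependencies = [
 "tokio-rustls",
 "webpki-roots 0.0.0",
]

[[package]]
name = "tokio-rustls"
version = "0.0.0"

[[package]]
name = "webpki-roots"
version = "0.0.0"
EOF
}

sample=$(mktemp)
write_sample_lock "$sample"
check_banned_crate "$sample" webpki-roots || echo "webpki-roots is locked; reject the build"
rm -f "$sample"
```

The "dependent" lines show which package brings the crate in, which is the feature that needs to be disabled or gated.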