refactor: move from native to webpki certs on all platforms

roderickvd · roderickvd · commit 056d125cb263 · 2025-08-13T19:05:52.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/core/Cargo.toml b/core/Cargo.toml
@@ -77,29 +77,8 @@ uuid = { version = "1", default-features = false, features = ["v4"] }
 data-encoding = "2.9"
 flate2 = "1.1"
 protobuf-json-mapping = "3.7"
-rustls = { version = "0.23", default-features = false, features = [
-    "ring",
-] }
-
-# Eventually, this should use rustls-platform-verifier to unify the platform-specific dependencies
-# but currently, hyper-proxy2 and tokio-tungstenite do not support it.
-[target.'cfg(any(target_os = "windows", target_os = "macos", target_os = "linux"))'.dependencies]
-hyper-proxy2 = { version = "0.1", default-features = false, features = [
-    "rustls",
-] }
-hyper-rustls = { version = "0.27", default-features = false, features = [
-    "ring",
-    "http1",
-    "logging",
-    "tls12",
-    "native-tokio",
-    "http2",
-] }
-tokio-tungstenite = { version = "0.27", default-features = false, features = [
-    "rustls-tls-native-roots",
-] }
+rustls = { version = "0.23", default-features = false, features = ["ring"] }
 
-[target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "linux")))'.dependencies]
 hyper-proxy2 = { version = "0.1", default-features = false, features = [
     "rustls-webpki",
 ] }
diff --git a/core/src/http_client.rs b/core/src/http_client.rs
@@ -151,14 +151,7 @@ impl HttpClient {
                 Error::internal(format!("unable to install default crypto provider: {e:?}"))
             });
 
-        // On supported platforms, use native roots
-        #[cfg(any(target_os = "windows", target_os = "macos", target_os = "linux"))]
-        let tls = HttpsConnectorBuilder::new().with_native_roots()?;
-
-        // Otherwise, use webpki roots
-        #[cfg(not(any(target_os = "windows", target_os = "macos", target_os = "linux")))]
         let tls = HttpsConnectorBuilder::new().with_webpki_roots();
-
         let https_connector = tls.https_or_http().enable_http1().enable_http2().build();
 
         // When not using a proxy a dummy proxy is configured that will not intercept any traffic.
diff --git a/oauth/Cargo.toml b/oauth/Cargo.toml
@@ -11,7 +11,12 @@ edition = "2021"
 [dependencies]
 log = "0.4"
 oauth2 = { version = "5.0", features = ["reqwest", "reqwest-blocking"] }
-reqwest = { version = "0.12", features = ["blocking"] }
+reqwest = { version = "0.12", default-features = false, features = [
+    "blocking",
+    "http2",
+    "rustls-tls",
+    "system-proxy",
+] }
 open = "5.3"
 thiserror = "2"
 url = "2.5"
