feat: use webpki as rustls roots on non-desktop platforms

Silently switch over to using `rustls-webpki` when building for target_os that is not Windows/Linux/Mac because `rustls-native-certs` doesn't support them. Ideally we should use `rustls-platform-verifier` as it's now the recommended crate even on `rustls-native-certs` repository, since it chooses the right implementation for the platform. But currently it doesn't seem like `hyper-proxy2` or `tokio-tungstenite` doesn't support them yet.
librespot-org · Nov 25, 2024 · 9d1050c · 9d1050c
1 parent 82076e8
commit 9d1050c
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 10 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/core/Cargo.toml b/core/Cargo.toml
@@ -32,8 +32,6 @@ http = "1.0"
 hyper = { version = "1.3", features = ["http1", "http2"] }
 hyper-util = { version = "0.1", features = ["client"] }
 http-body-util = "0.1.1"
-hyper-proxy2 = { version = "0.1", default-features = false, features = ["rustls"] }
-hyper-rustls = { version = "0.27.2", features = ["http2"] }
 log = "0.4"
 nonzero_ext = "0.3"
 num-bigint = { version = "0.4", features = ["rand"] }
@@ -58,12 +56,23 @@ thiserror = "1.0"
 time = { version = "0.3", features = ["formatting", "parsing"] }
 tokio = { version = "1", features = ["io-util", "macros", "net", "parking_lot", "rt", "sync", "time"] }
 tokio-stream = "0.1"
-tokio-tungstenite = { version = "0.24", default-features = false, features = ["rustls-tls-native-roots"] }
 tokio-util = { version = "0.7", features = ["codec"] }
 url = "2"
 uuid = { version = "1", default-features = false, features = ["fast-rng", "v4"] }
 data-encoding = "2.5"
 
+# Eventually, this should use rustls-platform-verifier to unify the platform-specific dependencies
+# but currently, hyper-proxy2 and tokio-tungstenite do not support it.
+[target.'cfg(any(target_os = "windows", target_os = "macos", target_os = "linux"))'.dependencies]
+hyper-proxy2 = { version = "0.1", default-features = false, features = ["rustls"] }
+hyper-rustls = { version = "0.27.2", default-features = false, features = ["aws-lc-rs", "http1", "logging", "tls12", "native-tokio", "http2"] }
+tokio-tungstenite = { version = "0.24", default-features = false, features = ["rustls-tls-native-roots"] }
+
+[target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "linux")))'.dependencies]
+hyper-proxy2 = { version = "0.1", default-features = false, features = ["rustls-webpki"] }
+hyper-rustls = { version = "0.27.2", default-features = false, features = ["aws-lc-rs", "http1", "logging", "tls12", "webpki-tokio", "http2"] }
+tokio-tungstenite = { version = "0.24", default-features = false, features = ["rustls-tls-webpki-roots"] }
+
 [build-dependencies]
 rand = "0.8"
 vergen-gitcl = { version = "1.0.0", default-features = false, features = ["build"] }

diff --git a/core/src/http_client.rs b/core/src/http_client.rs
@@ -145,12 +145,16 @@ impl HttpClient {
 
     fn try_create_hyper_client(proxy_url: Option<&Url>) -> Result<HyperClient, Error> {
         // configuring TLS is expensive and should be done once per process
-        let https_connector = HttpsConnectorBuilder::new()
-            .with_native_roots()?
-            .https_or_http()
-            .enable_http1()
-            .enable_http2()
-            .build();
+
+        // On supported platforms, use native roots
+        #[cfg(any(target_os = "windows", target_os = "macos", target_os = "linux"))]
+        let tls = HttpsConnectorBuilder::new().with_native_roots()?;
+
+        // Otherwise, use webpki roots
+        #[cfg(not(any(target_os = "windows", target_os = "macos", target_os = "linux")))]
+        let tls = HttpsConnectorBuilder::new().with_webpki_roots();
+
+        let https_connector = tls.https_or_http().enable_http1().enable_http2().build();
 
         // When not using a proxy a dummy proxy is configured that will not intercept any traffic.
         // This prevents needing to carry the Client Connector generics through the whole project