tustvold commented on PR #5030: URL: https://github.com/apache/arrow-rs/pull/5030#issuecomment-1792181851
So to check my understanding is correct, currently we enable `rustls-tls` which is equivalent to `rustls-tls-webpki-roots` which uses `webpki-roots`. If you then add `rustls-tls-native-roots` it will **also** include any system CA present, see [here](https://github.com/seanmonstar/reqwest/blob/50dbaf391087cfa951accc765126b4f5d017d8a3/src/async_impl/client.rs#L481). This PR is therefore only adding the ability to use feature flags to **only** use system roots. This feels like a less common requirement, but is definitely something we should permit.

I wonder if as part of #5034 we could expose methods like [use_preconfigured_tls](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.use_preconfigured_tls). This would give downstreams full control of how they want to configure TLS should they so wish. Would this be sufficient?

> If you wanna have a default, IMHO this should be "system" rather than "webpki"

I don't disagree, this was an oversight on my part I enabled `rustls-tls` not realising it would override the system CA store, but I would really rather avoid a breaking change if we can avoid it.
