Shared TLS trust configuration for the HTTP clients.
By default reqwest’s rustls backend trusts only the bundled webpki root
set, which ignores any CA the host operating system trusts. Behind a
TLS-intercepting proxy (common in corporate networks) the proxy presents a
certificate signed by an org root CA that lives in the OS trust store but
not in webpki, so the handshake fails with UnknownIssuer.
TlsConfig::apply fixes this by assembling the trust anchors explicitly:
- the OS / system trust store (via rustls-native-certs), so org root CAs — including proxy-injected ones — are trusted;
- the bundled webpki roots, but only as a fallback when the OS store yields nothing usable;
- any certs in SSL_CERT_FILE, if it is set and readable;
- any explicit --ca-cert PEM bundles.
--insecure (danger_accept_invalid_certs) is a strictly opt-in last
resort: it disables verification entirely and prints a loud warning.
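
The assembly order above, modelled as a std-only sketch. This is an added example, not this crate's code: `Source`, `pem_cert_bodies` and `assemble` are hypothetical names, certificates are handled as opaque PEM blocks, duplicate removal is an assumption of the sketch, and --insecure is not modelled.

```rust
// Added sketch (std only): certificates are opaque PEM blocks; nothing here
// parses X.509 or calls reqwest/rustls. All names are hypothetical.
use std::collections::HashSet;
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Source { OsStore, WebpkiFallback, SslCertFile, CaCertFlag }

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Base64 bodies of the CERTIFICATE blocks in a PEM bundle. Other PEM types
/// (keys), empty blocks and unterminated blocks are skipped as unusable.
pub fn pem_cert_bodies(bundle: &str) -> Vec<String> {
    let (mut out, mut cur) = (Vec::new(), None::<String>);
    for line in bundle.lines().map(str::trim) {
        if line == BEGIN {
            cur = Some(String::new());
        } else if line == END {
            out.extend(cur.take().filter(|body| !body.is_empty()));
        } else if let Some(body) = cur.as_mut() {
            body.push_str(line);
        }
    }
    out
}

/// Trust anchors in the documented order. `ssl_cert_file` is None when the
/// variable is unset or unreadable. Duplicate removal is this sketch's choice.
pub fn assemble(os: &str, webpki: &str, ssl_cert_file: Option<&str>,
                ca_cert: &[&str]) -> Vec<(Source, String)> {
    let tag = |src: Source, pem: &str| -> Vec<(Source, String)> {
        pem_cert_bodies(pem).into_iter().map(|c| (src, c)).collect()
    };
    let mut plan = tag(Source::OsStore, os);
    if plan.is_empty() { plan = tag(Source::WebpkiFallback, webpki); } // fallback only
    plan.extend(ssl_cert_file.map(|pem| tag(Source::SslCertFile, pem)).unwrap_or_default());
    for &pem in ca_cert { plan.extend(tag(Source::CaCertFlag, pem)); }
    let mut seen = HashSet::new();
    plan.retain(|(_, cert)| seen.insert(cert.clone()));
    plan
}

fn main() {
    // Constructed sample: placeholder base64 bodies, not real certificates.
    let os = format!("{BEGIN}\nT1JHUk9PVA==\n{END}\n");
    let webpki = format!("{BEGIN}\nV0VCUEtJ\n{END}\n");
    for (src, cert) in assemble(&os, &webpki, None, &[]) {
        println!("{src:?}: {cert}");
    }
}
```

With a non-empty OS store the webpki roots never enter the plan, so the public root set is trusted only on hosts whose system store yields nothing usable.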
Structs
- TlsConfig: How an HTTP client should establish TLS trust.