native-tls - replace or add?

[tessus]

Does the feature native-tls replace the webpki-roots trust store, or does it add all "local" CAs to the ones from webpki?

I think the best solution would be that this option does both: use a pre-configured root store, and read the OS's certificates. (mostly for self-signed certs)

Is this possible?

[algesten]

It would replace the webpki-roots.

Specifically, this crate uses SChannel on Windows (via the schannel crate), Secure Transport on macOS (via the security-framework crate), and OpenSSL (via the openssl crate) on all other platforms.

So it would use whatever method schannel, secutity-framework or openssl respectively do to get their root certs.

[tessus]

Thanks for the answer.

[jsha]

Yeah, native-tls will always use the system root store by default (though you can configure custom roots with it if you want).

It sounds like what you want may be to use rustls, and for building the root store use both rustls-native-certs (which tries to read the system root store, with some caveats) and webpki-roots (which bundles a set of roots at build time). You can load both sets of roots into a single trust store.

There are some tradeoffs to each approach, which are probably too long to get into here, but if what you want is to make sure that you trust a basic set of roots no matter what system you are deployed on, and also trust any locally trusted roots, that would accomplish what you want.

[tessus]

Also thanks for your answer.

There are some tradeoffs to each approach, which are probably too long to get into here, but if what you want is to make sure that you trust a basic set of roots no matter what system you are deployed on, and also trust any locally trusted roots, that would accomplish what you want.

To be honest, this should be the default without having to code anything yourself. Here is my reasoning:

Most OSes keep an updated root store, which makes it better to use the OS trust store than the one bundled during compile time.
However, it doesn't hurt to add a proper default at compile time. There might be systems out there that do not come with a TLS stack or they do not have it installed by default. Some systems split stack and root certs in 2 packages without a dependency.
To put it bluntly, it would be a reasonbly "safe" default.

Not using native-tls means that I cannot use self-signed certs unless I dabble in the code. Which to be honest should not be necessary. While I am against self-signed certs for publicly facing services, they are perfectly valid for home/company networks. Telling people that a self-signed cert is not safe or trustworthy (especially if everything is setup properly) is one of the lies IT came up with so that others can make a lot of money (which now is at least somewhat mitigated by LetsEncrypt). If you are bored you can read my rant on The NET::ERR CERT VALIDITY TOO LONG idiocracy ;-).