Consolidate TLS options with rustls-platform-verifier #2885

@seanmonstar

As part of moving to have rustls as default in reqwest (#2723), I plan to also change the default verifier, and consolidate the existing TLS options.

The goal is to provide the "best" default, and be less surprising if people want other options.

  • tls_certs_merge(certs) will try to add the certificates to be used with the verifier, and if that is not possible, the builder will return an error.
  • tls_certs_only(certs) will only use the provided certificates, and not use the native verifier, instead using the rustls::client::WebPkiServerVerifier.

We'll no longer provide a crate feature to smush in rustls_native_certs, nor webpki. For anyone still wanting that, they can call tls_certs_only(webpki_certs). It also removes the need to have tls_built_in_root_certs(bool) and the derivatives.

This does mean that the CRL support can only be used with tls_certs_only.

Danger Accept Invalid Hostnames?

I have one outstanding feature that I haven't yet determined how to support in this new rustls-platform-verifier world: accept_invalid_hostnames.

The similar accept_invalid_certs is quite simple: it mints assertion()s for everything.

But the current IgnoreHostname verifier wraps a root store, and otherwise verifies the certificates besides the hostnames. I'm not sure how best to support this with the platform-verifier. If it's not possible, it would mean enabling that feature couldn't easily support native certs.

Soft-deprecations for renames

While doing this, many of the options will be renamed to be more discoverable with autocomplete. Since this is entirely meant to improve the experience, the old names will continue to exist at least for another major release. They'll just be documented as deprecated, and possibly we can add a deprecated crate feature that will turn on deprecation warnings.

For example:

| Before | After |
| --- | --- |
| add_root_cert | tls_merge_certs |
| use_native_tls | tls_backend_native |
| min_tls_version | tls_version_min |

Labels: A-tls (Area: Transport Layer Security), B-breaking-change (Blocked: breaking change), C-feature (Category: feature. This is requesting a new feature.)