
Commit 01a868f

Configure TLS trust roots for rustls clients
1 parent 23bbf3c commit 01a868f

13 files changed

Lines changed: 1797 additions & 2374 deletions


CLAUDE.md

Lines changed: 7 additions & 0 deletions
@@ -350,6 +350,13 @@ let error_with_meta = ApiRateLimited { limit: 100, reset_at: 1234567890 }.build(
350350

351351
- Never build a new reqwest client from scratch. Use `rivet_pools::reqwest::client().await?` to access an existing reqwest client instance.
352352

353+
## TLS Trust Roots
354+
355+
- For rustls-based outbound TLS clients (`tokio-tungstenite`, `reqwest`), always enable BOTH `rustls-tls-native-roots` and `rustls-tls-webpki-roots` together so the crates build a union root store — operator-installed corporate CAs work via native, and empty native stores (Distroless / Cloud Run / Alpine without `ca-certificates`) fall through to the bundled Mozilla list.
356+
- Pinned in workspace `Cargo.toml` (`tokio-tungstenite`) and in `rivetkit-rust/packages/client/Cargo.toml` (`reqwest` + `tokio-tungstenite`). Never enable only one: native-only breaks on Distroless, webpki-only silently breaks corporate CAs.
357+
- Engine-internal HTTPS clients on `hyper-tls` / `native-tls` (workspace `reqwest`, ClickHouse pool, guard HTTP proxy) intentionally stay on OpenSSL — they run in operator-controlled containers and already honor the system trust store.
358+
- Bump `webpki-roots` periodically so the bundled Mozilla CA list does not go stale.
359+
353360
## Documentation
354361

355362
- When talking about "Rivet Actors" make sure to capitalize "Rivet Actor" as a proper noun and lowercase "actor" as a generic noun
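Review bot: The first TLS Trust Roots bullet states the "union root store" fall-through as a property of the crates, but the hunk does not say which `reqwest` and `tokio-tungstenite` versions this was verified against, and the fall-through only helps if the native-roots path returns an empty set rather than an error when the system store is missing or partly unreadable; suggest recording the verified versions next to the bullet so a future bump can be re-checked. Two smaller points: a union store means every operator-installed CA is trusted for every host, the same as the native-only case, so the "corporate CAs work" wording could say that explicitly, and the "Bump `webpki-roots` periodically" bullet would be actionable if it named where the crate is pinned and a cadence or the update mechanism used.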

Cargo.lock

Lines changed: 42 additions & 27 deletions

Cargo.toml

Lines changed: 1 addition & 2 deletions
@@ -134,7 +134,6 @@ members = [
134134
testcontainers = "0.24"
135135
thiserror = "1.0.64"
136136
tokio-cron-scheduler = "0.13.0"
137-
tokio-native-tls = "0.3.1"
138137
tokio-stream = "0.1.15"
139138
tokio-util = "0.7"
140139
tower = "0.5"
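Review bot: Removing `tokio-native-tls` from `[workspace.dependencies]` (line 137) will break any member crate that still declares `tokio-native-tls.workspace = true`; only the pools crate is updated in the visible hunks, and the commit touches 13 files with several not rendered, so it is worth confirming that no other member (or a `use tokio_native_tls::` in source) still depends on it before merging.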
@@ -147,7 +146,7 @@ members = [
147146

148147
[workspace.dependencies.tokio-tungstenite]
149148
version = "0.26.0"
150-
features = [ "rustls-tls-native-roots" ]
149+
features = [ "rustls-tls-native-roots", "rustls-tls-webpki-roots" ]
151150

152151
[workspace.dependencies.vergen]
153152
version = "9.0.4"
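Review bot: Cargo feature unification means the `"rustls-tls-native-roots", "rustls-tls-webpki-roots"` pair at line 149 applies to every workspace member that uses `tokio-tungstenite`, so no crate can opt into a stricter store, and a later "cleanup" that drops one feature would silently change trust behaviour; suggest a one-line comment above `features` pointing at the TLS Trust Roots section in CLAUDE.md so the pairing is not undone by accident.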

engine/packages/pools/Cargo.toml

Lines changed: 0 additions & 1 deletion
@@ -21,7 +21,6 @@ rivet-util.workspace = true
2121
serde.workspace = true
2222
tempfile.workspace = true
2323
thiserror.workspace = true
24-
tokio-native-tls.workspace = true
2524
tokio-util.workspace = true
2625
tokio.workspace = true
2726
tracing-logfmt.workspace = true
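Review bot: Dropping `tokio-native-tls` at line 24 is consistent with the CLAUDE.md note that the ClickHouse pool stays on `hyper-tls` / `native-tls`, but the hunk does not show whether `tokio_native_tls` was referenced in `engine/packages/pools` source; if it was, the corresponding source change belongs in this commit, and if it was an unused dependency, the commit message could say so.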

examples/sandbox/package.json

Lines changed: 1 addition & 0 deletions

examples/sandbox/vite.config.ts

Lines changed: 1 addition & 0 deletions
