
Commit ae335c1

Configure TLS trust roots for rustls clients
1 parent 604dc75 commit ae335c1

13 files changed

Lines changed: 1797 additions & 2311 deletions

File tree

CLAUDE.md

Lines changed: 7 additions & 0 deletions
@@ -361,6 +361,13 @@ let error_with_meta = ApiRateLimited { limit: 100, reset_at: 1234567890 }.build(
361361

362362
- Never build a new reqwest client from scratch. Use `rivet_pools::reqwest::client().await?` to access an existing reqwest client instance.
363363

364+
## TLS Trust Roots
365+
366+
- For rustls-based outbound TLS clients (`tokio-tungstenite`, `reqwest`), always enable BOTH `rustls-tls-native-roots` and `rustls-tls-webpki-roots` together so the crates build a union root store — operator-installed corporate CAs work via native, and empty native stores (Distroless / Cloud Run / Alpine without `ca-certificates`) fall through to the bundled Mozilla list.
367+
- Pinned in workspace `Cargo.toml` (`tokio-tungstenite`) and in `rivetkit-rust/packages/client/Cargo.toml` (`reqwest` + `tokio-tungstenite`). Never enable only one: native-only breaks on Distroless, webpki-only silently breaks corporate CAs.
368+
- Engine-internal HTTPS clients on `hyper-tls` / `native-tls` (workspace `reqwest`, ClickHouse pool, guard HTTP proxy) intentionally stay on OpenSSL — they run in operator-controlled containers and already honor the system trust store.
369+
- Bump `webpki-roots` periodically so the bundled Mozilla CA list does not go stale.
370+
364371
## Documentation
365372

366373
- When talking about "Rivet Actors" make sure to capitalize "Rivet Actor" as a proper noun and lowercase "actor" as a generic noun
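Review bot: the bullet beginning `Pinned in workspace \`Cargo.toml\`` also asserts that `rivetkit-rust/packages/client/Cargo.toml` carries both features for `reqwest` and `tokio-tungstenite`, but that file is not among the diffs rendered on this page, so the claim cannot be verified here; please confirm it is part of this commit or reword the bullet to describe only what is actually pinned. Separately, the last bullet asks to bump `webpki-roots` periodically without naming a mechanism: the crate only arrives transitively through the `rustls-tls-webpki-roots` feature and never appears in a `Cargo.toml`, so consider pointing at `cargo update -p webpki-roots` or a Dependabot/Renovate rule so the advice is actionable.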

Cargo.lock

Lines changed: 42 additions & 27 deletions

Cargo.toml

Lines changed: 1 addition & 2 deletions
@@ -135,7 +135,6 @@ members = [
135135
testcontainers = "0.24"
136136
thiserror = "1.0.64"
137137
tokio-cron-scheduler = "0.13.0"
138-
tokio-native-tls = "0.3.1"
139138
tokio-stream = "0.1.15"
140139
tokio-util = "0.7"
141140
tower = "0.5"
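Review bot: dropping `tokio-native-tls` from `[workspace.dependencies]` is only safe if no member still declares `tokio-native-tls.workspace = true`; the pools crate removal is in this commit, but the other members are not visible here, and cargo rejects an undefined workspace dependency, so a full `cargo check --workspace` should be part of the verification rather than building only the touched crates. Since the CLAUDE.md hunk states that engine-internal clients intentionally stay on `hyper-tls` / `native-tls`, a sentence in the commit message explaining that only the unused tokio wrapper is going, not the OpenSSL-backed path, would prevent the removal from being misread later.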
@@ -148,7 +147,7 @@ members = [
148147

149148
[workspace.dependencies.tokio-tungstenite]
150149
version = "0.26.0"
151-
features = [ "rustls-tls-native-roots" ]
150+
features = [ "rustls-tls-native-roots", "rustls-tls-webpki-roots" ]
152151

153152
[workspace.dependencies.vergen]
154153
version = "9.0.4"
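Review bot: enabling `rustls-tls-webpki-roots` alongside `rustls-tls-native-roots` makes the bundled Mozilla list an unpinned transitive dependency whose version is fixed only by `Cargo.lock`, and the lockfile diff (42 additions, 27 deletions) is not rendered on this page, so please record the resolved `webpki-roots` version in the commit description. Consider also adding a comment above `features = [ "rustls-tls-native-roots", "rustls-tls-webpki-roots" ]` that points at the TLS Trust Roots section of CLAUDE.md, since the union-store rationale lives there and someone trimming features in this file will not otherwise see why both are required.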

engine/packages/pools/Cargo.toml

Lines changed: 0 additions & 1 deletion
@@ -21,7 +21,6 @@ rivet-util.workspace = true
2121
serde.workspace = true
2222
tempfile.workspace = true
2323
thiserror.workspace = true
24-
tokio-native-tls.workspace = true
2524
tokio-util.workspace = true
2625
tokio.workspace = true
2726
tracing-logfmt.workspace = true
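Review bot: this removes the only TLS-related dependency visible in the pools manifest, while the CLAUDE.md hunk in the same commit states that the ClickHouse pool intentionally stays on `native-tls` / OpenSSL; please confirm in the commit that the pool's TLS still comes from a remaining dependency's own feature, so that the removal is of an unused wrapper rather than of the TLS path, since that distinction is not inferable from the manifest alone.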

examples/sandbox/package.json

Lines changed: 1 addition & 0 deletions

examples/sandbox/vite.config.ts

Lines changed: 1 addition & 0 deletions

pnpm-lock.yaml

Lines changed: 5 additions & 0 deletions
