Properly use rustls-platform-verifier with reqwest

Cargo.lock

@@ -889,12 +889,6 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
-[[package]]
-name = "cfg_aliases"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
-
 [[package]]
 name = "chacha20"
 version = "0.9.1"
@@ -2042,10 +2036,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
 dependencies = [
  "cfg-if",
- "js-sys",
  "libc",
  "wasi 0.11.0+wasi-snapshot-preview1",
- "wasm-bindgen",
 ]
 
 [[package]]
@@ -2055,11 +2047,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "73fea8450eea4bac3940448fb7ae50d91f034f941199fcd9d909a5a07aa455f0"
 dependencies = [
  "cfg-if",
- "js-sys",
  "libc",
  "r-efi",
  "wasi 0.14.2+wasi-0.2.4",
- "wasm-bindgen",
 ]
 
 [[package]]
@@ -2388,7 +2378,7 @@ dependencies = [
  "libc",
  "percent-encoding",
  "pin-project-lite",
- "socket2 0.6.0",
+ "socket2",
  "tokio",
  "tower-service",
  "tracing",
@@ -3037,7 +3027,7 @@ dependencies = [
  "quoted_printable",
  "rustls",
  "rustls-platform-verifier",
- "socket2 0.6.0",
+ "socket2",
  "tokio",
  "tokio-rustls",
  "tracing",
@@ -3057,7 +3047,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
 dependencies = [
  "cfg-if",
- "windows-targets 0.48.5",
+ "windows-targets 0.52.6",
 ]
 
 [[package]]
@@ -3559,7 +3549,7 @@ dependencies = [
  "mas-context",
  "pin-project-lite",
  "rustls-pemfile",
- "socket2 0.6.0",
+ "socket2",
  "thiserror 2.0.12",
  "tokio",
  "tokio-rustls",
@@ -4832,60 +4822,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "quinn"
-version = "0.11.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3bd15a6f2967aef83887dcb9fec0014580467e33720d073560cf015a5683012"
-dependencies = [
- "bytes",
- "cfg_aliases",
- "pin-project-lite",
- "quinn-proto",
- "quinn-udp",
- "rustc-hash 2.1.1",
- "rustls",
- "socket2 0.5.10",
- "thiserror 2.0.12",
- "tokio",
- "tracing",
- "web-time",
-]
-
-[[package]]
-name = "quinn-proto"
-version = "0.11.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b820744eb4dc9b57a3398183639c511b5a26d2ed702cedd3febaa1393caa22cc"
-dependencies = [
- "bytes",
- "getrandom 0.3.2",
- "rand 0.9.0",
- "ring",
- "rustc-hash 2.1.1",
- "rustls",
- "rustls-pki-types",
- "slab",
- "thiserror 2.0.12",
- "tinyvec",
- "tracing",
- "web-time",
-]
-
-[[package]]
-name = "quinn-udp"
-version = "0.5.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "541d0f57c6ec747a90738a52741d3221f7960e8ac2f0ff4b1a63680e033b4ab5"
-dependencies = [
- "cfg_aliases",
- "libc",
- "once_cell",
- "socket2 0.5.10",
- "tracing",
- "windows-sys 0.59.0",
-]
-
 [[package]]
 name = "quote"
 version = "1.0.40"
@@ -5107,7 +5043,6 @@ dependencies = [
  "mime",
  "percent-encoding",
  "pin-project-lite",
- "quinn",
  "rustls",
  "rustls-pki-types",
  "serde",
@@ -5287,14 +5222,13 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.23.30"
+version = "0.23.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "069a8df149a16b1a12dcc31497c3396a173844be3cac4bd40c9e7671fef96671"
+checksum = "c0ebcbd2f03de0fc1122ad9bb24b127a5a6cd51d72604a3f3c50ac459762b6cc"
 dependencies = [
  "aws-lc-rs",
  "log",
  "once_cell",
- "ring",
  "rustls-pki-types",
  "rustls-webpki",
  "subtle",
@@ -5328,7 +5262,6 @@ version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "229a4a4c221013e7e1f1a043678c5cc39fe5171437c88fb47151a21e6f5b5c79"
 dependencies = [
- "web-time",
  "zeroize",
 ]
 
@@ -5350,7 +5283,7 @@ dependencies = [
  "security-framework",
  "security-framework-sys",
  "webpki-root-certs",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -5923,16 +5856,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "socket2"
-version = "0.5.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
-dependencies = [
- "libc",
- "windows-sys 0.52.0",
-]
-
 [[package]]
 name = "socket2"
 version = "0.6.0"
@@ -6496,7 +6419,7 @@ dependencies = [
  "pin-project-lite",
  "signal-hook-registry",
  "slab",
- "socket2 0.6.0",
+ "socket2",
  "tokio-macros",
  "windows-sys 0.59.0",
 ]

Cargo.toml

@@ -501,7 +501,13 @@ version = "1.11.1"
 [workspace.dependencies.reqwest]
 version = "0.12.22"
 default-features = false
-features = ["http2", "rustls-tls-manual-roots", "charset", "json", "socks"]
+features = [
+    "http2",
+    "rustls-tls-manual-roots-no-provider",
+    "charset",
+    "json",
+    "socks",
+]
 
 # RSA cryptography
 [workspace.dependencies.rsa]
@@ -518,7 +524,7 @@ version = "0.15.4"
 
 # TLS stack
 [workspace.dependencies.rustls]
-version = "0.23.30"
+version = "0.23.31"
 
 # PEM parsing for rustls
 [workspace.dependencies.rustls-pemfile]

crates/http/src/reqwest.rs

@@ -91,7 +91,13 @@ impl reqwest::dns::Resolve for TracingResolver {
 #[must_use]
 pub fn client() -> reqwest::Client {
     // TODO: can/should we limit in-flight requests?
-    let tls_config = rustls::ClientConfig::with_platform_verifier();
+
+    // The explicit typing here is because `use_preconfigured_tls` accepts
+    // `Any`, but wants a `ClientConfig` under the hood. This helps us detect
+    // breaking changes in the rustls-platform-verifier API.
+    let tls_config: rustls::ClientConfig =
+        rustls::ClientConfig::with_platform_verifier().expect("failed to create TLS config");
+
     reqwest::Client::builder()
         .dns_resolver(Arc::new(TracingResolver::new()))
         .use_preconfigured_tls(tls_config)

deny.toml

@@ -64,7 +64,6 @@ skip = [
     { name = "indexmap", version = "1.9.3" },        # schemars depends on this old version
     { name = "hashbrown", version = "0.12.3" },      # schemars -> indexmap depends on this old version
     { name = "hashbrown", version = "0.14.5" },      # a few crates depend on this old version
-    { name = "socket2", version = "0.5.10" },        # a few crates depend on socket2 0.5
     # a few dependencies depend on the 1.x version of thiserror
     { name = "thiserror", version = "1.0.69" },
     { name = "thiserror-impl", version = "1.0.69" },