diff --git a/Cargo.lock b/Cargo.lock
index 901a6e46..2a7139ed 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2581,9 +2581,9 @@ dependencies = [
 [[package]]
 name = "rustls-native-certs"
-version = "0.7.3"
+version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5bfb394eeed242e909609f56089eecfe5fda225042e8b171791b9c95f5931e5"
+checksum = "fcaf18a4f2be7326cd874a5fa579fae794320a0f388d365dca7e480e55f83f8a"
 dependencies = [
  "openssl-probe",
  "rustls-pemfile",
diff --git a/Cargo.toml b/Cargo.toml
index 96224254..d73da726 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -54,7 +54,7 @@ native-tls = { version = "0.2.12", features = ["alpn"], optional = true }
 tokio-native-tls = { version = "0.3.1", optional = true }
 rustls = { version = "0.23.11", optional = true }
-rustls-native-certs = { version = "0.7.1", optional = true }
+rustls-native-certs = { version = "0.8.0", optional = true }
 tokio-rustls = { version = "0.26.0", optional = true }
 rustls-pki-types = { version = "1.7.0", optional = true }
diff --git a/src/client.rs b/src/client.rs
index cb766453..14540b69 100644
--- a/src/client.rs
+++ b/src/client.rs
@@ -176,6 +176,8 @@ pub struct Client {
     pub unix_socket: Option,
     #[cfg(feature = "vsock")]
     pub vsock_addr: Option,
+    #[cfg(feature = "rustls")]
+    pub root_cert_store: Arc,
 }
 struct ClientStateHttp1 {
@@ -411,12 +413,8 @@ impl Client {
         let stream = tokio::net::TcpStream::connect(addr).await?;
         stream.set_nodelay(true)?;
-        let mut root_cert_store = rustls::RootCertStore::empty();
-        for cert in rustls_native_certs::load_native_certs()? {
-            root_cert_store.add(cert).ok(); // ignore error
-        }
         let mut config = rustls::ClientConfig::builder()
-            .with_root_certificates(root_cert_store)
+            .with_root_certificates(self.root_cert_store.clone())
             .with_no_client_auth();
         if self.insecure {
             config
diff --git a/src/main.rs b/src/main.rs
index ea01d5a7..9616cb91 100644
--- a/src/main.rs
+++ b/src/main.rs
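Review bot: The new public field `root_cert_store` on `Client` has no doc comment, and since the generic parameter is lost in this rendering (the type shows only as `Arc`), a reader of the struct cannot tell what they are expected to supply or why it is shared. Suggested line above the `#[cfg]` attribute: `/// Root trust store (`Arc<rustls::RootCertStore>`) shared by every TLS connection; the caller loads it once because reading the platform store is expensive.` The `pub struct Client {` header and the rest of its fields are outside this hunk.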
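Review bot: `self.root_cert_store.clone()` on the `with_root_certificates` line is a refcount bump on a shared `Arc`, not a copy of the trust store, and writing it as `Arc::clone(&self.root_cert_store)` makes that cheap-clone intent explicit to the next reader. Dropping `load_native_certs()?` here also moves trust-store failures from a per-connection `Err` that callers of `Client` could handle to an unconditional failure at program start in `main.rs`, which is a behaviour change worth a sentence in the commit message. The enclosing connect function starts and ends outside this hunk, so whether the `self.insecure` branch below still installs its own verifier is not visible here.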
@@ -469,6 +469,17 @@ async fn main() -> anyhow::Result<()> { unix_socket: opts.unix_socket, #[cfg(feature = "vsock")] vsock_addr: opts.vsock_addr.map(|v| v.0), + #[cfg(feature = "rustls")] + // Cache rustls_native_certs::load_native_certs() because it's expensive. + root_cert_store: { + let mut root_cert_store = rustls::RootCertStore::empty(); + for cert in + rustls_native_certs::load_native_certs().expect("could not load platform certs") + { + root_cert_store.add(cert).unwrap(); + } + std::sync::Arc::new(root_cert_store) + }, }; if !opts.no_pre_lookup {
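Review bot: `root_cert_store.add(cert).unwrap()` turns what the old client code deliberately tolerated (`.ok(); // ignore error`) into a startup abort: one unparseable certificate in the platform store now panics the whole tool, and because the initializer is unconditional in the struct literal it does so even for runs that never open a TLS connection. `rustls::RootCertStore::add_parsable_certificates` is the idiomatic replacement — `let (added, ignored) = root_cert_store.add_parsable_certificates(certs);` — it skips what it cannot parse and returns the counts, which are worth logging rather than discarding. The same concern applies to `.expect("could not load platform certs")`: if rustls-native-certs 0.8 reports per-location errors alongside the certificates it did load (I believe it does, via a `CertificateResult`), `expect` throws away a usable partial store whenever any single location fails, and `main` already returns `anyhow::Result`, so an `anyhow::Context` error would give the user a message instead of a panic backtrace. Minor: the `// Cache …` comment sits between `#[cfg(feature = "rustls")]` and the field it annotates; placing it above the attribute reads more naturally.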