
Configure TLS at runtime #384

Open
niklasmohrin opened this issue Oct 19, 2024 · 3 comments · May be fixed by #386

Comments

@niklasmohrin
Collaborator

We keep running into problems where one TLS configuration or another breaks (see #244, #328, #330). We then usually have to tell people to try compiling with another compile feature.

The library reqwest, which is used for making the requests, can be configured at runtime: https://docs.rs/reqwest/0.12.8/reqwest/struct.ClientBuilder.html#method.tls_built_in_root_certs

It should be possible to use these methods, so that we can tell users to change configuration options instead of recompiling. We will still keep the features, so that smaller binaries can be created. However, I think our default feature-set should be to enable all options.

To get going, we only need support in the config file, not via CLI flags or environment variables. The option should be in the updates section. I am not settled on any particular name for the option, but something like "tls-backend" or so should work to get started. (It is possible that it will turn out nicer with two options). We will figure out the specifics once we have some code to talk about.
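Added example (not tealdeer's or reqwest's own code) of the runtime selection described above: a hypothetical `tls-backend` key in the `updates` section is parsed, checked against the backends compiled into the binary, and mapped onto reqwest 0.12 `ClientBuilder` calls. The option values are assumptions, and the `TlsBuilder` trait is an assumed stand-in that mirrors `use_native_tls` (linked above), `use_rustls_tls`, and the `tls_built_in_webpki_certs`/`tls_built_in_native_certs` root-store toggles I assume reqwest 0.12.8 exposes behind its rustls root features, so the snippet runs without the crate.

```rust
/// Which TLS stack the HTTP client should use. The option name (`tls-backend` in the
/// `[updates]` section) and its three values are assumptions for this example.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TlsBackend {
    NativeTls,         // "native-tls": platform TLS library and platform trust store
    RustlsWebpkiRoots, // "rustls-with-webpki-roots": rustls plus the bundled Mozilla roots
    RustlsNativeRoots, // "rustls-with-native-roots": rustls plus the platform trust store
}

impl TlsBackend {
    /// Parse the config value and refuse a backend that is not in `compiled` (which the real
    /// code would build from `cfg!(feature = "...")`), so the user sees a config error instead
    /// of a failure inside the client. Unknown values are an error, never a silent fallback.
    pub fn parse(value: &str, compiled: &[TlsBackend]) -> Result<Self, String> {
        let backend = match value.trim() {
            "native-tls" => Self::NativeTls,
            "rustls-with-webpki-roots" => Self::RustlsWebpkiRoots,
            "rustls-with-native-roots" => Self::RustlsNativeRoots,
            other => return Err(format!("unknown tls-backend value {other:?}")),
        };
        if compiled.contains(&backend) {
            Ok(backend)
        } else {
            Err(format!("tls-backend {value:?} was not compiled into this binary"))
        }
    }
}

/// Assumed stand-in for the reqwest 0.12 `ClientBuilder` TLS methods (same names and shapes).
pub trait TlsBuilder: Sized {
    fn use_native_tls(self) -> Self;
    fn use_rustls_tls(self) -> Self;
    fn tls_built_in_webpki_certs(self, enabled: bool) -> Self;
    fn tls_built_in_native_certs(self, enabled: bool) -> Self;
}

/// Map the runtime choice onto builder calls. Each rustls variant enables exactly one root
/// store, so the client never trusts the union of both stores by accident.
pub fn apply_tls<B: TlsBuilder>(b: B, backend: TlsBackend) -> B {
    match backend {
        TlsBackend::NativeTls => b.use_native_tls(),
        TlsBackend::RustlsWebpkiRoots => {
            b.use_rustls_tls().tls_built_in_webpki_certs(true).tls_built_in_native_certs(false)
        }
        TlsBackend::RustlsNativeRoots => {
            b.use_rustls_tls().tls_built_in_webpki_certs(false).tls_built_in_native_certs(true)
        }
    }
}
```

With reqwest itself, `apply_tls` would receive the real `ClientBuilder` and each method still needs its Cargo feature compiled in, which is why the parse step checks the compiled list first.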

@erickguan erickguan linked a pull request Oct 27, 2024 that will close this issue
@dbrgn
Collaborator

dbrgn commented Nov 7, 2024

I wanted to suggest simply using native roots by default. However, I searched for old PRs and realized that we switched to WebPKI roots due to issues on macOS: #272

I don't mind either option, the config file is probably a good idea. On the bikeshedding side, I think I'd prefer tls-roots instead of backend, but either one would be fine for me.

@niklasmohrin
Collaborator Author

I think I'd prefer tls-roots instead of backend, but either one would be fine for me.

I was wondering what a good name would be, but as https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.use_native_tls reads "Force using the native TLS backend." I thought that "roots" does not quite capture the scope of all options. What do you think?

@dbrgn
Collaborator

dbrgn commented Nov 9, 2024

Ah, fair point.
