Conversation
Contributor

Copilot AI commented Dec 18, 2025

The rustls feature only used bundled Mozilla certificates (webpki-roots), causing TLS failures behind Cloudflare WARP and corporate VPNs that inject custom root certificates.

Changes

Cargo.toml: Updated rustls feature to enable both certificate sources in reqwest:

rustls = [
    "dep:rustls_sys",
    "reqwest?/rustls-tls-native-roots",    # System certificates (WARP, corporate CAs)
    "reqwest?/rustls-tls-webpki-roots",    # Bundled Mozilla certificates (fallback)
    "suppaftp?/rustls",
    "rust-s3?/sync-rustls-tls"
]

When both features are enabled, reqwest merges the certificate stores - system certs are used when present, bundled certs provide fallback for minimal environments.

Documentation: Updated lib.rs and README to reflect certificate handling behavior.

CHANGELOG.md: Added entry under [Unreleased].

Transitive Dependencies

Adds rustls-native-certs (~10KB, pure Rust, no OpenSSL compilation).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • spaces.bgpkit.org (dns block)
    • Triggering command: /home/REDACTED/work/oneio/oneio/target/debug/deps/oneio-6acb0bfb7fd38451
    • Triggering command: /home/REDACTED/work/oneio/oneio/target/debug/deps/basic_integration-9f8b5e6b16e33696

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Problem

When fetching data behind Cloudflare WARP VPN (or other corporate VPNs/proxies), users encounter certificate validation errors. This happens because the current rustls feature only uses webpki-roots (bundled Mozilla certificates), which doesn't include system-level certificates installed by WARP or corporate IT.

Solution

Enable both rustls-tls-native-roots and rustls-tls-webpki-roots features in reqwest when the rustls feature is enabled. This provides the best of both worlds:

  1. Native system certs are loaded (including any certificates installed by WARP, corporate proxies, or IT admins)
  2. Bundled Mozilla certs serve as a fallback for minimal environments (containers, musl builds without a CA store)

According to reqwest's source code, when both features are enabled, the certificates are merged into the same root certificate store - they are additive, not mutually exclusive.

Changes Required

Update Cargo.toml to change the rustls feature from:

rustls = [
    "dep:rustls_sys",
    "reqwest?/rustls-tls",
    "suppaftp?/rustls",
    "rust-s3?/sync-rustls-tls"
]

To:

rustls = [
    "dep:rustls_sys",
    "reqwest?/rustls-tls-native-roots",
    "reqwest?/rustls-tls-webpki-roots",
    "suppaftp?/rustls",
    "rust-s3?/sync-rustls-tls"
]

Benefits

| Environment | Behavior |
|---|---|
| Behind Cloudflare WARP / corporate VPN | ✅ Uses system certs including WARP's CA |
| Normal desktop/server | ✅ Uses system certs |
| Docker container with CA store | ✅ Uses container's system certs |
| Minimal container / musl without CA store | ✅ Falls back to bundled Mozilla certs |

Additional Dependencies

This adds rustls-native-certs as a transitive dependency, which:

  • Does not require compiling OpenSSL (unlike native-tls)
  • Has minimal dependencies
  • Adds negligible compile time

No code changes are required - just the Cargo.toml dependency update.

This pull request was created from Copilot chat.


Co-authored-by: digizeph <659667+digizeph@users.noreply.github.com>
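The PR description above states that with both `rustls-tls-native-roots` and `rustls-tls-webpki-roots` enabled, reqwest fills one root store from both sources additively, so a WARP or corporate root installed on the host is trusted while the bundled Mozilla roots keep the store usable where the host has no CA store at all. The following is an added illustration of that merge logic, not code from reqwest, rustls or oneio: certificates are stood in for by constructed DER-like byte strings, the "is this a certificate" check is a placeholder for real X.509 parsing, and the duplicate-skipping and the `Source` tag are this example's own additions for diagnostics (the page only says the two sources are additive). The empty-native-store warning mirrors the situation the PR fixes: a client with only native roots and an empty or unreadable system store would trust nothing.

```rust
// Added illustration (not reqwest's, rustls's or oneio's code): a model of how a
// root store is populated when both the native-roots and webpki-roots sources
// are enabled. Certificates are DER byte strings; the sample values below are
// constructed placeholders, not real certificates.

use std::collections::HashSet;

/// Which root source a certificate came from; handy when diagnosing why a
/// connection behind a corporate proxy is (or is not) trusted.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Source {
    Native,
    Bundled,
}

/// Summary of one merge, in the spirit of the valid/invalid counts reqwest logs
/// while loading native roots.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct MergeReport {
    pub native_valid: usize,
    pub native_invalid: usize,
    pub bundled_added: usize,
    pub duplicates_skipped: usize,
}

/// Placeholder for X.509 parsing: a DER certificate is a SEQUENCE, so it starts
/// with tag byte 0x30. Anything else is treated as unparsable.
fn looks_like_der_cert(der: &[u8]) -> bool {
    der.first() == Some(&0x30)
}

/// Merge system (native) roots and bundled webpki roots into one store.
/// The result is additive: native certs first, bundled certs second; a cert
/// already present is skipped (this example's choice) rather than added twice.
pub fn merge_roots(
    native: &[Vec<u8>],
    bundled: &[Vec<u8>],
) -> (Vec<(Source, Vec<u8>)>, MergeReport) {
    let mut store: Vec<(Source, Vec<u8>)> = Vec::new();
    let mut seen: HashSet<Vec<u8>> = HashSet::new();
    let mut report = MergeReport::default();

    for der in native {
        if !looks_like_der_cert(der) {
            // An unparsable entry in the system store is counted and skipped;
            // it must not abort loading of the remaining roots.
            report.native_invalid += 1;
            continue;
        }
        if seen.insert(der.clone()) {
            store.push((Source::Native, der.clone()));
            report.native_valid += 1;
        } else {
            report.duplicates_skipped += 1;
        }
    }
    for der in bundled {
        if seen.insert(der.clone()) {
            store.push((Source::Bundled, der.clone()));
            report.bundled_added += 1;
        } else {
            report.duplicates_skipped += 1;
        }
    }
    (store, report)
}

/// True when the system store yielded nothing at all (neither valid nor
/// invalid entries). With native roots alone this client would trust nothing;
/// with both sources enabled the bundled roots keep the store non-empty.
pub fn native_store_empty(report: &MergeReport) -> bool {
    report.native_valid == 0 && report.native_invalid == 0
}

fn main() {
    // Constructed sample inputs (placeholders, not real DER).
    let corporate_ca = vec![0x30, 0x82, 0x01, 0x01]; // e.g. a WARP/corporate root
    let shared_root = vec![0x30, 0x82, 0x02, 0x02]; // present in both stores
    let bundled_only = vec![0x30, 0x82, 0x03, 0x03];
    let garbage = vec![0xff, 0x00]; // not a certificate

    let native = vec![corporate_ca, shared_root.clone(), garbage];
    let bundled = vec![shared_root, bundled_only];
    let (store, report) = merge_roots(&native, &bundled);
    println!("{} roots trusted, report: {:?}", store.len(), report);
    if native_store_empty(&report) {
        println!("warning: zero certificates found in native root store; relying on bundled roots only");
    }
}
```

Running it with the constructed inputs yields three trusted roots (the corporate CA and the shared root from the native store, the bundled-only root from webpki), one invalid native entry skipped, and one duplicate skipped; with an empty native slice the warning fires and the store still holds the bundled roots.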
Copilot AI changed the title [WIP] Update Cargo.toml to enable rustls-features in reqwest Enable both native and webpki root certificates for rustls Dec 18, 2025
Copilot AI requested a review from digizeph December 18, 2025 17:33
@digizeph digizeph marked this pull request as ready for review December 18, 2025 17:35
@digizeph digizeph merged commit c437770 into main Dec 18, 2025
5 checks passed
@digizeph digizeph deleted the copilot/update-rustls-features-reqwest branch December 18, 2025 17:36