alexcrichton / curl-rust

Rust bindings to libcurl
MIT License

rustls does not work on windows #455

Closed tyhdefu closed 1 year ago

tyhdefu commented 1 year ago

Trying a post request on windows with the rustls feature enabled leads to: `Error { description: "SSL peer certificate or SSH remote key was not OK", code: 60, extra: Some("invalid peer certificate signature") }`

I have set up a minimal reproducible example on github, and added github actions to prove that it works on linux but not on windows. https://github.com/tyhdefu/curl-rs-test

Windows: Failing
Ubuntu: Succeeding

Interestingly, it also does not seem to work when run on WSL (although a full arch vm worked), and when cross compiled to a raspberry pi (armv6l) it also produces the same error. Let me know if you need any more information.

sagebind commented 1 year ago

This is because rustls does not come with any trusted root certificates, nor any ability to automatically discover certificates trusted by the operating system. This differs from other TLS backends which typically have some way to auto-discover trusted certificates. You receive the error that you do because rustls doesn't initially trust any certificates, and thus all certificates presented by any server are rejected.

To use rustls with curl, you must specify at least one certificate to trust using cainfo or ssl_cainfo_blob. At least at this time, the curl crate does not do anything extra beyond what libcurl provides to auto-discover certificates.

On some Linux systems curl may choose a default CAINFO that works for your system, and may use that path to pass certificates to rustls, but it can vary between Linux distributions and probably should not be relied upon.
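The following is an added example, not code from curl-rust or from either commenter. It shows the defensive pattern the comment above implies: with the rustls backend the application must hand curl an explicit trust store, either a PEM file path (the crate's `Easy::cainfo`, libcurl's CURLOPT_CAINFO) or PEM bytes (the crate's `Easy::ssl_cainfo_blob`, CURLOPT_CAINFO_BLOB), and it should refuse to proceed with a bundle that contains no certificates, because an empty trust store produces exactly the error 60 reported in this issue. The `TrustSource` and `TrustStore` types, the `Recorder` stand-in and the `with-curl` Cargo feature are assumptions of this example; `cainfo` and `ssl_cainfo_blob` are the real method names on `curl::easy::Easy`, and the forwarding impl for that type is gated behind the hypothetical feature so the rest of the file runs without the crate.

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// Where the trust anchors come from. With the rustls backend one of these
/// must be supplied, otherwise rustls trusts nothing and every server
/// certificate fails with curl error 60 ("invalid peer certificate signature").
#[derive(Debug)]
pub enum TrustSource {
    /// A PEM bundle on disk, handed to libcurl as CURLOPT_CAINFO.
    File(PathBuf),
    /// PEM bytes carried by the program itself, handed over as
    /// CURLOPT_CAINFO_BLOB. Useful on Windows, which has no bundle path.
    Blob(Vec<u8>),
}

/// The two setters the curl crate's `Easy` handle offers for this purpose
/// (`curl::easy::Easy::cainfo` and `Easy::ssl_cainfo_blob`). The trait is an
/// assumption of this example so the logic can run without the crate.
pub trait TrustStore {
    fn cainfo(&mut self, path: &Path) -> Result<(), String>;
    fn ssl_cainfo_blob(&mut self, blob: &[u8]) -> Result<(), String>;
}

/// Count certificates in a PEM bundle. A bundle with zero certificates would
/// leave rustls with an empty trust store, reproducing the original failure.
pub fn count_pem_certs(pem: &[u8]) -> usize {
    String::from_utf8_lossy(pem)
        .lines()
        .filter(|line| line.trim() == "-----BEGIN CERTIFICATE-----")
        .count()
}

/// Validate the bundle and apply it to the handle. Returns how many
/// certificates were installed so the caller can log or assert on it.
pub fn configure_trust<S: TrustStore>(handle: &mut S, source: &TrustSource) -> Result<usize, String> {
    match source {
        TrustSource::File(path) => {
            let bytes = fs::read(path).map_err(|e| format!("{}: {}", path.display(), e))?;
            let n = count_pem_certs(&bytes);
            if n == 0 {
                return Err(format!("{} contains no certificates", path.display()));
            }
            handle.cainfo(path)?;
            Ok(n)
        }
        TrustSource::Blob(bytes) => {
            let n = count_pem_certs(bytes);
            if n == 0 {
                return Err("CA blob contains no certificates".to_string());
            }
            handle.ssl_cainfo_blob(bytes)?;
            Ok(n)
        }
    }
}

/// Recording stand-in for `Easy`, so the flow can be exercised offline.
#[derive(Debug, Default)]
pub struct Recorder {
    pub cainfo_path: Option<PathBuf>,
    pub blob_len: Option<usize>,
}

impl TrustStore for Recorder {
    fn cainfo(&mut self, path: &Path) -> Result<(), String> {
        self.cainfo_path = Some(path.to_path_buf());
        Ok(())
    }
    fn ssl_cainfo_blob(&mut self, blob: &[u8]) -> Result<(), String> {
        self.blob_len = Some(blob.len());
        Ok(())
    }
}

/// Forwarding impl for the real handle. `with-curl` is a hypothetical Cargo
/// feature gating the `curl` dependency; enable it in a project that depends
/// on the curl crate with its `rustls` feature turned on.
#[cfg(feature = "with-curl")]
impl TrustStore for curl::easy::Easy {
    fn cainfo(&mut self, path: &Path) -> Result<(), String> {
        curl::easy::Easy::cainfo(self, path).map_err(|e| e.to_string())
    }
    fn ssl_cainfo_blob(&mut self, blob: &[u8]) -> Result<(), String> {
        curl::easy::Easy::ssl_cainfo_blob(self, blob).map_err(|e| e.to_string())
    }
}

fn main() {
    // Constructed placeholder bundle: the base64 body is not a real certificate.
    let bundle = b"-----BEGIN CERTIFICATE-----\nQUJDREVG\n-----END CERTIFICATE-----\n".to_vec();
    let mut handle = Recorder::default();
    match configure_trust(&mut handle, &TrustSource::Blob(bundle)) {
        Ok(n) => println!("installed {} trust anchor(s): {:?}", n, handle),
        Err(e) => eprintln!("refusing to start with an empty trust store: {}", e),
    }
    // With no anchors at all, the rustls backend would reject every peer.
    let empty = configure_trust(&mut Recorder::default(), &TrustSource::Blob(Vec::new()));
    assert!(empty.is_err());
}
```

On Windows the `Blob` variant is the practical choice, since there is no distribution-provided bundle path to point `cainfo` at; the bytes can be embedded with `include_bytes!` or read from a location the deployment controls. The count check is what turns the silent "trusts nothing" state into a loud startup error.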

sagebind commented 1 year ago

Closing as this is primarily an unfriendliness/inconvenience on rustls/curl's part, and not the fault of this crate. If you disagree feel free to reopen!