awslabs / aws-sdk-rust

AWS SDK for the Rust Programming Language
https://awslabs.github.io/aws-sdk-rust/
Apache License 2.0

Fallback to webpki certs if no native certs found, in hyper client from aws_smithy_runtime. #1167

Open JustusFluegel opened 1 week ago

JustusFluegel commented 1 week ago

Describe the feature

Fall back to the webpki root certs if no native certs are found.

Use Case

I like to use a project that uses this SDK in a FROM scratch Docker image in which no ca-certificates are available. Falling back to webpki certs if that happens would allow this use case.

Proposed Solution

Update hyper_rustls to at least v0.25 (from v0.24; the current latest version would be v0.27.2) and check the result returned by with_native_certs() starting from that version, calling with_webpki_certs if that errors. Basically, replace the following code like so:

```rust
// https://github.com/awslabs/aws-sdk-rust/blob/3a5bf4831a8d024ae0903fef0a055bfbd726b041/sdk/aws-smithy-runtime/src/client/http/hyper_014.rs#L53
rustls::ClientConfig::builder()
    ...
    .with_native_roots()
    ...
```

to

```rust
let config_without_certs = rustls::ClientConfig::builder()
    ...;

// From hyper-rustls 0.25 on, with_native_roots() returns an io::Result,
// so a failed lookup can fall through to the bundled webpki roots.
let config_with_certs = config_without_certs
    .clone()
    .with_native_roots()
    .unwrap_or_else(|e| {
        // probably some trace logs here
        tracing::trace!("no native root certs found ({e}), falling back to webpki roots");
        config_without_certs.with_webpki_roots()
    });

config_with_certs
    ...
```

(there is probably a nicer way to write it, but you should get the gist of it)

Other Information

No response

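The failure mode behind this request can be caught before deployment. The following POSIX sh check is an added example, not code from this issue or from the SDK: it inspects the root of an unpacked image filesystem for a CA bundle in the Linux locations openssl-probe consults (which is what rustls-native-certs, and so with_native_roots(), load from), after the SSL_CERT_FILE / SSL_CERT_DIR overrides, and returns 1 when, as in a FROM scratch image without ca-certificates, there is nothing for the native-roots path to load. The path list and the constructed fixture paths are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added check (not from the issue or the SDK): look for a CA bundle that
# rustls-native-certs, and so with_native_roots(), could load. Paths are the
# Linux locations consulted by openssl-probe (an assumption about that list,
# not taken from the page), preceded by the SSL_CERT_FILE / SSL_CERT_DIR
# overrides. $1 is the root of the filesystem to inspect ("" or "/" = host).
check_native_ca_bundle() {
    root="${1:-}"
    root="${root%/}"   # "" for the real root, so "$root$f" stays a valid path
    if [ -n "${SSL_CERT_FILE:-}" ] && [ -s "$root$SSL_CERT_FILE" ]; then
        echo "bundle via SSL_CERT_FILE: $SSL_CERT_FILE"
        return 0
    fi
    if [ -n "${SSL_CERT_DIR:-}" ] && [ -n "$(ls -A "$root$SSL_CERT_DIR" 2>/dev/null)" ]; then
        echo "cert dir via SSL_CERT_DIR: $SSL_CERT_DIR"
        return 0
    fi
    # Debian/Ubuntu, RHEL/Fedora, SUSE, OpenELEC, CentOS/RHEL 7, Alpine
    for f in /etc/ssl/certs/ca-certificates.crt \
             /etc/pki/tls/certs/ca-bundle.crt \
             /etc/ssl/ca-bundle.pem \
             /etc/pki/tls/cacert.pem \
             /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
             /etc/ssl/cert.pem; do
        if [ -s "$root$f" ]; then
            echo "bundle: $f"
            return 0
        fi
    done
    # Hashed-certificate directories are also accepted by the probe.
    for d in /etc/ssl/certs /etc/pki/tls/certs; do
        if [ -n "$(ls -A "$root$d" 2>/dev/null)" ]; then
            echo "cert dir: $d"
            return 0
        fi
    done
    echo "no native CA bundle under '${root:-/}': with_native_roots() would have nothing to load" >&2
    return 1
}

# Stand-alone use: CHECK_ROOT=/path/to/unpacked/image sh check.sh
check_native_ca_bundle "${CHECK_ROOT:-/}" || :
```

Run it against the rootfs exported from the image (for example, `docker export` of a created container) as a build gate; without the proposed fallback, a non-zero exit here means every TLS connection the SDK opens will fail at runtime.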

ysaito1001 commented 1 week ago

Hi, thank you for submitting a feature request! A clarifying question: without the suggested feature, can you work around this by using the code snippet mentioned in this guide (search for with_webpki_roots), i.e. writing your own HTTP connector enabling with_webpki_roots?

JustusFluegel commented 1 week ago

I will test that, thanks 👍 (and get back to you afterwards). Although I think even if that works, a fallback to the webpki certs would probably still make sense :)