This is problematic in projects that want to use Rustls with (only) the native roots and have cloudflare as dependency because the rustls-tls feature actually resolves to rustls-tls-webpki-roots.
Even more so, if a project uses cloudflare as dependency with the rustls-tls feature (which, as mentioned, resolves to rustls-tls-webpki-roots) and itself uses reqwest with the rustls-tls-native-roots feature, reqwest will actually use the root certificates from both sources with Rustls because of how Cargo's feature unification works where the union of all enabled features is used on that dependency when building it.
cloudflare
'sreqwest
dependency offers various optional features to control which root certificates are used by reqwest. While some features such asdefault-tls
andrustls-tls
have corresponding features in cloudflare's Cargo.toml, the more fine-grainedrustls-tls-native-roots
(andrustls-tls-webpki-roots
) are currently not supported.This is problematic in projects that want to use Rustls with (only) the native roots and have
cloudflare
as dependency because therustls-tls
feature actually resolves torustls-tls-webpki-roots
.Even more so, if a project uses
cloudflare
as dependency with therustls-tls
feature (which, as mentioned, resolves torustls-tls-webpki-roots
) and itself usesreqwest
with therustls-tls-native-roots
feature, reqwest will actually use the root certificates from both sources with Rustls because of how Cargo's feature unification works where the union of all enabled features is used on that dependency when building it.