sfackler / rust-native-tls

Apache License 2.0
473 stars 197 forks

feature request: please provide a way to "opt-outing" openssl #284

Closed KisaragiEffective closed 10 months ago

KisaragiEffective commented 10 months ago

Hello maintainers,

First of all, thank you for maintaining this crate!

I've used this crate via reqwest in my applications.

I've been building them mostly with the rustls backend. However, it falls back to native-tls because ring (one of rustls' dependencies) does not build for M1 Mac yet.

According to docs.rs top, native-tls uses security-framework crate and does not depend on openssl crate.

However, GitHub Security Advisory said my application is vulnerable because there's a path to openssl:

my-app 0.1.0
└ reqwest 0.11.22
  └ native-tls 0.2.11
    └ openssl 0.10.55

I don't want to drop M1 Mac support.

Proposed change

I'm not sure if this approach will work...

  1. Add check_openssl to the default features.
  2. Add __buildscript_enable_openssl to the features: __buildscript_enable_openssl = ["openssl", "openssl-sys", "openssl-probe"]
  3. Make the openssl-related dependencies optional = true.
  4. Check for the existence of std::env::var("CARGO_FEATURE_CHECK_OPENSSL") and for cfg(not(any(/* windows, mac, ios */))) in build.rs.
  5. Emit println!(r#"cargo:rustc-cfg=feature="__buildscript_enable_openssl""#); if all conditions are met.
  6. Add something like compile_error!("This target requires OpenSSL, but it is not enabled!"); to lib.rs, in case it is actually necessary but was disabled by accident.

How to enable/disable
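The build.rs half of the proposal above (steps 4 and 5), as an added example that is not code from rust-native-tls or from the issue author. The decision logic is factored into pure functions so it can be exercised outside a cargo build; the target list, the `main` that reads cargo's environment, and the commented lib.rs guard are assumptions about how the sketch would be filled in.

```rust
// Added example (not part of rust-native-tls): a build.rs sketch of the
// "check_openssl" proposal, with the decision logic in pure functions.
use std::env;

/// Targets on which native-tls uses a platform TLS stack instead of OpenSSL
/// (windows -> SChannel, macos/ios -> Security.framework). Assumed list.
const PLATFORM_TLS_TARGETS: &[&str] = &["windows", "macos", "ios"];

/// Mirrors `cfg(not(any(windows, macos, ios)))` from step 4, evaluated on the
/// value cargo passes to build scripts in CARGO_CFG_TARGET_OS.
pub fn target_needs_openssl(target_os: &str) -> bool {
    !PLATFORM_TLS_TARGETS.contains(&target_os)
}

/// Decides which `cargo:` directives the build script prints.
/// `check_feature_enabled` models CARGO_FEATURE_CHECK_OPENSSL being set;
/// cargo exports CARGO_FEATURE_<NAME> for every enabled feature.
pub fn build_directives(check_feature_enabled: bool, target_os: &str) -> Vec<String> {
    let mut out = Vec::new();
    if check_feature_enabled && target_needs_openssl(target_os) {
        // Step 5: turn on the internal cfg only where OpenSSL is really needed.
        out.push("cargo:rustc-cfg=feature=\"__buildscript_enable_openssl\"".to_string());
    }
    out
}

// Step 6 would then live in lib.rs (shown as a comment so this file compiles
// on a Linux host without the feature):
//
// #[cfg(all(
//     not(any(windows, target_os = "macos", target_os = "ios")),
//     not(feature = "__buildscript_enable_openssl")
// ))]
// compile_error!("This target requires OpenSSL, but it is not enabled!");

fn main() {
    // cargo sets both variables when it runs the build script.
    let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap_or_default();
    let check = env::var_os("CARGO_FEATURE_CHECK_OPENSSL").is_some();
    for line in build_directives(check, &target_os) {
        println!("{line}");
    }
}
```

Two caveats matter for what this can achieve. Cargo resolves features and dependencies before it runs build scripts, so a `cargo:rustc-cfg=feature="..."` line only sets a cfg flag for this crate's own compilation; it cannot switch on the optional `openssl` dependency, so the feature-enabling half of step 5 does not work as written. And Cargo.lock records optional and target-specific dependencies whether or not they are compiled, so lockfile-based scanners such as cargo audit and Dependabot keep reporting the openssl entry regardless; the entry goes away only when the lockfile is updated to a patched version, which is what the maintainer's `cargo update` reply addresses.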

sfackler commented 10 months ago

Run cargo update.

rustls does support ARM macOS FYI.

KisaragiEffective commented 10 months ago

> Run cargo update.

(sorry for the ping @sfackler) No, that isn't the point. Please reopen this. dependabot has done the same thing to my repo in this case, but I don't want to handle a "vulnerability" that is not actually a vulnerability because it is not linked in any case, so I want it not to include them in the dependency tree.