Fallback to webpki certs if no native certs found, in hyper client from aws_smithy_runtime. #1167

@JustusFluegel

Describe the feature

Fall back to the webpki root certs if no native certs are found.

Use Case

I like to use a project that uses this SDK in a FROM scratch Docker image in which no ca-certificates are available. Falling back to webpki certs if that happens would allow this use case.

Proposed Solution

Update hyper_rustls to at least v0.25 (from v0.24, current latest version would be v0.27.2) and check the result returned by with_native_certs() starting from that version, calling with_webpki_certs if that errors. Basically replace the following code like so:

// https://github.com/awslabs/aws-sdk-rust/blob/3a5bf4831a8d024ae0903fef0a055bfbd726b041/sdk/aws-smithy-runtime/src/client/http/hyper_014.rs#L53
rustls::ClientConfig::builder()
                    ...
                    .with_native_roots()
                    ...

to

let config_without_certs = rustls::ClientConfig::builder()
                    ...;

// From hyper_rustls v0.25 on, with_native_roots() returns a Result.
let config_with_certs = config_without_certs
                    .clone()
                    .with_native_roots()
                    .unwrap_or_else(|_e| {
                        // TODO: probably some trace logs here
                        // (a todo!() call would panic before the fallback runs)
                        config_without_certs.with_webpki_roots()
                    });

config_with_certs
                    ...

(there is probably a nicer way to write it but you should get the gist of it)

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

A note for the community

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue, please leave a comment
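
A pre-flight check for the scenario in this issue, as an added example that is not code from aws-sdk-rust or hyper_rustls: it counts PEM certificates in the usual bundle files and reports whether the proposed fallback would trigger. The bundle paths, the bundle-file-only lookup, and the names `RootSource`, `count_pem_certs`, `choose_root_source` and `native_cert_count` are assumptions made for illustration; the real native-root loader may search other locations.

```rust
use std::{env, fs, path::PathBuf};

/// Which trust anchors the TLS client would end up with.
#[derive(Debug, PartialEq)]
enum RootSource {
    Native { certs: usize },
    WebpkiFallback,
}

// Constructed sample: one complete PEM block and one truncated block (not real certificates).
const SAMPLE_BUNDLE: &str = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nBBBB\n";

/// Count complete PEM certificate blocks; a truncated block is not counted.
fn count_pem_certs(bundle: &str) -> usize {
    let (mut count, mut inside) = (0, false);
    for line in bundle.lines().map(str::trim) {
        match line {
            "-----BEGIN CERTIFICATE-----" => inside = true,
            "-----END CERTIFICATE-----" if inside => {
                count += 1;
                inside = false;
            }
            _ => {}
        }
    }
    count
}

/// The decision the issue proposes: native roots if any were found, else webpki roots.
fn choose_root_source(native_certs: usize) -> RootSource {
    match native_certs {
        0 => RootSource::WebpkiFallback,
        n => RootSource::Native { certs: n },
    }
}

/// Assumed bundle locations: SSL_CERT_FILE first, then two common Linux paths.
fn native_cert_count() -> usize {
    let mut paths: Vec<PathBuf> = env::var_os("SSL_CERT_FILE").map(PathBuf::from).into_iter().collect();
    paths.push("/etc/ssl/certs/ca-certificates.crt".into());
    paths.push("/etc/pki/tls/certs/ca-bundle.crt".into());
    paths.iter().filter_map(|p| fs::read_to_string(p).ok())
        .map(|text| count_pem_certs(&text)).find(|&n| n > 0).unwrap_or(0)
}

fn main() {
    println!("sample bundle: {:?}", choose_root_source(count_pem_certs(SAMPLE_BUNDLE)));
    // Log the real outcome so a switch to the bundled trust store is never silent.
    println!("this host: {:?}", choose_root_source(native_cert_count()));
}
```

Run inside the target image, a `WebpkiFallback` result means the client would trust the compiled-in root set rather than anything the image operator installed, which is worth recording in logs and in the image's documentation.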

    Labels: feature-request (A feature should be added or improved.), p3 (This is a minor priority issue)
