Properly use rustls-platform-verifier with reqwest

Author: sandhose

Cargo.lock

@@ -501,7 +501,13 @@ version = "1.11.1"
 [workspace.dependencies.reqwest]
 version = "0.12.22"
 default-features = false
-features = ["http2", "rustls-tls-manual-roots", "charset", "json", "socks"]
+features = [
+    "http2",
+    "rustls-tls-manual-roots-no-provider",
+    "charset",
+    "json",
+    "socks",
+]
 
 # RSA cryptography
 [workspace.dependencies.rsa]
@@ -518,7 +524,7 @@ version = "0.15.4"
 
 # TLS stack
 [workspace.dependencies.rustls]
-version = "0.23.30"
+version = "0.23.31"
 
 # PEM parsing for rustls
 [workspace.dependencies.rustls-pemfile]

Cargo.toml

@@ -91,7 +91,13 @@ impl reqwest::dns::Resolve for TracingResolver {
 #[must_use]
 pub fn client() -> reqwest::Client {
     // TODO: can/should we limit in-flight requests?
-    let tls_config = rustls::ClientConfig::with_platform_verifier();
+
+    // The explicit typing here is because `use_preconfigured_tls` accepts
+    // `Any`, but wants a `ClientConfig` under the hood. This helps us detect
+    // breaking changes in the rustls-platform-verifier API.
+    let tls_config: rustls::ClientConfig =
+        rustls::ClientConfig::with_platform_verifier().expect("failed to create TLS config");
+
     reqwest::Client::builder()
         .dns_resolver(Arc::new(TracingResolver::new()))
         .use_preconfigured_tls(tls_config)

crates/http/src/reqwest.rs

@@ -64,7 +64,6 @@ skip = [
     { name = "indexmap", version = "1.9.3" },        # schemars depends on this old version
     { name = "hashbrown", version = "0.12.3" },      # schemars -> indexmap depends on this old version
     { name = "hashbrown", version = "0.14.5" },      # a few crates depend on this old version
-    { name = "socket2", version = "0.5.10" },        # a few crates depend on socket2 0.5
     # a few dependencies depend on the 1.x version of thiserror
     { name = "thiserror", version = "1.0.69" },
     { name = "thiserror-impl", version = "1.0.69" },