Use rustls-platform-verifier for cert validation

This simplifies by removing the mutually exclusive `native-roots` and
`webpki-roots` features with something that is suitable for all
platforms.

Cargo.toml

@@ -78,6 +78,12 @@ features = ["derive"]
 [workspace.dependencies.http]
 version = "0.2.11"
 
+# Hyper Rustls support
+[workspace.dependencies.hyper-rustls]
+version = "0.25.0"
+features = ["http1", "http2"]
+default-features = false
+
 # Templates
 [workspace.dependencies.minijinja]
 version = "1.0.12"
@@ -86,6 +92,14 @@ version = "1.0.12"
 [workspace.dependencies.rand]
 version = "0.8.5"
 
+# TLS stack
+[workspace.dependencies.rustls]
+version = "0.22.2"
+
+# Use platform-specific verifier for TLS
+[workspace.dependencies.rustls-platform-verifier]
+version = "0.2.0"
+
 # JSON Schema generation
 [workspace.dependencies.schemars]
 version = "0.8.16"
@@ -105,6 +119,11 @@ features = ["preserve_order"]
 [workspace.dependencies.thiserror]
 version = "1.0.57"
 
+# Tower services
+[workspace.dependencies.tower]
+version = "0.4.13"
+features = ["util"]
+
 # Logging and tracing
 [workspace.dependencies.tracing]
 version = "0.1.40"

crates/axum-utils/Cargo.toml

@@ -31,7 +31,7 @@ serde_urlencoded = "0.7.1"
 serde_json.workspace = true
 thiserror.workspace = true
 tokio = "1.35.1"
-tower = { version = "0.4.13", features = ["util"] }
+tower.workspace = true
 tracing.workspace = true
 url.workspace = true
 ulid.workspace = true
@@ -44,7 +44,3 @@ mas-jose.workspace = true
 mas-keystore.workspace = true
 mas-storage.workspace = true
 mas-templates.workspace = true
-
-[features]
-native-roots = ["mas-http/native-roots"]
-webpki-roots = ["mas-http/webpki-roots"]

crates/axum-utils/src/http_client_factory.rs

@@ -14,8 +14,8 @@
 
 use axum::body::Full;
 use mas_http::{
-    make_traced_connector, BodyToBytesResponseLayer, Client, ClientInitError, ClientLayer,
-    ClientService, HttpService, TracedClient, TracedConnector,
+    make_traced_connector, BodyToBytesResponseLayer, Client, ClientLayer, ClientService,
+    HttpService, TracedClient, TracedConnector,
 };
 use tower::{
     util::{MapErrLayer, MapRequestLayer},
@@ -28,18 +28,20 @@ pub struct HttpClientFactory {
     client_layer: ClientLayer,
 }
 
+impl Default for HttpClientFactory {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
 impl HttpClientFactory {
     /// Constructs a new HTTP client factory
-    ///
-    /// # Errors
-    ///
-    /// Returns an error if the client factory failed to initialise, which can
-    /// happen when it fails to load the system's CA certificates.
-    pub async fn new() -> Result<Self, ClientInitError> {
-        Ok(Self {
-            traced_connector: make_traced_connector().await?,
+    #[must_use]
+    pub fn new() -> Self {
+        Self {
+            traced_connector: make_traced_connector(),
             client_layer: ClientLayer::new(),
-        })
+        }
     }
 
     /// Constructs a new HTTP client

crates/cli/Cargo.toml

@@ -24,12 +24,12 @@ itertools = "0.12.1"
 listenfd = "1.0.1"
 rand.workspace = true
 rand_chacha = "0.3.1"
-rustls = "0.22.2"
+rustls.workspace = true
 serde_json.workspace = true
 serde_yaml = "0.9.30"
 sqlx = { version = "0.7.3", features = ["runtime-tokio-rustls", "postgres"] }
 tokio = { version = "1.35.1", features = ["full"] }
-tower = "0.4.13"
+tower.workspace = true
 tower-http = { version = "0.4.4", features = ["fs"] }
 url.workspace = true
 zeroize = "1.7.0"
@@ -57,7 +57,7 @@ mas-data-model.workspace = true
 mas-email.workspace = true
 mas-graphql.workspace = true
 mas-handlers = { workspace = true }
-mas-http = { workspace = true, features = ["axum", "client"] }
+mas-http = { workspace = true, features = ["client"] }
 mas-i18n.workspace = true
 mas-iana.workspace = true
 mas-keystore.workspace = true
@@ -75,18 +75,13 @@ mas-tower.workspace = true
 oauth2-types.workspace = true
 
 [features]
-default = ["webpki-roots", "policy-cache"]
+default = ["policy-cache"]
 
 # Features used for the prebuilt binaries
-dist = ["policy-cache", "native-roots", "mas-config/dist"]
+dist = ["policy-cache", "mas-config/dist"]
 
 # Features used in the Docker image
-docker = ["native-roots", "mas-config/docker"]
+docker = ["mas-config/docker"]
 
 # Enable wasmtime compilation cache
 policy-cache = ["mas-policy/cache"]
-
-# Use the native root certificates
-native-roots = ["mas-http/native-roots", "mas-handlers/native-roots"]
-# Use the webpki root certificates
-webpki-roots = ["mas-http/webpki-roots", "mas-handlers/webpki-roots"]

crates/cli/src/commands/debug.rs

@@ -67,7 +67,7 @@ impl Options {
     #[tracing::instrument(skip_all)]
     pub async fn run(self, root: &super::Options) -> anyhow::Result<()> {
         use Subcommand as SC;
-        let http_client_factory = HttpClientFactory::new().await?;
+        let http_client_factory = HttpClientFactory::new();
         match self.subcommand {
             SC::Http {
                 show_headers,

crates/cli/src/commands/doctor.rs

@@ -41,7 +41,7 @@ impl Options {
         let config: RootConfig = root.load_config()?;
 
         // We'll need an HTTP client
-        let http_client_factory = HttpClientFactory::new().await?;
+        let http_client_factory = HttpClientFactory::new();
         let base_url = config.http.public_base.as_str();
         let issuer = config.http.issuer.as_ref().map(url::Url::as_str);
         let issuer = issuer.unwrap_or(base_url);

crates/cli/src/commands/server.rs

@@ -146,7 +146,7 @@ impl Options {
         )
         .await?;
 
-        let http_client_factory = HttpClientFactory::new().await?;
+        let http_client_factory = HttpClientFactory::new();
 
         let homeserver_connection = SynapseConnection::new(
             config.matrix.homeserver.clone(),

crates/cli/src/commands/worker.rs

@@ -55,7 +55,7 @@ impl Options {
         let mailer = mailer_from_config(&config.email, &templates)?;
         mailer.test_connection().await?;
 
-        let http_client_factory = HttpClientFactory::new().await?;
+        let http_client_factory = HttpClientFactory::new();
         let conn = SynapseConnection::new(
             config.matrix.homeserver.clone(),
             config.matrix.endpoint.clone(),

crates/cli/src/main.rs

@@ -77,7 +77,7 @@ async fn try_main() -> anyhow::Result<()> {
         telemetry_config.sentry.dsn.as_deref(),
         sentry::ClientOptions {
             transport: Some(Arc::new(HyperTransportFactory::new(
-                mas_http::make_untraced_client().await?,
+                mas_http::make_untraced_client(),
             ))),
             traces_sample_rate: 1.0,
             auto_session_tracking: true,
@@ -99,9 +99,7 @@ async fn try_main() -> anyhow::Result<()> {
     });
 
     // Setup OpenTelemetry tracing and metrics
-    let tracer = telemetry::setup(&telemetry_config)
-        .await
-        .context("failed to setup OpenTelemetry")?;
+    let tracer = telemetry::setup(&telemetry_config).context("failed to setup OpenTelemetry")?;
 
     let telemetry_layer = tracer.map(|tracer| {
         tracing_opentelemetry::layer()