rustls · djc · Nov 15, 2023 · Nov 15, 2023
diff --git a/examples/client.rs b/examples/client.rs
@@ -60,7 +60,7 @@ async fn run_client() -> io::Result<()> {
         // Default TLS client config with native roots
         None => rustls::ClientConfig::builder()
             .with_safe_defaults()
-            .with_native_roots()
+            .with_native_roots()?
             .with_no_client_auth(),
     };
     // Prepare the HTTPS connector

diff --git a/src/config.rs b/src/config.rs
@@ -8,9 +8,14 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 pub trait ConfigBuilderExt {
     /// This configures the platform's trusted certs, as implemented by
     /// rustls-native-certs
+    ///
+    /// This will return an error if no valid certs were found. In that case,
+    /// it's recommended to use `with_webpki_roots`.
     #[cfg(feature = "rustls-native-certs")]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
-    fn with_native_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert>;
+    fn with_native_roots(
+        self,
+    ) -> std::io::Result<ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert>>;
 
     /// This configures the webpki roots, which are Mozilla's set of
     /// trusted roots as packaged by webpki-roots.
@@ -23,7 +28,9 @@ impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
     #[cfg(feature = "rustls-native-certs")]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
     #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
-    fn with_native_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert> {
+    fn with_native_roots(
+        self,
+    ) -> std::io::Result<ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert>> {
         let mut roots = rustls::RootCertStore::empty();
         let mut valid_count = 0;
         let mut invalid_count = 0;
@@ -45,9 +52,15 @@ impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
             valid_count,
             invalid_count
         );
-        assert!(!roots.is_empty(), "no CA certificates found");
+        if roots.is_empty() {
+            crate::log::debug!("no valid native root CA certificates found");
+            Err(std::io::Error::new(
+                std::io::ErrorKind::NotFound,
+                format!("no valid native root CA certificates found ({invalid_count} invalid)"),
+            ))?
+        }
 
-        self.with_root_certificates(roots)
+        Ok(self.with_root_certificates(roots))
     }
 
     #[cfg(feature = "webpki-roots")]

diff --git a/src/connector/builder.rs b/src/connector/builder.rs
@@ -59,13 +59,13 @@ impl ConnectorBuilder<WantsTlsConfig> {
     /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
     #[cfg(feature = "rustls-native-certs")]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
-    pub fn with_native_roots(self) -> ConnectorBuilder<WantsSchemes> {
-        self.with_tls_config(
+    pub fn with_native_roots(self) -> std::io::Result<ConnectorBuilder<WantsSchemes>> {
+        Ok(self.with_tls_config(
             ClientConfig::builder()
                 .with_safe_defaults()
-                .with_native_roots()
+                .with_native_roots()?
                 .with_no_client_auth(),
-        )
+        ))
     }
 
     /// Shorthand for using rustls' [safe defaults][with_safe_defaults]

diff --git a/src/lib.rs b/src/lib.rs
@@ -14,6 +14,7 @@
 //! let url = ("https://hyper.rs").parse().unwrap();
 //! let https = hyper_rustls::HttpsConnectorBuilder::new()
 //!     .with_native_roots()
+//!     .expect("no native root CA certificates found")
 //!     .https_only()
 //!     .enable_http1()
 //!     .build();
@@ -59,6 +60,7 @@
 //! let key = rustls::PrivateKey(keys[0].clone());
 //! let https = hyper_rustls::HttpsConnectorBuilder::new()
 //!     .with_native_roots()
+//!     .expect("no native root CA certificates found")
 //!     .https_only()
 //!     .enable_http1()
 //!     .build();