Upgrading `reqwest` to `0.13.1` to improve TLS experience

[salmonsd]

Summary

It has been well documented that many end users have experienced issues with --native-tls not working as expected, especially when it comes to using uv with corporate CAs. And using allow-insecure-host is not a great option long-term for security reasons.

By upgrading reqwest to 0.13.1, we can take advantage of using rustls as the default backend and utilize rustls-platform-verifier instead of rustls-native-certs, which allows us to use more cert signatures supported through aws-lc instead of ring. We can still include and use native-tls to preserve existing functionality, but this would eliminate the SSL_CERT_DIR and SSL_CERT_FILE env var needs for many end users, provided certs are included in their OS certificate store.

The following updates would need to be made to update reqwest to 0.13.1 along with updating necessary and/or changed features:

• astral-sh/reqwest-middleware (merge updates from TrueLayer/reqwest-middleware)
  • astral-reqwest-middleware --> update to 0.5.0
  • astral-reqwest-tracing --> update to 0.6.0
  • astral-reqwest-retry --> update to 0.9.0
• astral-sh/ambient-id
• astral-sh/async_http_range_reader

Main updates for uv/Cargo.toml (ambient-id, and dev-dependencies excluded):

reqwest = { version = "0.13.1", default-features = false, features = ["json", "gzip", "deflate", "zstd", "stream", "system-proxy", "rustls", "socks", "multipart", "http2", "blocking", "query", "form", "native-tls"] }
reqwest-middleware = { version = "0.5.0", package = "astral-reqwest-middleware", features = ["multipart", "json", "query", "form"] }
reqwest-retry = { version = "0.9.0", package = "astral-reqwest-retry" }

I was able to build and patch locally and was able to successfully run uv to work with my Corporate Cert.

Related:

• https://github.com/rustls/rustls-native-certs/tree/main

Instead of this crate, we suggest using rustls-platform-verifier which provides a more robust solution with a simpler API. This crate is still maintained, but mostly for use inside the platform verifier on platforms where no other solution is available. For more context, see deployment considerations.

• Consider using the system SSL library, i.e., OpenSSL instead of rusttls / ring #11595
• Again problems with the --native-tls flag or SSL_CERT_FILE #9243
• invalid peer certificate: BadSignature when installing package from private index using ECDSA SHA-512 SSL cert #4534
• Operation timed out when trying to uv python install or uv add on work computer #16360
• Flag --native-tls still shows UnknownIssuer on windows. #17355
• uv pip install doesn't work with : ⁠UV_NATIVE_TLS and ⁠--native-tls - No detection system certificates, requiring ⁠--allow-insecure-host #16412
• UnsupportedSignatureAlgorithmForPublicKeyContext when connecting to wiki.dn42 rustls/rustls#2825
• https://github.com/seanmonstar/reqwest/pull/2915/changes

Example

These changes would only affect the uv-client crate with the subsequent changes.

• remove all calls for built_in_root_certs no longer available from reqwest
• uv/crates/uv-client/src/base_client.rs

    fn create_client(
        &self,
        user_agent: &str,
        timeout: Duration,
        _ssl_cert_file_exists: bool,
        _ssl_cert_dir_exists: bool,
        security: Security,
        redirect_policy: RedirectPolicy,
    ) -> Client {
        // Configure the builder.
        let client_builder = ClientBuilder::new()
            .http1_title_case_headers()
            .user_agent(user_agent)
            .pool_max_idle_per_host(20)
            .read_timeout(timeout)
            .redirect(redirect_policy.reqwest_policy());

        // If necessary, accept invalid certificates.
        let client_builder = match security {
            Security::Secure => client_builder,
            Security::Insecure => client_builder.danger_accept_invalid_certs(true),
        };

        // Note: SSL_CERT_FILE/SSL_CERT_DIR are NOT supported by rustls-platform-verifier.
        // Users needing custom certificates should either:
        //   1. Install certificates in OS certificate store (recommended)
        //   2. Use --native-tls flag on Linux (uses OpenSSL which supports SSL_CERT_*)
        let client_builder = if self.native_tls {
            client_builder.tls_backend_native()
        } else {
            client_builder.tls_backend_rustls()
        };

[zanieb]

Per your code comment, this would break support for SSL_CERT_FILE and SSL_CERT_DIR?

[zanieb]

This would also break the functionality added in #14816? cc @nilskch

[nilskch]

#14816 is not exposed to the uv cli. It's for library consumers only (or it at least was the case when I made the PR). We do not use built_in_root_certs anymore, so it would be fine for us making a breaking change here.

uv/crates/uv-client/src/base_client.rs

Lines 227 to 231 in 4ee320b

	#[must_use]
	pub fn built_in_root_certs(mut self, built_in_root_certs: bool) -> Self {
	self.built_in_root_certs = built_in_root_certs;
	self
	}

We now provide a custom_client (previously called with_custom_client, introduced in #15281):

uv/crates/uv-client/src/base_client.rs

Lines 191 to 195 in 4ee320b

	#[must_use]
	pub fn custom_client(mut self, client: Client) -> Self {
	self.custom_client = Some(client);
	self
	}

I am not sure if this is a breaking change since I am not very familiar with the latest reqwest client APIs.

cc @schmelczer

[salmonsd]

Per your code comment, this would break support for SSL_CERT_FILE and SSL_CERT_DIR?

Correct, with reqwest moving to rustls w/ rustls-platform-verifier, SSL_CERT_FILE and SSL_CERT_DIR are ignored. With the exception of Linux using native-tls, which can use the native-tls backend. In that case, it has full OpenSSL support and that can use SSL_CERT_FILE and SSL_CERT_DIR.

Happy to prove this out further, as needed, and PR it. Just let me know.

[zanieb]

Feel free to open a pull request, but we'll need to defer it to a breaking release. I'm also pretty worried about breaking SSL_CERT_FILE and SSL_CERT_DIR but I'm not sure we can do much about that long-term.

[salmonsd]

Understood, to be clear, this is a breaking change by default.

However, if we want to continue supporting SSL_CERT_FILE AND SSL_CERT_DIR, we could extend the ClientBuilder using tls_certs_merge (source).

And then extendbase_client.rs to merge the certs:

// Example Mockup, not proposed implementation
let mut client_builder = ClientBuilder::new().tls_backend_rustls();

let mut extra_certs = Vec::new();

// Load from SSL_CERT_FILE
if let Ok(cert_file) = env::var("SSL_CERT_FILE") {
    if let Ok(cert_pem) = std::fs::read(&cert_file) {
        if let Ok(cert) = Certificate::from_pem(&cert_pem) {
            extra_certs.push(cert);
        }
    }
}

// Load from SSL_CERT_DIR
if let Ok(cert_dir) = env::var("SSL_CERT_DIR") {
    // ... load all .crt/.pem files and add to extra_certs
}

// Merge these certs WITH the OS certificate store
if !extra_certs.is_empty() {
    client_builder = client_builder.tls_certs_merge(extra_certs);
}

[zanieb]

Oh, we should aspire to do that — we really don't like breaking things :)