Closed
Conversation
Contributor
Author
|
Will work on failing tests (apologies) |
salmonsd
commented
Jan 20, 2026
Contributor
|
We can now also update |
Contributor
Author
thanks @musicinmybrain, was waiting for the official release! Only thing to watch for is axoupdater and the update to |
9bdfe48 to
ec325cf
Compare
Contributor
Author
|
Hey @zanieb, wanted to check-in and see if y'all have a plan for this or if there's anything I can do to help to get this implemented? |
zanieb
reviewed
Feb 4, 2026
zanieb
reviewed
Feb 4, 2026
zanieb
reviewed
Feb 4, 2026
zanieb
reviewed
Feb 4, 2026
Closed
Member
|
All dependency updates are merged and published. |
1 task
311d8ac to
9694a89
Compare
Contributor
Author
|
rebased onto uv will work to implement these suggestions: #17543 (comment) |
konstin
reviewed
Feb 11, 2026
9694a89 to
2b18f63
Compare
salmonsd
commented
Feb 18, 2026
salmonsd
commented
Feb 18, 2026
salmonsd
commented
Feb 18, 2026
Comment on lines
+1138
to
+1142
| // Specify identity encoding to prevent double compression from async_http_range_reader and reqwest | ||
| headers.insert( | ||
| reqwest::header::ACCEPT_ENCODING, | ||
| reqwest::header::HeaderValue::from_static("identity"), | ||
| ); |
Contributor
Author
There was a problem hiding this comment.
More info here: astral-sh/async_http_range_reader#3 (comment)
salmonsd
commented
Feb 18, 2026
salmonsd
commented
Feb 18, 2026
salmonsd
commented
Feb 18, 2026
| use tracing::debug; | ||
|
|
||
| use uv_client::{BaseClientBuilder, WrappedReqwestError}; | ||
| use uv_client::BaseClientBuilder; |
Contributor
Author
There was a problem hiding this comment.
This removal is related to axoupdater (and depedent axoasset) on an older version of reqwest.
Related:
salmonsd
commented
Feb 18, 2026
Member
|
CI is currently failing because we introduced an openssl dependency. |
27d53ce to
1aae7bf
Compare
salmonsd
commented
Mar 17, 2026
9ab78c4 to
6aecc7d
Compare
zanieb
added a commit
that referenced
this pull request
Mar 17, 2026
Needed for WinGet in #17543 The `windows-latest` label already changed https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/ I don't think this should affect users.
Merging this PR will not alter performance
Performance Changes
Comparing 
|
zanieb
added a commit
that referenced
this pull request
Mar 23, 2026
The following user-facing changes are included here: - `aws-lc` is used instead of `ring` for a cryptography backend - Expands our certificate signature algorithm support to include ECDSA_P256_SHA512, ECDSA_P384_SHA512, ECDSA_P521_SHA256, ECDSA_P521_SHA384, and ECDSA_P521_SHA512 - `--native-tls` is deprecated in favor of a new `--system-certs` flag, avoiding confusion with the TLS implementation used (we use `rustls` not `native-tls`, see prior confusion at #11595) - NASM is a new build requirement on Windows, it is required by `aws-lc` on x86-64 and i386 - `rustls-platform-verifier` is used instead of `rustls-native-certs` for system certificate verification - On macOS, certificate validation is now delegated to `Security.framework` (`SecTrust`). Performance when using `--system-certs` is improved by avoiding exporting and parsing all the certificates from the keychain at startup. - On Windows, certificate validation is now delegated to `CertGetCertificateChain` and `CertVerifyCertificateChainPolicy` - On Linux, certificate validation should be approximately unchanged - Some previously failing chains may succeed, and some previously accepted chains may fail; generally, this should result in behavior closer matching browsers and other native applications - macOS and Windows may now perform live OCSP fetches for early revocation, which could add latency to some requests - Empty `SSL_CERT_FILE` values are ignored (for consistency with `SSL_CERT_DIR`) The following internal changes are included here: - Certificate loading has been refactored to use a newtype with helper methods - The certificate tests have been rewritten - We use `webpki-root-certs` instead of `webpki-roots`, see #17543 (comment) - We request `identity` encoding for range requests, see astral-sh/async_http_range_reader#3 (comment) - Various dependencies (including forks) updates to versions which use reqwest 0.13+ This is a replacement of #17543 with an updated description. See that pull request for prior discussion. I've made the following changes from the initial approach there: - Previously, the `native-tls` TLS implementation was added which included an OpenSSL build. We don't currently use the `native-tls` implementation, but the `--native-tls` flag there was erroneously updated to enable it. - Previously, there was a `--tls-backend` flag to toggle between `native-tls` and `rustls`. Since we currently always use `rustls`, this is deferred to future work (if we need it at all). - Previously, there were unintentional breaking changes to `SSL_CERT_FILE` and `SSL_CERT_DIR` handling, including merging with the base certificates instead of replacing them, dropping support for OpenSSL hash-named certificate files, skipping deduplication of certificates. Here, we retain use of `rustls-native-certs` for loading certificates from the system as it handles these edge cases. Closes #17427 --------- Co-authored-by: salmonsd <22984014+salmonsd@users.noreply.github.com>
Contributor
Author
|
Closing in favor of #18550 |
Member
|
Thank you for your work on this! |
konstin
pushed a commit
that referenced
this pull request
Mar 24, 2026
The following user-facing changes are included here: - `aws-lc` is used instead of `ring` for a cryptography backend - Expands our certificate signature algorithm support to include ECDSA_P256_SHA512, ECDSA_P384_SHA512, ECDSA_P521_SHA256, ECDSA_P521_SHA384, and ECDSA_P521_SHA512 - `--native-tls` is deprecated in favor of a new `--system-certs` flag, avoiding confusion with the TLS implementation used (we use `rustls` not `native-tls`, see prior confusion at #11595) - NASM is a new build requirement on Windows, it is required by `aws-lc` on x86-64 and i386 - `rustls-platform-verifier` is used instead of `rustls-native-certs` for system certificate verification - On macOS, certificate validation is now delegated to `Security.framework` (`SecTrust`). Performance when using `--system-certs` is improved by avoiding exporting and parsing all the certificates from the keychain at startup. - On Windows, certificate validation is now delegated to `CertGetCertificateChain` and `CertVerifyCertificateChainPolicy` - On Linux, certificate validation should be approximately unchanged - Some previously failing chains may succeed, and some previously accepted chains may fail; generally, this should result in behavior closer matching browsers and other native applications - macOS and Windows may now perform live OCSP fetches for early revocation, which could add latency to some requests - Empty `SSL_CERT_FILE` values are ignored (for consistency with `SSL_CERT_DIR`) The following internal changes are included here: - Certificate loading has been refactored to use a newtype with helper methods - The certificate tests have been rewritten - We use `webpki-root-certs` instead of `webpki-roots`, see #17543 (comment) - We request `identity` encoding for range requests, see astral-sh/async_http_range_reader#3 (comment) - Various dependencies (including forks) updates to versions which use reqwest 0.13+ This is a replacement of #17543 with an updated description. See that pull request for prior discussion. I've made the following changes from the initial approach there: - Previously, the `native-tls` TLS implementation was added which included an OpenSSL build. We don't currently use the `native-tls` implementation, but the `--native-tls` flag there was erroneously updated to enable it. - Previously, there was a `--tls-backend` flag to toggle between `native-tls` and `rustls`. Since we currently always use `rustls`, this is deferred to future work (if we need it at all). - Previously, there were unintentional breaking changes to `SSL_CERT_FILE` and `SSL_CERT_DIR` handling, including merging with the base certificates instead of replacing them, dropping support for OpenSSL hash-named certificate files, skipping deduplication of certificates. Here, we retain use of `rustls-native-certs` for loading certificates from the system as it handles these edge cases. Closes #17427 --------- Co-authored-by: salmonsd <22984014+salmonsd@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR improves the TLS experience by upgrading reqwest to
0.13.1via #17427It adds support for three TLS backends via a new hidden
--tls-backendflag:rustls-webpki— bundled Mozilla roots fromwebpki-root-certs(default)rustls— platform/system verifier viarustls-platform-verifiernative-tls— native system TLS stackCustom certificates from
SSL_CERT_FILE/SSL_CERT_DIRare merged unconditionally into the root store across all backends usingreqwest::tls_merge_certs(), ensuring consistent support in corporate or CI setups without backend-specific gating.The
--native-tlsflag andUV_NATIVE_TLSenv var are retained for compatibility, mapping to thenative-tlsbackend.Motivation
reqwest0.13.1 defaults torustlsas its TLS backend w/ platform verification and removes built-inwebpki-roots, and moves its default crypto provider to aws-lc instead of ring (increasing the number of cert signature algos supported) to improve TLS experience.Changes
Dependency updates
reqwest→0.13.1(pinned)reqsign→0.19.0webpki-root-certs0.13.1reqwest-middleware#110.13.1ambient-id#210.13.1async_http_range_reader#3TLS backend selection
--tls-backendflag:rustls-webpki|rustls|native-tls--native-tlspreserved (with explicit conflict handling)UV_NATIVE_TLSenv var maps tonative-tlsbackendrustls-webpkiCertificate handling
webpki-root-certsreqwest::tls_certs_onlyto initialize the root store with bundled certsSSL_CERT_FILE/SSL_CERT_DIRusingtls_merge_certsreqwest's certificate merging machinery → avoids custom root store or TLS config managementRefactoring & cleanup
uv-client/base_client.rsanduv-client/ssl_certs.rsaccept-encoding: identityinregistry_client.rswhere requiredDocumentation
certificates.md:rustls-webpkifor consistency,native-tlsfor proxies)SSL_CERT_*behavior and migration notesTesting
uv-client/tests/ssl_certs.rs(loading, precedence, all backends)nextest.tomlwith SSL test profile overrideTrade-offs & Future Work
webpki-root-certs+tls_certs_only+tls_merge_certskeeps maintenance low and avoids re-implementing root store logicreqwestinternals--native-tlsretained for smooth transition; long-term plan is deprecation--tls-backendto visible/stable--system-certs/--no-system-certsaliases (preview)rustls(platform verifier) in a future breaking release--native-tlsandUV_NATIVE_TLS