fix: force reqwest to always use rustls backend #3486

Merged: Frando merged 2 commits into main from Frando/reqwest-rustls on Sep 30, 2025

@Frando
Member

@Frando Frando commented Sep 30, 2025

Description

This changes all uses of reqwest in iroh to use ClientBuilder::use_rustls_tls() to force using the rustls TLS backend, even if the default-tls feature got enabled through feature unification (we don't enable it in iroh directly).

Reasoning:

We have reports of HTTPS net report probes failing. They do fail under the following circumstances:

  • We append a final dot to relay URL domains, to force absolute DNS resolution without appending a search domain.
  • reqwest uses the native-tls backend (which is platform dependent, and is OpenSSL on Linux) whenever the default-tls feature is enabled. It is on by default. If both rustls-tls and default-tls features are enabled, the native-tls backend wins.
  • In iroh, we use reqwest with default-features = false, features = ["rustls-tls"], so without other deps changing features, the rustls backend is used.
  • The rustls backend apparently cleans up the domain name, removing a final dot if present, before comparing it to the certificate's hostname.
  • OpenSSL apparently does not do that, so if the passed-in hostname has a final dot, but the certificate does not, an SSL verification error is thrown.
  • Now, if any other crate in a binary's deps enables the default-tls feature for reqwest, due to feature unification iroh now by default also uses the native-tls backend and not rustls anymore.

Breaking Changes

Notes & open questions

Change checklist

  • Self-review.
  • Documentation updates following the style guide, if relevant.
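
The trailing-dot mismatch from the description above, as an added example that is not part of this PR and is not rustls, OpenSSL, reqwest or iroh code: a simplified, std-only model of a verifier that compares the requested name as given and one that drops a trailing root dot first. The `Backend` enum, the function names and the example.com/example.net hostnames are constructed for illustration.

```rust
// Added example: a simplified std-only model of the two behaviours the PR
// describes. It is not rustls, OpenSSL, reqwest or iroh code.

#[derive(Debug, Clone, Copy, PartialEq)]
enum Backend {
    /// Compares the requested name as given (the behaviour the PR attributes to OpenSSL).
    Strict,
    /// Drops one trailing root dot first (the behaviour the PR attributes to rustls).
    Normalizing,
}

/// Label-wise, ASCII case-insensitive match of `host` against one certificate
/// DNS name. A leftmost `*` label matches exactly one label.
fn dns_name_matches(host: &str, cert_name: &str) -> bool {
    let h: Vec<&str> = host.split('.').collect();
    let c: Vec<&str> = cert_name.split('.').collect();
    // An empty label (e.g. from a trailing dot) never matches a certificate name.
    if h.len() != c.len() || h.iter().any(|l| l.is_empty()) {
        return false;
    }
    h.iter().zip(&c).enumerate().all(|(i, (&hl, &cl))| {
        (i == 0 && cl == "*" && c.len() > 2) || hl.eq_ignore_ascii_case(cl)
    })
}

/// Returns Ok if any certificate name matches the host the client asked for.
fn verify_host(backend: Backend, requested: &str, cert_names: &[&str]) -> Result<(), String> {
    let host = match backend {
        Backend::Strict => requested,
        Backend::Normalizing => requested.strip_suffix('.').unwrap_or(requested),
    };
    if cert_names.iter().any(|n| dns_name_matches(host, n)) {
        Ok(())
    } else {
        Err(format!("certificate not valid for name {host:?}"))
    }
}

fn main() {
    // Constructed sample data: certificate names and absolute (dotted) relay hosts.
    let cert_names = ["relay.example.com", "*.relay.example.net"];
    for host in ["relay.example.com", "relay.example.com.", "eu1.relay.example.net."] {
        for backend in [Backend::Strict, Backend::Normalizing] {
            println!("{backend:?} {host}: {:?}", verify_host(backend, host, &cert_names));
        }
    }
}
```

Only the dotted hosts differ between the two modes, which is why the probe failures depend on which backend feature unification selects rather than on the certificate itself.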

@github-actions

github-actions bot commented Sep 30, 2025

Documentation for this PR has been generated and is available at: https://n0-computer.github.io/iroh/pr/3486/docs/iroh/

Last updated: 2025-09-30T10:48:17Z

@github-actions

github-actions bot commented Sep 30, 2025

Netsim report & logs for this PR have been generated and are available at: LOGS
This report will remain available for 3 days.

Last updated for commit: 8a3d89c

@dignifiedquire
Contributor

looks like this is not available in wasm

@Frando
Member Author

Frando commented Sep 30, 2025

Pushed a commit that cfg's it out for wasm

@n0bot n0bot bot added this to iroh Sep 30, 2025
@github-project-automation github-project-automation bot moved this to 🏗 In progress in iroh Sep 30, 2025
@Frando Frando added this pull request to the merge queue Sep 30, 2025
Merged via the queue into main with commit 60d5310 Sep 30, 2025
30 checks passed
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in iroh Sep 30, 2025
@dignifiedquire dignifiedquire deleted the Frando/reqwest-rustls branch September 30, 2025 16:01