feat: allow to customize TLS trust roots

[Frando]

Description

This adds customization to how certificates for non-iroh TLS connections are verified. It adds a new CaRootsConfig struct which provides these options:

• Embedded WebPki roots (like currently), with optional extra roots
• Operating system's roots, with optional extra roots
• Custom list of roots only
• No verification (gated behind test-utils feature, like now)

This struct can be built into a rustls::ClientConfig, which is then used for:

• Connecting to relays, both HTTPS probes, QAD, and actual WebSocket connections
• Connecting to pkarr servers
• In the DNS resolver, if DNS-over-HTTPS is configured

I think that's all places where we use TLS connections in iroh. Will have another look if we missed any.

Breaking Changes

Removed:

• iroh::endpoint::Builder::insecure_skip_cert_verify, use Builder::ca_roots_config(CaRootsConfig::insecure_skip_verify()) instead
• iroh_relay::client::ClientBuilder::insecure_skip_cert_verify, remove ClientBuilder::tls_client_config instead
• iroh::address_lookup::pkarr::PkarrResolverBuilder::build and iroh::address_lookup::pkarr::PkarrPublisherBuilder::build now take a tls_config: rustls::ClientConfig arg. If building via Endpoint::add_discovery or endpoint::Builder::discovery no change is needed since the TLS config is passed from the endpoint builder. If constructing manually for some reason, either pass Endpoint::tls_config or construct a TLS config yourself, e.g. via iroh::tls::CaRootsConfig::client_config.

Change checklist

• Self-review.
• Documentation updates following the style guide, if relevant.
• Tests if relevant.
• All breaking changes documented.
  • List all breaking changes in the above "Breaking Changes" section.

[github-actions]

Documentation for this PR has been generated and is available at: https://n0-computer.github.io/iroh/pr/3973/docs/iroh/

Last updated: 2026-02-27T10:47:49Z

[github-actions]

Netsim report & logs for this PR have been generated and is available at: LOGS
This report will remain available for 3 days.

Last updated for commit: f56c4cd

[Frando]

Interesting: I switched the default to use the operating system's defaults, and tests fail on windows and android. Will have a closer look soon. But maybe we should stay with embedded WebPKI as default then.

Edit: Windows fails the integration test with
2026-02-25T13:27:49.7969117Z 2026-02-25T13:27:38.015343Z WARN actor:reportgen-actor:run-probe{proto=Https delay=200ms relay=RelayConfig { url: RelayUrl("https://staging-euw1-1.relay.iroh.network./"), quic: Some(RelayQuicConfig { port: 7842 }) }}: iroh::net_report::reportgen: probe failed: Failed to run HTTPS probe: HTTP request failed: error sending request for url (https://staging-euw1-1.relay.iroh.network./ping): client error (Connect): invalid peer certificate: NotValidForName
i.e. it seems there's no host certs, or they are somehow not trusting our cert?

[Frando]

I switched the default back to the embedded roots.

[dignifiedquire]

should this be an option on the webtlsconfig?

[Frando]

No, this setting is about TLS config for iroh connections, not WebTls

[Frando]

We could add this to WebTlsConfig as well. Currently WebTls doesn't ever have resumption configured. Do we? Don't think there's any 0RTT though for our web uses

[matheus23]

I think this is out-of-scope for CaRootsConfig (now that we've renamed it that's maybe clearer).
Making keylog effect TLS connections other than the iroh ones is perhaps another issue/PR.

[dignifiedquire]

what about these other tls options?

[matheus23]

IMO they're out-of-scope for the current CaRootsConfig.

Maybe in the future we group CaRootsConfig and friends into a TlsConfig down the line, but IMO that's another PR.

(Also TLS tickets are probably only relevant to iroh connections)

[matheus23]

Happy to see this land. Not sure if this should be 0.97 or 0.98.

[matheus23]

Generally not sure we need to duplicate the docs on this struct now.

[matheus23]

Great PR, thank you!