rustls-tls-native-roots does not imply rustls-tls-native-roots for tungstenite #313
Description
I have encountered something that is is not a bug per se, but rather a hard-to-debug gotcha.
It is a combination of two facts:
tokio-tungstenitere-exports the entiretungsteniteAPI surfacerustls-tls-native-rootsfeature intokio-tungstenitedoes not enable therustls-tls-native-rootsfeature intungstenite- still, it enables some support through the internal
__rustls-tlsfeature
In our project we provide both the async and sync versions of the API by using either tungstenite or tokio-tungstenite in the implementation. Some time ago we decided not to depend on tungstenite directly, but use the re-exported version of tokio-tungstenite.
However, even though rustls-tls-native-roots on tokio-tungstenite is enabled, an attempt to made a sync connection with tungstenite to a server fails.
And the hard-to-debug part of this is the error message: Io(Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) }). It suggests that there's some kind of problem with the TLS certificate.
However, in actuality, it is due to the fact that the re-exported tungstenite has TLS support enabled, but doesn't have any way to verify the certificate, so it just fails with this message. It doesn't point to the root issue (lack of the TLS verification features on the `tungstenite). I think this is not a good UX.
It might have been better if rustls-tls-native-roots feature on tokio-tungstenite (and, I think, the same problem affects rustls-tls-webpki-roots) also enabled rustls-tls-native-roots feature of tungstenite. If this is infeasible, tungstenite might detect such a condition and provide an error message pointing out the lack of configured cert verification methods.