From 3fbd583f297bb523bbf0fd6cd2a392f90994bedd Mon Sep 17 00:00:00 2001 From: Dominik Nakamura Date: Mon, 12 Jul 2021 22:37:52 +0900 Subject: [PATCH 1/4] Enable root cert providers through feature flags --- Cargo.toml | 12 +++++++++--- src/client.rs | 13 +++++++++++-- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index b531488..50c13db 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,7 +19,9 @@ all-features = true default = [] native-tls = ["native-tls-crate"] native-tls-vendored = ["native-tls", "native-tls-crate/vendored"] -rustls-tls = ["rustls", "webpki", "rustls-native-certs"] +rustls-tls = ["rustls", "webpki"] +rustls-tls-native-roots = ["rustls-tls", "rustls-native-certs"] +rustls-tls-webpki-roots = ["rustls-tls", "webpki-roots"] [dependencies] base64 = "0.13.0" @@ -43,13 +45,17 @@ version = "0.2.3" optional = true version = "0.19.0" +[dependencies.rustls-native-certs] +optional = true +version = "0.5.0" + [dependencies.webpki] optional = true version = "0.21" -[dependencies.rustls-native-certs] +[dependencies.webpki-roots] optional = true -version = "0.5.0" +version = "0.21" [dev-dependencies] criterion = "0.3.4" diff --git a/src/client.rs b/src/client.rs index d4d9492..1a473f0 100644 --- a/src/client.rs +++ b/src/client.rs 
@@ -71,12 +71,21 @@ mod encryption { Mode::Plain => Ok(StreamSwitcher::Plain(stream)), Mode::Tls => { let config = { + #[allow(unused_mut)] let mut config = ClientConfig::new(); - config.root_store = - rustls_native_certs::load_native_certs().map_err(|(_, err)| err)?; + #[cfg(feature = "rustls-native-roots")] + { + config.root_store = + rustls_native_certs::load_native_certs().map_err(|(_, err)| err)?; + } + #[cfg(feature = "rustls-webpki-roots")] + { + config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS); + } Arc::new(config) }; + let domain = DNSNameRef::try_from_ascii_str(domain).map_err(TlsError::Dns)?; let client = ClientSession::new(&config, domain); let stream = StreamOwned::new(client, stream); From 3efb0544c692948be660ebc26d61177b7705963a Mon Sep 17 00:00:00 2001 From: Dominik Nakamura Date: Tue, 13 Jul 2021 17:46:48 +0900 Subject: [PATCH 2/4] Remove the rustls-tls feature flag --- Cargo.toml | 5 ++--- src/client.rs | 11 +++++++++-- src/error.rs | 4 ++-- src/stream.rs | 4 ++-- tests/connection_reset.rs | 11 +++++++++-- 5 files changed, 24 insertions(+), 11 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 50c13db..5590546 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,9 +19,8 @@ all-features = true default = [] native-tls = ["native-tls-crate"] native-tls-vendored = ["native-tls", "native-tls-crate/vendored"] -rustls-tls = ["rustls", "webpki"] -rustls-tls-native-roots = ["rustls-tls", "rustls-native-certs"] -rustls-tls-webpki-roots = ["rustls-tls", "webpki-roots"] +rustls-tls-native-roots = ["rustls", "webpki", "rustls-native-certs"] +rustls-tls-webpki-roots = ["rustls", "webpki", "webpki-roots"] [dependencies] base64 = "0.13.0" diff --git a/src/client.rs b/src/client.rs index 1a473f0..6b9c21c 100644 --- a/src/client.rs +++ b/src/client.rs 
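Review bot: The two root-source blocks compose only by accident of order: the first `#[cfg]` block assigns `config.root_store` wholesale while the second appends with `add_server_trust_anchors`, so with both features enabled the native anchors survive only because that assignment runs first, and reordering the blocks or adding a third source later would silently drop anchors the changelog promises are additive. Making the native branch additive removes the dependency, e.g. `config.root_store.roots.extend(rustls_native_certs::load_native_certs().map_err(|(_, err)| err)?.roots);` if `RootCertStore::roots` is public in the rustls version pinned here; otherwise at least pin the order with `// Assignment must stay first: the blocks below only add to the store.` The same code appears again in the PATCH 4/4 hunk of src/client.rs. The enclosing `match` and its function start and end outside this hunk.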
@@ -50,7 +50,10 @@ mod encryption { } } -#[cfg(all(feature = "rustls-tls", not(feature = "native-tls")))] +#[cfg(all( + any(feature = "rustls-tls-native-roots", feature = "rustls-tls-webpki-roots"), + not(feature = "native-tls") +))] mod encryption { use rustls::ClientConfig; pub use rustls::{ClientSession, StreamOwned}; @@ -96,7 +99,11 @@ mod encryption { } } -#[cfg(not(any(feature = "native-tls", feature = "rustls-tls")))] +#[cfg(not(any( + feature = "native-tls", + feature = "rustls-tls-native-roots", + feature = "rustls-tls-webpki-roots" +)))] mod encryption { use std::net::TcpStream; diff --git a/src/error.rs b/src/error.rs index 6ab7420..d1d176b 100644 --- a/src/error.rs +++ b/src/error.rs @@ -253,11 +253,11 @@ pub enum TlsError { #[error("native-tls error: {0}")] Native(#[from] native_tls_crate::Error), /// Rustls error. - #[cfg(feature = "rustls-tls")] + #[cfg(any(feature = "rustls-tls-native-roots", feature = "rustls-tls-webpki-roots"))] #[error("rustls error: {0}")] Rustls(#[from] rustls::TLSError), /// DNS name resolution error. - #[cfg(feature = "rustls-tls")] + #[cfg(any(feature = "rustls-tls-native-roots", feature = "rustls-tls-webpki-roots"))] #[error("Invalid DNS name: {0}")] Dns(#[from] webpki::InvalidDNSNameError), } diff --git a/src/stream.rs b/src/stream.rs index 4d60405..5edfe03 100644 --- a/src/stream.rs +++ b/src/stream.rs @@ -10,7 +10,7 @@ use std::net::TcpStream; #[cfg(feature = "native-tls")] use native_tls_crate::TlsStream; -#[cfg(feature = "rustls-tls")] +#[cfg(any(feature = "rustls-tls-native-roots", feature = "rustls-tls-webpki-roots"))] use rustls::StreamOwned; /// Stream mode, either plain TCP or TLS. @@ -41,7 +41,7 @@ impl NoDelay for TlsStream { } } -#[cfg(feature = "rustls-tls")] +#[cfg(any(feature = "rustls-tls-native-roots", feature = "rustls-tls-webpki-roots"))] impl NoDelay for StreamOwned { fn set_nodelay(&mut self, nodelay: bool) -> IoResult<()> { self.sock.set_nodelay(nodelay) 
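Review bot: The rustls `mod encryption` selector in src/client.rs keeps `not(feature = "native-tls")`, so when a rustls root feature and `native-tls` are both enabled the rustls trust store is silently ignored, and nothing in the code says so; that combination is easy to reach because Cargo unifies features across the dependency graph, so a dependency turning on `native-tls` changes which backend and which root store this crate uses. A comment on the rustls `#[cfg(all(...))]` would make the precedence explicit, e.g. `// native-tls takes precedence when several TLS backends are enabled; feature unification can cause this without the top-level crate asking for it.` The `any(feature = "rustls-tls-native-roots", feature = "rustls-tls-webpki-roots")` predicate is now repeated in src/error.rs, src/stream.rs and tests/connection_reset.rs, so a future third root source has to be added at every site; a one-line note next to the feature table in Cargo.toml listing those sites would help.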
diff --git a/tests/connection_reset.rs b/tests/connection_reset.rs index 7f625be..c14f2ec 100644 --- a/tests/connection_reset.rs +++ b/tests/connection_reset.rs @@ -1,6 +1,10 @@ //! Verifies that the server returns a `ConnectionClosed` error when the connection //! is closed from the server's point of view and drop the underlying tcp socket. -#![cfg(any(feature = "native-tls", feature = "rustls-tls"))] +#![cfg(any( + feature = "native-tls", + feature = "rustls-tls-native-roots", + feature = "rustls-tls-webpki-roots" +))] use std::{ net::{TcpListener, TcpStream}, @@ -15,7 +19,10 @@ use url::Url; #[cfg(feature = "native-tls")] type Sock = WebSocket>>; -#[cfg(all(feature = "rustls-tls", not(feature = "native-tls")))] +#[cfg(all( + any(feature = "rustls-tls-native-roots", feature = "rustls-tls-webpki-roots"), + not(feature = "native-tls") +))] type Sock = WebSocket>>; fn do_test(port: u16, client_task: CT, server_task: ST) From 02fb5db98f1aed93ef64b27fb4b874de208ba1f6 Mon Sep 17 00:00:00 2001 From: Dominik Nakamura Date: Tue, 13 Jul 2021 17:52:47 +0900 Subject: [PATCH 3/4] Mention changes in the changelog --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 889fa2d..06b6b04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,14 @@ +# 0.15.0 (unreleased) + +- Allow selecting the method of loading root certificates if `rustls` is used as TLS implementation. + - Two new feature flags `rustls-tls-native-roots` and `rustls-tls-webpki-roots` have been added + that activate the respective method to load certificates. + - The `rustls-tls` flag was removed to raise awareness of this change. Otherwise, compilation + would have continue to work and potential errors (due to different or missing certificates) + only occurred at runtime. + - The new feature flags are additive. If both are enabled, both methods will be used to add + certificates to the TLS configuration. + # 0.14.0 - Use `rustls-native-certs` instead of `webpki-root` when `rustls-tls` feature is enabled. From 8b029baa8dd65e513b7ae4264ae472596c9e2f4c Mon Sep 17 00:00:00 2001 From: Dominik Nakamura Date: Wed, 14 Jul 2021 00:21:37 +0900 Subject: [PATCH 4/4] Fix wrong feature name when setting certs --- src/client.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/client.rs b/src/client.rs index 6b9c21c..04ce540 100644 --- a/src/client.rs +++ b/src/client.rs @@ -76,12 +76,12 @@ mod encryption { let config = { #[allow(unused_mut)] let mut config = ClientConfig::new(); - #[cfg(feature = "rustls-native-roots")] + #[cfg(feature = "rustls-tls-native-roots")] { config.root_store = rustls_native_certs::load_native_certs().map_err(|(_, err)| err)?; } - #[cfg(feature = "rustls-webpki-roots")] + #[cfg(feature = "rustls-tls-webpki-roots")] { config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS); }
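Review bot: `map_err(|(_, err)| err)?` in the native-roots block discards the first element of the error tuple, which looks like the partially loaded store `load_native_certs` hands back when only some system certificates could be parsed, so one unreadable certificate in the OS store makes every handshake fail instead of proceeding with the rest. Failing closed is the safer choice, but it should be stated where it is made: `// A partial system store is rejected on purpose: a loud load error beats handshakes that depend on which certificate failed to parse.` Since PATCH 2/4 compiles this module only when at least one root feature is on, one of the two `#[cfg]` blocks always mutates `config`, so the `#[allow(unused_mut)]` visible two lines above the hunk's first change is now dead and can go. The enclosing function starts and ends outside this hunk.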