Skip to content

feat(http-transport-reqwest): allow tls options#7798

Merged
Xuanwo merged 22 commits into
mainfrom
feat/reqwest-tls-options
Jul 6, 2026
Merged

feat(http-transport-reqwest): allow tls options#7798
Xuanwo merged 22 commits into
mainfrom
feat/reqwest-tls-options

Conversation

@erickguan

Copy link
Copy Markdown
Member

Which issue does this PR close?

Closes #7762.

Rationale for this change

Allow easier configurations of TLS backend to reqwest.

What changes are included in this PR?

  • TLS configurations
  • feature knobs

Are there any user-facing changes?

Yes, for http-transport-reqwest. The default configuration for http-transport-reqwest is to compile native-tls support.

Users who wants rustls must compile their own http-transport-reqwest.

AI Usage Statement

Claude Opus 4.6 helps implementation.

@dosubot dosubot Bot added size:XL This PR changes 500-999 lines, ignoring generated files. releases-note/feat The PR implements a new feature or has a title that begins with "feat" labels Jun 18, 2026
@erickguan

erickguan commented Jun 18, 2026

Copy link
Copy Markdown
Member Author

@Xuanwo Can you have a look on the default feature proposed in PR? Then I can resolve build issues in CI.

Comment thread core/Cargo.toml
Comment thread core/http-transports/reqwest/Cargo.toml Outdated
# Use Rustls without a built-in crypto provider.
rustls-no-provider = ["reqwest/rustls-no-provider"]
# Use Rustls with the aws-lc-rs crypto provider and bundled Mozilla root certificates.
webpki-roots = [

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be rustls-wekpki-roots?

Comment thread core/http-transports/reqwest/Cargo.toml Outdated
Comment thread core/http-transports/reqwest/README.md
Comment thread core/http-transports/reqwest/README.md Outdated
```rust
use std::time::Duration;

use opendal_http_transport_reqwest::ReqwestTlsBackend;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't expect we need to implement this. Is there a reason why we didn't just use things from reqwest?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is mainly a consideration of what features do we want to compile and ship. e.g.:

  1. we ship rustls, ring, all differents certs
  2. we ship one feature of rustls
  3. ...other combinations between these 2

Bindings will use this crate mostly so compilation size is also a concern.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realized that I'm writing a library instead of an app. I'll fix this soon.

@Xuanwo Xuanwo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for working on this!

I love the direction, but I think we are taking on too many duties that do not belong to us. http-transport-reqwuest is just a simple wrapper. Users can just call reqwest's API to set it.

Comment thread core/Cargo.toml
Comment thread core/Cargo.toml
Comment thread core/src/lib.rs Outdated
Comment thread core/http-transports/reqwest/README.md Outdated
Comment thread core/http-transports/reqwest/src/lib.rs Outdated
Comment thread core/http-transports/reqwest/src/lib.rs Outdated
}

#[allow(unreachable_code, clippy::needless_return)]
fn default_tls_backend() -> &'static str {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's users duty to make sure they set those correctly.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should have a default builder helper to choose a TLS backend explicitly. It's useful for debugging.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should have a default builder helper to choose a TLS backend explicitly. It's useful for debugging.

I expect that users want to do this can always use reqwest's API.

I think about this in this way: if opendal supports 10 http clients in the future and every one of them has a default_tls_backend. It doesn't make sense to me.

I feel that it's best for use to not expose any new APIs from this crate. Users don't need to figure out opendal's API, they just need to play with reqwest as before.

Please note that opendal is highly possible that not the only crate in users system that depends on reqwest. Any new API, new wrapper from opendal will add more burden for users.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sense. Updated.

Comment thread core/http-transports/reqwest/src/lib.rs Outdated
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:XL This PR changes 500-999 lines, ignoring generated files. labels Jul 4, 2026
@erickguan erickguan requested a review from Xuanwo July 4, 2026 12:57

@erickguan erickguan left a comment

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. I want a default TLS builder because it's easier to debug when someone builds multiple features.

Comment thread core/http-transports/reqwest/README.md Outdated
Comment thread core/Cargo.toml
Comment thread core/Cargo.toml
Comment thread core/http-transports/reqwest/Cargo.toml Outdated
Comment thread core/http-transports/reqwest/README.md
Comment thread core/http-transports/reqwest/src/lib.rs Outdated
}

#[allow(unreachable_code, clippy::needless_return)]
fn default_tls_backend() -> &'static str {

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should have a default builder helper to choose a TLS backend explicitly. It's useful for debugging.

Comment thread core/http-transports/reqwest/src/lib.rs Outdated
Comment thread core/http-transports/reqwest/src/lib.rs Outdated
Comment thread core/src/lib.rs Outdated

@Xuanwo Xuanwo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @erickguan for working on this!

@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jul 6, 2026
@Xuanwo Xuanwo merged commit b6cff68 into main Jul 6, 2026
188 of 189 checks passed
@Xuanwo Xuanwo deleted the feat/reqwest-tls-options branch July 6, 2026 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm This PR has been approved by a maintainer releases-note/feat The PR implements a new feature or has a title that begins with "feat" size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

new feature: allow TLS certification config

2 participants