fix: pin rustls-native-certs to <0.8.3

duncanista · duncanista · commit eab0da174293 · 2026-03-30T15:30:49.000-04:00
Version 0.8.3+ pulls in openssl-probe@0.2 which probes multiple
certificate directories and parses individual cert files instead of
loading a single bundle, adding unnecessary I/O overhead in
latency-sensitive environments.
diff --git a/libdd-common/Cargo.toml b/libdd-common/Cargo.toml
@@ -41,7 +41,10 @@ regex = "1.5"
 # Use rustls-no-provider instead of rustls to avoid reqwest forcing aws-lc-rs as the crypto
 # backend. We install the ring provider explicitly in connector/mod.rs instead.
 reqwest = { version = "0.13.2", features = ["rustls-no-provider", "hickory-dns"], default-features = false, optional = true }
-rustls-native-certs = { version = "0.8.1", optional = true }
+# Pinned to <0.8.3: version 0.8.3+ pulls in openssl-probe@0.2 which probes multiple
+# certificate directories and parses individual cert files instead of loading a single
+# bundle, adding unnecessary I/O overhead in latency-sensitive environments.
+rustls-native-certs = { version = ">=0.8.1, <0.8.3", optional = true }
 thiserror = "1.0"
 tokio = { version = "1.23", features = ["rt", "macros", "net", "io-util", "fs"] }
 tokio-rustls = { version = "0.26", default-features = false, optional = true }
diff --git a/libdd-http-client/Cargo.toml b/libdd-http-client/Cargo.toml
@@ -36,5 +36,6 @@ http-body-util = { version = "0.1", optional = true }
 
 [dev-dependencies]
 httpmock = "0.8.0-alpha.1"
+rustls = { version = "0.23", default-features = false, features = ["ring"] }
 tokio = { version = "1.23", features = ["rt", "macros", "io-util", "net"] }
 tempfile = "3"
diff --git a/libdd-http-client/src/client.rs b/libdd-http-client/src/client.rs
@@ -104,8 +104,13 @@ impl HttpClient {
 mod tests {
     use super::*;
 
+    fn ensure_crypto_provider() {
+        let _ = rustls::crypto::ring::default_provider().install_default();
+    }
+
     #[test]
     fn new_creates_client() {
+        ensure_crypto_provider();
         let client = HttpClient::new("http://localhost:8126".to_owned(), Duration::from_secs(3));
         assert!(client.is_ok());
         let client = client.unwrap();
@@ -115,6 +120,7 @@ mod tests {
 
     #[test]
     fn builder_creates_client() {
+        ensure_crypto_provider();
         let client = HttpClient::builder()
             .base_url("http://localhost:8126".to_owned())
             .timeout(Duration::from_secs(5))
@@ -127,6 +133,7 @@ mod tests {
     #[cfg_attr(miri, ignore)]
     #[tokio::test]
     async fn send_returns_error_when_no_server() {
+        ensure_crypto_provider();
         let client =
             HttpClient::new("http://localhost".to_owned(), Duration::from_secs(1)).unwrap();
         let req = crate::HttpRequest::new(
diff --git a/libdd-http-client/src/config.rs b/libdd-http-client/src/config.rs
@@ -161,6 +161,10 @@ impl HttpClientBuilder {
 mod tests {
     use super::*;
 
+    fn ensure_crypto_provider() {
+        let _ = rustls::crypto::ring::default_provider().install_default();
+    }
+
     #[test]
     fn config_getters() {
         let config =
@@ -196,6 +200,7 @@ mod tests {
 
     #[test]
     fn builder_success() {
+        ensure_crypto_provider();
         let client = HttpClientBuilder::new()
             .base_url("http://localhost:8126".to_owned())
             .timeout(Duration::from_secs(3))
@@ -205,6 +210,7 @@ mod tests {
 
     #[test]
     fn builder_treat_http_errors_defaults_true() {
+        ensure_crypto_provider();
         let client = HttpClientBuilder::new()
             .base_url("http://localhost".to_owned())
             .timeout(Duration::from_secs(1))
@@ -215,6 +221,7 @@ mod tests {
 
     #[test]
     fn builder_treat_http_errors_set_false() {
+        ensure_crypto_provider();
         let client = HttpClientBuilder::new()
             .base_url("http://localhost".to_owned())
             .timeout(Duration::from_secs(1))
diff --git a/libdd-http-client/tests/connection_pool.rs b/libdd-http-client/tests/connection_pool.rs
@@ -5,9 +5,14 @@ use httpmock::prelude::*;
 use libdd_http_client::{HttpClient, HttpMethod, HttpRequest};
 use std::time::Duration;
 
+fn ensure_crypto_provider() {
+    let _ = rustls::crypto::ring::default_provider().install_default();
+}
+
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_multiple_requests_reuse_client() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
@@ -38,6 +43,7 @@ async fn test_multiple_requests_reuse_client() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_concurrent_requests_succeed() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
diff --git a/libdd-http-client/tests/http_round_trip.rs b/libdd-http-client/tests/http_round_trip.rs
@@ -5,9 +5,14 @@ use httpmock::prelude::*;
 use libdd_http_client::{HttpClient, HttpClientError, HttpMethod, HttpRequest};
 use std::time::Duration;
 
+fn ensure_crypto_provider() {
+    let _ = rustls::crypto::ring::default_provider().install_default();
+}
+
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_post_round_trip() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
@@ -34,6 +39,7 @@ async fn test_post_round_trip() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_get_round_trip() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
@@ -59,6 +65,7 @@ async fn test_get_round_trip() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_response_headers_returned() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
@@ -89,6 +96,7 @@ async fn test_response_headers_returned() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_4xx_returns_request_failed() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     server
@@ -115,6 +123,7 @@ async fn test_4xx_returns_request_failed() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_4xx_returns_ok_when_errors_disabled() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     server
@@ -141,6 +150,7 @@ async fn test_4xx_returns_ok_when_errors_disabled() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_5xx_returns_request_failed() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     server
diff --git a/libdd-http-client/tests/multipart_test.rs b/libdd-http-client/tests/multipart_test.rs
@@ -5,9 +5,14 @@ use httpmock::prelude::*;
 use libdd_http_client::{HttpClient, HttpMethod, HttpRequest, MultipartPart};
 use std::time::Duration;
 
+fn ensure_crypto_provider() {
+    let _ = rustls::crypto::ring::default_provider().install_default();
+}
+
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_multipart_upload() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
@@ -39,6 +44,7 @@ async fn test_multipart_upload() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_multipart_sets_content_type() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
diff --git a/libdd-http-client/tests/retry_test.rs b/libdd-http-client/tests/retry_test.rs
@@ -5,9 +5,14 @@ use httpmock::prelude::*;
 use libdd_http_client::{HttpClient, HttpClientError, HttpMethod, HttpRequest, RetryConfig};
 use std::time::Duration;
 
+fn ensure_crypto_provider() {
+    let _ = rustls::crypto::ring::default_provider().install_default();
+}
+
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_retries_on_503() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
@@ -43,6 +48,7 @@ async fn test_retries_on_503() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_retries_on_404() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
@@ -78,6 +84,7 @@ async fn test_retries_on_404() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_no_retry_when_not_configured() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     let mock = server
@@ -101,6 +108,7 @@ async fn test_no_retry_when_not_configured() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_succeeds_after_transient_failure() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     // First two calls return 503, third returns 200
@@ -139,6 +147,7 @@ async fn test_succeeds_after_transient_failure() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_retries_on_connection_error() {
+    ensure_crypto_provider();
     // Port 1 — nothing listening
     let client = HttpClient::builder()
         .base_url("http://127.0.0.1:1".to_owned())
@@ -161,6 +170,7 @@ async fn test_retries_on_connection_error() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_backoff_increases() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     server
diff --git a/libdd-http-client/tests/timeout_test.rs b/libdd-http-client/tests/timeout_test.rs
@@ -5,9 +5,14 @@ use httpmock::prelude::*;
 use libdd_http_client::{HttpClient, HttpClientError, HttpMethod, HttpRequest};
 use std::time::Duration;
 
+fn ensure_crypto_provider() {
+    let _ = rustls::crypto::ring::default_provider().install_default();
+}
+
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_request_times_out() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     server
@@ -31,6 +36,7 @@ async fn test_request_times_out() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_per_request_timeout_overrides_client() {
+    ensure_crypto_provider();
     let server = MockServer::start_async().await;
 
     server
@@ -57,6 +63,7 @@ async fn test_per_request_timeout_overrides_client() {
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_connection_refused() {
+    ensure_crypto_provider();
     // Use port 1 which is very unlikely to have a listener.
     let client = HttpClient::new("http://127.0.0.1:1".to_owned(), Duration::from_secs(1)).unwrap();
 
diff --git a/libdd-http-client/tests/uds_round_trip.rs b/libdd-http-client/tests/uds_round_trip.rs
@@ -10,9 +10,14 @@ use std::time::Duration;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::UnixListener;
 
+fn ensure_crypto_provider() {
+    let _ = rustls::crypto::ring::default_provider().install_default();
+}
+
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_uds_round_trip() {
+    ensure_crypto_provider();
     let dir = tempfile::tempdir().unwrap();
     let socket_path = dir.path().join("test.sock");
 
diff --git a/libdd-http-client/tests/windows_named_pipe.rs b/libdd-http-client/tests/windows_named_pipe.rs
@@ -8,9 +8,14 @@ use std::time::Duration;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::windows::named_pipe::ServerOptions;
 
+fn ensure_crypto_provider() {
+    let _ = rustls::crypto::ring::default_provider().install_default();
+}
+
 #[cfg_attr(miri, ignore)]
 #[tokio::test]
 async fn test_named_pipe_round_trip() {
+    ensure_crypto_provider();
     let pipe_name = format!(
         r"\\.\pipe\dd_http_client_test_{}_{}",
         std::process::id(),
@@ -49,6 +54,7 @@ async fn test_named_pipe_round_trip() {
 
 #[test]
 fn test_named_pipe_client_constructs() {
+    ensure_crypto_provider();
     let client = HttpClient::builder()
         .base_url("http://localhost".to_owned())
         .timeout(Duration::from_secs(5))
