
Please provide a feature flag to use webpki-roots rather than native roots #658

Closed
joshtriplett opened this issue May 20, 2021 · 4 comments

Comments

@joshtriplett
Contributor

Feature Request

Crates

tonic

Motivation

I'd like to build a static binary, which will be deployed to a system that doesn't have any system TLS roots. I'd like to compile in webpki-roots, rather than using rustls-native-roots.

Proposal

I'd love to have a feature flag (something like tls-webpki-roots) that enables the use of webpki-roots rather than rustls-native-roots. That feature flag could enable an optional webpki-roots dependency, and feed the webpki-roots certificates into rustls.

I'd be happy to supply a pull request implementing this proposal, if it sounds like a reasonable approach.
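The Cargo wiring the proposal describes, as an added illustration (this is not tonic's own Cargo.toml and not the merged change): one optional dependency, one feature that turns it on together with the base TLS feature. The feature name `tls-webpki-roots` is the one suggested above; the base feature name `tls`, the `tokio-rustls` dependency that provides rustls, and both version numbers are assumptions for the example. The caveat that matters is in the versions: `webpki-roots` must be the release built against the same `webpki` as the rustls that `tokio-rustls` pulls in, otherwise the trust-anchor types will not line up.

```toml
# Example Cargo.toml fragment for a crate like tonic (assumed names and versions).

[features]
# Assumed base feature: enables the rustls backend via tokio-rustls.
tls = ["tokio-rustls"]
# Proposed feature: compile the webpki-roots bundle into the binary instead of
# reading the system trust store at runtime. Pulls in the optional dependency below.
tls-webpki-roots = ["tls", "webpki-roots"]

[dependencies]
# Assumed version; rustls comes in transitively through this crate.
tokio-rustls = { version = "0.22", optional = true }
# Optional: only compiled when `tls-webpki-roots` is enabled.
# Assumed version; must match the webpki/rustls generation used by tokio-rustls.
webpki-roots = { version = "0.21", optional = true }
```

With this in place the crate's client config code gates the root loading on `#[cfg(feature = "tls-webpki-roots")]` and feeds `webpki_roots::TLS_SERVER_ROOTS` into the rustls root store, so a downstream user who builds a static binary for a host with no system roots needs nothing beyond `features = ["tls-webpki-roots"]`.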

@joshtriplett
Contributor Author

I'm currently working around this by doing the following:

```rust
// Build a rustls client config by hand (rustls API of the version tonic
// depended on at the time; later rustls releases moved to a builder).
let mut rustls_config = rustls::ClientConfig::new();
// Trust the root bundle compiled into webpki-roots instead of the system store.
rustls_config
    .root_store
    .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
// gRPC runs over HTTP/2, so the client has to offer "h2" via ALPN itself.
rustls_config.alpn_protocols = vec![b"h2".to_vec()];
// Hand the finished config to tonic.
let tonic_tls_config = tonic::transport::ClientTlsConfig::new()
    .rustls_client_config(rustls_config);
```

This seems cumbersome, requires matching the version of rustls used by tonic and the version of webpki-roots used by rustls, and requires dealing with internal details like setting alpn_protocols.

@davidpdrsn
Member

We actually do the exact same thing at Embark, so I think it makes sense to add this to tonic.

@LucioFranco what do you think?

@joshtriplett
Contributor Author

I wrote a PR for this: #660

@joshtriplett
Contributor Author

Closing this since #660 has been merged.
