feat(ahp-ws): make WebSocket TLS backend selectable, default to rustls#256
Merged
Conversation
ahp-ws unconditionally enabled `tokio-tungstenite/native-tls`, which Cargo feature unification forced onto every consumer sharing the tokio-tungstenite node — overriding downstream binaries that wanted rustls and dragging OpenSSL onto Linux builds. Gate the backend behind Cargo features (`native-tls`, `rustls-tls-native-roots`, `rustls-tls-webpki-roots`) and default to `rustls-tls-native-roots` with the `ring` provider: a pure-Rust stack with no OpenSSL on Linux that still validates against the OS trust store, preserving the TLS-intercepting-proxy / enterprise-CA invariant. tokio-tungstenite now uses `default-features = false`; an optional `rustls` dep supplies the crypto provider so tungstenite's `ClientConfig::builder()` path doesn't panic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR updates the Rust ahp-ws WebSocket transport crate to make the wss:// TLS backend selectable via Cargo features, with a rustls-based option intended to be the default, and documents the new behavior for downstream consumers.
Changes:
- Add crate-level Cargo features to select the WebSocket TLS backend (rustls-native-roots default, rustls-webpki-roots, or native-tls).
- Update crate docs/README and inline API docs to describe TLS backend selection and expected behavior when TLS is disabled.
- Add Rust workspace changelog entries and refresh the Rust workspace lockfile to reflect the new dependency graph.
Show a summary per file
| File | Description |
|---|---|
| clients/rust/crates/ahp-ws/src/transport.rs | Updates connect API docs to reflect feature-selected TLS backend for wss://. |
| clients/rust/crates/ahp-ws/src/lib.rs | Adds crate-level documentation explaining TLS backend feature selection. |
| clients/rust/crates/ahp-ws/README.md | Updates public README to describe TLS backend options and defaults. |
| clients/rust/crates/ahp-ws/Cargo.toml | Introduces TLS backend features and adjusts tokio-tungstenite/rustls dependencies accordingly. |
| clients/rust/CHANGELOG.md | Records the user-visible TLS backend selection change for the Rust crates. |
| clients/rust/Cargo.lock | Updates lockfile to include newly introduced TLS-related dependencies. |
Copilot's findings
- Files reviewed: 5/6 changed files
- Comments generated: 2
Address review feedback: ring still builds C/asm via cc, so reword the Cargo.toml comment to focus on avoiding cmake/NASM and external system TLS libraries (OpenSSL) rather than claiming no C toolchain. Document that when Cargo feature unification enables more than one TLS backend, native-tls wins because tokio-tungstenite's auto-connector prefers it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
connor4312
approved these changes
Jun 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
ahp-wsunconditionally enabledtokio-tungstenite = { features = ["native-tls"] }. Two facts combine to make that decision leak out of this crate and onto everyone downstream:tokio-tungstenitenode,native-tlsis compiled in for all consumers.#[cfg(feature = "native-tls")]first, only falling through to rustls under#[cfg(all(__rustls-tls, not(native-tls)))].The upshot (documented in github/copilot-host#298): copilotd's request for
rustls-tls-native-rootscan never win whileahp-wsforcesnative-tls, andahp-wsdrags OpenSSL onto Linux builds regardless. This moves the lever back into AHP.What
Gate the WebSocket TLS backend behind Cargo features instead of hard-coding it:
rustls-tls-native-roots(default)rustls-tls-webpki-rootsnative-tlstokio-tungstenitenow usesdefault-features = false(justconnect+handshake); each feature re-exports the matching tungstenite TLS feature.rustls-tls-native-roots, is a pure-Rust stack — no OpenSSL on Linux — that still validates against the OS trust store, preserving the TLS-intercepting-egress-proxy / enterprise-CA invariant thatnative-tlsprovided.rustlsdep (default-features = false, features = ["ring", "std", "tls12"]) is pulled in by the rustls features so the shared rustls 0.23 node has a crypto provider. Without this, tungstenite's rustls connector callsClientConfig::builder()→CryptoProvider::get_default()and panics on the firstwss://dial.ringkeeps the build portable (no C toolchain, unlikeaws-lc-rs).ws://still works andwss://fails at connect time.Downstreams (e.g. copilotd) can now get rustls for free, or opt back into native-tls with
default-features = false, features = ["native-tls"].Validation
native-tls,rustls-tls-webpki-roots, and no-TLS).ring+rustls+rustls-native-certsand zero OpenSSL.cargo clippy --workspace -- -D warnings,cargo test --workspace, andcargo docall pass.rust-version = "1.75".CHANGELOG updated under
clients/rust/CHANGELOG.md(Added + Changed).