fix(tls): use OS certificate store for corporate SSL inspection#599

Merged: icebear0828 merged 1 commit into dev from fix/tls-native-roots on May 27, 2026
Conversation

@icebear0828
Owner

Summary

  • Switch reqwest feature from rustls-tls (bundled webpki-roots) to rustls-tls-native-roots (reads OS certificate store)
  • Corporate CAs (Cloudflare Access, Zscaler, etc.) are now trusted automatically without manual config
  • TLS fingerprint unchanged — ClientHello determined by pinned rustls 0.23.36, not root CA source

Closes #598

Test plan

  • cargo check — compiles cleanly
  • cargo build --release — native addon builds
  • npm test — 239 files / 2356 tests pass, zero regression
  • Manual: verify with Cloudflare Access / corporate SSL inspection environment

Switch reqwest from `rustls-tls` (bundled webpki-roots) to
`rustls-tls-native-roots` (reads OS certificate store) so corporate
CAs like Cloudflare Access Gateway are trusted automatically.

TLS fingerprint is unaffected — ClientHello is determined by the
pinned rustls version, not the root CA source.

Closes #598
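As an added illustration of the change this PR describes (not the project's own Cargo.toml; the reqwest version number is a placeholder), the weak and corrected dependency declarations side by side. The "before" form is kept as a comment because TOML does not allow a duplicate `[dependencies]` table:

```toml
# Added example, not taken from the project. Version is a placeholder.

# Before: `rustls-tls` is reqwest's alias for `rustls-tls-webpki-roots`, so the
# trust anchors are the Mozilla bundle compiled into the binary. A corporate
# inspection CA installed only in the OS store is absent from that bundle, and
# every request through the inspecting proxy fails with
# "invalid peer certificate: UnknownIssuer".
#
# [dependencies]
# reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] }

# After: rustls still performs the handshake (so the ClientHello, and therefore
# the TLS fingerprint, is unchanged), but the root set is loaded at runtime from
# the OS certificate store via the rustls-native-certs crate. A CA that an
# administrator has deployed to the machine is trusted without extra config.
[dependencies]
reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots"] }
```

`default-features = false` matters in both forms: without it reqwest also enables `default-tls` (native-tls/OpenSSL or Schannel), and the rustls feature would sit beside a second TLS backend. The trade-off to be aware of is that trust now follows whatever the host's store contains, so the effective root set is decided by endpoint management rather than by the build; on a host whose store is empty or unreadable, rustls-native-certs loads no anchors and every connection fails closed, which shows up as the same `UnknownIssuer` error rather than as a silent fallback.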
@FlavienKlr

Tested on Windows 11 behind Cloudflare Access (Zero Trust Traffic & DNS mode) with corporate Gateway CA - Cloudflare Managed G1, fix works perfectly. ✅

Before: every upstream request failed with `invalid peer certificate: UnknownIssuer` (webpki-roots missing the corporate CA).

After: rustls-tls-native-roots picks up the CA from the Windows cert store immediately. No config changes needed.

One note for other enterprise users: if you build from source behind Cloudflare Access, you may need:

  • NODE_EXTRA_CA_CERTS pointing to your corporate cert for npm install
  • CARGO_HTTP_CHECK_REVOKE=false for cargo build (schannel revocation check can fail with corporate proxy inspection)

Thanks for the quick turnaround!


@icebear0828 icebear0828 merged commit 9b82e05 into dev May 27, 2026
1 check passed
icebear0828 added a commit that referenced this pull request May 27, 2026
- CHANGELOG: CORS allowlist, Docker arch detection, OS cert store, output backfill
- README/README_EN: add @aeltorio, @williamjameshandley, @FlavienKlr to contributors
@icebear0828 icebear0828 deleted the fix/tls-native-roots branch May 27, 2026 21:16

Development

Successfully merging this pull request may close these issues.

UnknownIssuer certificate error (Cloudflare Access corporate SSL inspection) - webpki-roots missing Gateway CA
