Commit 2f683c0

rust: default to rustls TLS backend, add native-tls opt-in (#1805)

The Rust crate hard-coded the OpenSSL-backed native-tls stack for its request-handler HTTP (reqwest `default-tls`) and WebSocket (tokio-tungstenite `native-tls`) clients, pulling in `openssl-sys`. That breaks `*-unknown-linux-musl` / fully-static builds (no OpenSSL sysroot) and adds a dynamic `libssl` runtime dependency on glibc.

Make TLS feature-gated and default to rustls:

- `rustls-tls` (default): reqwest `rustls-tls-native-roots` + tokio-tungstenite `rustls-tls-native-roots`, using rustls with the `ring` provider and the OS trust store. OpenSSL-free, so musl/static targets cross-compile with no system OpenSSL.
- `native-tls` (opt-in): keeps the platform-native stack for consumers who want it.

The transport code is TLS-backend-agnostic (`reqwest::Client::builder()` + `connect_async`), so no source changes were needed. For `wss://`, tokio-tungstenite resolves the rustls crypto provider via Cargo feature unification on the shared `rustls` crate (reqwest pins `ring`).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

1 parent 91eaa4b commit 2f683c0

3 files changed

Lines changed: 209 additions & 10 deletions

rust/Cargo.lock

Lines changed: 178 additions & 5 deletions
Some generated files are not rendered by default.

rust/Cargo.toml

Lines changed: 21 additions & 3 deletions
@@ -26,11 +26,29 @@ include = [
2626
name = "github_copilot_sdk"
2727

2828
[features]
29-
default = ["bundled-cli"]
29+
default = ["bundled-cli", "rustls-tls"]
3030
bundled-cli = ["dep:tar", "dep:flate2", "dep:zip"]
3131
derive = ["dep:schemars"]
3232
test-support = []
3333

34+
# TLS backend for the request-handler HTTP/WebSocket transport. Enable at least
35+
# one; `rustls-tls` is the default. `rustls-tls` uses rustls with the `ring`
36+
# provider and the OS trust store, keeping the SDK OpenSSL-free so musl/static
37+
# targets build without an OpenSSL sysroot. `native-tls` links the platform
38+
# stack (OpenSSL on Linux, Secure Transport on macOS, SChannel on Windows).
39+
# Cargo features are additive, so enabling both is unnecessary — when both are
40+
# present (e.g. under `--all-features`) the transport prefers native-tls.
41+
# Disabling default features drops `rustls-tls` along with `bundled-cli`;
42+
# re-add a TLS feature to keep the transport working over HTTPS.
43+
rustls-tls = [
44+
"reqwest/rustls-tls-native-roots",
45+
"tokio-tungstenite/rustls-tls-native-roots",
46+
]
47+
native-tls = [
48+
"reqwest/native-tls",
49+
"tokio-tungstenite/native-tls",
50+
]
51+
3452
# Build docs.rs documentation with all features so feature-gated APIs
3553
# (e.g. `define_tool`, `schema_for`) appear and intra-doc links resolve.
3654
# Mirror this locally with: `cargo doc --no-deps --all-features`.
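
Review bot: The new feature comment (new lines 34-42) says to enable at least one TLS backend, but nothing in this hunk enforces it: a consumer who sets `default-features = false` and adds no TLS feature still gets a successful build and, going by the comment itself, only notices when the transport stops working over HTTPS. If a TLS-less build is not a supported configuration, fail it at compile time with a `compile_error!` behind `#[cfg(not(any(feature = "rustls-tls", feature = "native-tls")))]`; if it is supported for plain-HTTP use, say so in this comment. Separately, the stated preference for native-tls when both features are on is decided inside the dependencies rather than by this crate, and because Cargo unifies features, any crate in the graph that enables `native-tls` switches the backend for every consumer and, on Linux, brings back the OpenSSL link. The `--all-features` docs.rs build described just below is one such case, so a CI job that builds the default feature set for a musl target would keep the OpenSSL-free claim checked.
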
@@ -58,8 +76,8 @@ base64 = "0.22"
5876
bytes = "1"
5977
http = "1"
6078
futures-util = "0.3"
61-
reqwest = { version = "0.12", default-features = false, features = ["stream", "http2", "default-tls"] }
62-
tokio-tungstenite = { version = "0.24", default-features = false, features = ["connect", "native-tls"] }
79+
reqwest = { version = "0.12", default-features = false, features = ["stream", "http2"] }
80+
tokio-tungstenite = { version = "0.24", default-features = false, features = ["connect"] }
6381

6482
[target.'cfg(windows)'.dependencies]
6583
zip = { version = "2", default-features = false, features = ["deflate"], optional = true }
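
Review bot: On the new `tokio-tungstenite` line (new line 80), this crate selects no rustls crypto provider itself; the commit message relies on reqwest enabling `ring` on the shared `rustls` crate through feature unification. That coupling is invisible in the manifest, so a reqwest update that changes its provider feature could leave `wss://` without a provider while these two lines still look correct. Consider an explicit optional `rustls` dependency with the `ring` feature wired into `rustls-tls`, or at minimum a comment next to these lines recording the dependency, plus a test that opens a `wss://` connection under the default features.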

rust/README.md

Lines changed: 10 additions & 2 deletions
@@ -902,17 +902,25 @@ Supported: `darwin-arm64`, `darwin-x64`, `linux-x64`, `linux-arm64`, `win32-x64`
902902
| Feature | Default | Description |
903903
| -------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
904904
| `bundled-cli` || Build-time CLI embedding. Pulls in `tar`+`flate2` (Linux/macOS) or `zip` (Windows). Disable via `default-features = false` to opt out (e.g. when shipping a smaller binary or when always supplying the CLI via `CliProgram::Path` / `COPILOT_CLI_PATH`). |
905+
| `rustls-tls` || TLS backend for the `CopilotRequestHandler` HTTP/WebSocket transport, using rustls with the `ring` provider and the OS trust store. OpenSSL-free, so `*-unknown-linux-musl` and other fully-static targets cross-compile without a system OpenSSL sysroot, and glibc binaries gain no `libssl` runtime dependency. |
906+
| `native-tls` || Alternative TLS backend for the transport, linking the platform-native stack (OpenSSL on Linux, Secure Transport on macOS, SChannel on Windows). Enable it together with `default-features = false` when you specifically want the system TLS stack rather than rustls. |
905907
| `derive` || `schema_for::<T>()` for generating JSON Schema from Rust types (adds `schemars`). Enable when defining [tool parameters](#tool-registration). |
906908

909+
> **Note:** `default-features = false` drops the default `rustls-tls` backend along with `bundled-cli`. The request-handler transport needs a TLS backend to reach HTTPS upstreams, so re-add either `rustls-tls` or `native-tls` whenever you turn default features off.
910+
907911
```toml
908912
# These examples use registry syntax for illustration; until the crate is
909913
# published, use a path or git dependency instead.
910914

911-
# Default — bundles the Copilot CLI in your binary.
915+
# Default — bundles the Copilot CLI in your binary and uses the rustls TLS backend.
912916
github-copilot-sdk = "0.1"
913917

914918
# Opt out of bundling — resolve CLI from COPILOT_CLI_PATH or system PATH instead.
915-
github-copilot-sdk = { version = "0.1", default-features = false }
919+
# Re-add a TLS backend since disabling default features also drops rustls-tls.
920+
github-copilot-sdk = { version = "0.1", default-features = false, features = ["rustls-tls"] }
921+
922+
# Use the platform-native TLS stack (e.g. system OpenSSL) instead of rustls.
923+
github-copilot-sdk = { version = "0.1", default-features = false, features = ["bundled-cli", "native-tls"] }
916924

917925
# Derive JSON Schema for tool parameters (adds to default bundled-cli).
918926
github-copilot-sdk = { version = "0.1", features = ["derive"] }
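
Review bot: The `native-tls` row (new line 906) tells readers to pair the feature with `default-features = false`, but the README never says what happens if they do not, while the Cargo.toml comment in this same commit states that with both backends enabled the transport prefers native-tls. Someone who writes `features = ["native-tls"]` alone therefore gets both stacks compiled in and the platform one handling the connection, which deserves one sentence in the note at new line 909. The unchanged comment on the last example, "adds to default bundled-cli", is also out of date now that the defaults include `rustls-tls`.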