docs-internal/engine/tls-trust-roots.md
Rules for outbound TLS client configuration across the repo.
For rustls-based outbound TLS clients (tokio-tungstenite, reqwest), always enable BOTH rustls-tls-native-roots and rustls-tls-webpki-roots together so the crates build a union root store.
ca-certificates) fall through to the bundled Mozilla list.
Pinned in workspace Cargo.toml (tokio-tungstenite) and in rivetkit-rust/packages/client/Cargo.toml (reqwest + tokio-tungstenite).
Engine-internal HTTPS clients on hyper-tls / native-tls intentionally stay on OpenSSL. These include:
- reqwest

They run in operator-controlled containers and already honor the system trust store.
webpki-roots periodically so the bundled Mozilla CA list does not go stale.