bitwarden · dani-garcia · Jan 8, 2024 · Dec 1, 2023 · Dec 1, 2023 · Dec 13, 2023
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/about.toml b/about.toml
@@ -8,4 +8,9 @@ accepted = [
     "MPL-2.0",
     "LGPL-3.0",
     "Unicode-DFS-2016",
+    "OpenSSL",
 ]
+
+# Ring has all the licenses combined into a single file, which causes cargo about to 
+# be confused about it. Thankfully it includes a workaround for this that we can enable.
+workarounds = ["ring"]
diff --git a/crates/bitwarden-api-api/Cargo.toml b/crates/bitwarden-api-api/Cargo.toml
@@ -22,5 +22,6 @@ uuid = { version = ">=1.3.3, <2", features = ["serde"] }
 [dependencies.reqwest]
 version = ">=0.11.18, <0.12"
 features = ["json", "multipart"]
+default-features = false
 
 [dev-dependencies]
diff --git a/crates/bitwarden-api-identity/Cargo.toml b/crates/bitwarden-api-identity/Cargo.toml
@@ -22,5 +22,6 @@ uuid = { version = ">=1.3.3, <2", features = ["serde"] }
 [dependencies.reqwest]
 version = ">=0.11.18, <0.12"
 features = ["json", "multipart"]
+default-features = false
 
 [dev-dependencies]
diff --git a/crates/bitwarden-uniffi/Cargo.toml b/crates/bitwarden-uniffi/Cargo.toml
@@ -25,6 +25,3 @@ bitwarden = { path = "../bitwarden", features = ["mobile", "internal"] }
 
 [build-dependencies]
 uniffi = { version = "=0.25.2", features = ["build"] }
-
-[target.'cfg(any(target_os = "android", target_os = "ios"))'.dependencies]
-openssl = { version = "0.10", features = ["vendored"] }
diff --git a/crates/bitwarden/Cargo.toml b/crates/bitwarden/Cargo.toml
@@ -46,7 +46,9 @@ num-bigint = ">=0.4, <0.5"
 num-traits = ">=0.2.15, <0.3"
 pbkdf2 = { version = ">=0.12.1, <0.13", default-features = false }
 rand = ">=0.8.5, <0.9"
-reqwest = { version = ">=0.11, <0.12", features = ["json"] }
+reqwest = { version = ">=0.11, <0.12", features = [
+    "json",
+], default-features = false }
 rsa = ">=0.9.2, <0.10"
 schemars = { version = ">=0.8.9, <0.9", features = ["uuid1", "chrono"] }
 serde = { version = ">=1.0, <2.0", features = ["derive"] }
@@ -60,6 +62,23 @@ thiserror = ">=1.0.40, <2.0"
 uniffi = { version = "=0.25.2", optional = true, features = ["tokio"] }
 uuid = { version = ">=1.3.3, <2.0", features = ["serde"] }
 
+[target.'cfg(all(not(target_os = "android"), not(target_arch="wasm32")))'.dependencies]
+# By default, we use rustls as the TLS stack and rust-platform-verifier to support user-installed root certificates
+# There are a few exceptions to this:
+# - WASM doesn't require a TLS stack, as it just uses the browsers/node fetch
+# - Android uses webpki-roots for the moment
+reqwest = { version = "*", features = [
+    "rustls-tls-manual-roots",
+], default-features = false }
+rustls-platform-verifier = { git = "https://github.com/rustls/rustls-platform-verifier/", rev = "e4194174f2b4b235ed13fc057ce89b19894321e6" }
+
+[target.'cfg(target_os = "android")'.dependencies]
+# On android, the use of rustls-platform-verifier is more complicated and going through some changes at the moment, so we fall back to using webpki-roots
+# This means that for the moment android won't support self-signed certificates, even if they are included in the OS trust store
+reqwest = { version = "*", features = [
+    "rustls-tls-webpki-roots",
+], default-features = false }
+
 [dev-dependencies]
 rand_chacha = "0.3.1"
 tokio = { version = "1.35.0", features = ["rt", "macros"] }

diff --git a/crates/bitwarden/src/client/client.rs b/crates/bitwarden/src/client/client.rs
@@ -86,10 +86,16 @@ impl Client {
 
         let headers = header::HeaderMap::new();
 
-        let client = reqwest::Client::builder()
-            .default_headers(headers)
-            .build()
-            .unwrap();
+        #[allow(unused_mut)]
+        let mut client_builder = reqwest::Client::builder().default_headers(headers);
+
+        #[cfg(all(not(target_os = "android"), not(target_arch = "wasm32")))]
+        {
+            client_builder =
+                client_builder.use_preconfigured_tls(rustls_platform_verifier::tls_config());
+        }
+
+        let client = client_builder.build().unwrap();
 
         let identity = bitwarden_api_identity::apis::configuration::Configuration {
             base_path: settings.identity_url,

diff --git a/crates/bws/Cargo.toml b/crates/bws/Cargo.toml
@@ -44,6 +44,3 @@ bitwarden = { path = "../bitwarden", version = "0.3.1", features = ["secrets"] }
 
 [dev-dependencies]
 tempfile = "3.8.1"
-
-[target.'cfg(target_os = "linux")'.dependencies]
-openssl = { version = "0.10", features = ["vendored"] }
diff --git a/support/openapi-template/Cargo.mustache b/support/openapi-template/Cargo.mustache
@@ -27,6 +27,7 @@ reqwest = "~0.9"
 [dependencies.reqwest]
 version = "^0.11"
 features = ["json", "multipart"]
+default-features = false
 {{/supportAsync}}
 {{/reqwest}}
 {{#withAWSV4Signature}}