From 87faf818ff8b763230c003181b7ee7e2e88c4c3b Mon Sep 17 00:00:00 2001
From: dasha_uwu
Date: Wed, 11 Feb 2026 03:17:06 +0500
Subject: [PATCH] Add webpki roots for reqwest clients. (fixes #296)

---
 Cargo.lock                | 2 ++
 Cargo.toml                | 3 +++
 src/main/Cargo.toml       | 1 +
 src/service/Cargo.toml    | 1 +
 src/service/client/mod.rs | 9 ++++++++-
 5 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/Cargo.lock b/Cargo.lock
index 87cf36a9..3ee7fcc8 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5229,6 +5229,7 @@ dependencies = [
  "tuwunel_macros",
  "tuwunel_router",
  "tuwunel_service",
+ "webpki-root-certs",
 ]
 
 [[package]]
@@ -5448,6 +5449,7 @@ dependencies = [
  "tuwunel_database",
  "url",
  "webpage",
+ "webpki-root-certs",
 ]
 
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index 80ef0449..bc602ecb 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -566,6 +566,9 @@ features = ["serde"]
 version = "2.0"
 default-features = false
 
+[workspace.dependencies.webpki-root-certs]
+version = "1.0"
+
 #
 # Patches
 #
diff --git a/src/main/Cargo.toml b/src/main/Cargo.toml
index 9b9703bf..aafc5545 100644
--- a/src/main/Cargo.toml
+++ b/src/main/Cargo.toml
@@ -233,6 +233,7 @@ tracing-opentelemetry.optional = true
 tracing-opentelemetry.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
+webpki-root-certs.workspace = true
 
 [dev-dependencies]
 criterion.workspace = true
diff --git a/src/service/Cargo.toml b/src/service/Cargo.toml
index 61e60d2c..a96eb0bb 100644
--- a/src/service/Cargo.toml
+++ b/src/service/Cargo.toml
@@ -120,6 +120,7 @@ tracing.workspace = true
 url.workspace = true
 webpage.workspace = true
 webpage.optional = true
+webpki-root-certs.workspace = true
 blurhash.workspace = true
 blurhash.optional = true
 tuwunel-core.workspace = true
diff --git a/src/service/client/mod.rs b/src/service/client/mod.rs
index 57cb0321..190fc59d 100644
--- a/src/service/client/mod.rs
+++ b/src/service/client/mod.rs
@@ -4,7 +4,7 @@ use std::{
 };
 
 use ipaddress::IPAddress;
-use reqwest::{dns::Resolve, redirect};
+use reqwest::{Certificate, dns::Resolve, redirect};
 use tuwunel_core::{Config, Result, either::Either, err, implement, trace};
 
 use crate::{service, services::OnceServices};
@@ -141,6 +141,13 @@ fn base(config: &Config) -> Result {
 		.user_agent(tuwunel_core::version::user_agent())
 		.redirect(redirect::Policy::limited(6))
 		.danger_accept_invalid_certs(config.allow_invalid_tls_certificates)
+		.tls_certs_merge(
+			webpki_root_certs::TLS_SERVER_ROOT_CERTS
+				.iter()
+				.map(|der| {
+					Certificate::from_der(der).expect("certificate must be valid der encoding")
+				}),
+		)
 		.connection_verbose(cfg!(debug_assertions));
 
 	#[cfg(feature = "gzip_compression")]
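Review bot: The `.tls_certs_merge(...)` call in `base` makes the trust anchors a build-time constant (the `webpki-root-certs` bundle compiled into the binary) unioned with whatever roots reqwest already loads, and that trade-off is not recorded anywhere in the hunk: a CA distrusted upstream stays trusted here until the dependency is bumped and the binary rebuilt, and a trust-store restriction an operator applies on the host is not reflected if reqwest also loads native roots (which depends on the enabled TLS features, not visible here). Suggested comment above the call: `// Merge Mozilla's root bundle (webpki-root-certs) into reqwest's default trust anchors so outbound TLS verifies without relying on a host CA store; the set is fixed at build time, so CA additions/distrusts only take effect after a dependency update and rebuild.` The `expect` on `Certificate::from_der` is defensible because the input is a compile-time constant rather than runtime data, though since `base` already returns `Result` the parse could instead be folded into it with `.map(Certificate::from_der).collect::<Result<Vec<_>, _>>()` if `tuwunel_core::Result` can carry a `reqwest::Error`. Note that the certificates are re-parsed on every `base` call; if clients are built more than once at startup a cached `LazyLock` of the parsed set would avoid the repeated work. `base` begins and ends outside this hunk.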