Turbopack: Add an option to use system TLS certificates (fixes vercel#79060, fixes vercel#79059) (vercel#81818)

It's common in enterprise environments for employers to MITM all HTTPS traffic on employee machines to enforce network policies or to detect and block malware. For this to work, they install custom CA roots into the system store. Applications must read from this store.

The default behavior of `reqwests` is to bundle the mozilla CA roots into the application, and only trust those. This is reasonable given some of the tradeoffs of the current rustls resolver implementations they use, but long-term it's better for most applications to just use the system CA store.

This provides an opt-in experimental option for using the system CA store. We may use system CA certs by default in the future once seanmonstar/reqwest#2159 is resolved.

Fixes vercel#79059
Fixes vercel#79060

### Testing

- Install [mitmproxy](https://docs.mitmproxy.org/stable/overview/installation/).
- Install the generated mitmproxy CA cert to the system store: https://docs.mitmproxy.org/stable/concepts/certificates/
- Run `./mitmdump` (with no arguments)
- Run an example app that uses google fonts:

```
pnpm pack-next --project ~/shadcn-ui/apps/v4 --no-js-build -- --release
cd ~/shadcn-ui/apps/v4
pnpm i
NEXT_TURBOPACK_EXPERIMENTAL_USE_SYSTEM_TLS_CERTS=0 HTTP_PROXY=localhost:8080 HTTPS_PROXY=localhost:8080 pnpm dev
NEXT_TURBOPACK_EXPERIMENTAL_USE_SYSTEM_TLS_CERTS=1 HTTP_PROXY=localhost:8080 HTTPS_PROXY=localhost:8080 pnpm dev
```

When system TLS certs are disabled, we get warnings like this:

```
 ⚠ [next]/internal/font/google/geist_mono_77f2790.module.css
Error while requesting resource
There was an issue establishing a connection while requesting https://fonts.googleapis.com/css2?family=Geist+Mono:wght@400&display=swap.

Import trace:
  [next]/internal/font/google/geist_mono_77f2790.module.css
  [next]/internal/font/google/geist_mono_77f2790.js
  ./apps/v4/lib/fonts.ts
  ./apps/v4/app/layout.tsx
```

And mitmproxy shows the handshakes failing

![Screenshot 2025-07-21 at 1.11.11 PM.png](https://graphite-user-uploaded-assets-prod.s3.amazonaws.com/HAZVitxRNnZz8QMiPn4a/2efc4b97-f50e-412c-9daf-5cdd00a6d82b.png)

When system TLS certs are enabled, the app works.

Author: bgw

.changeset/silent-houses-lay.md

@@ -0,0 +1,5 @@
+---
+'@next/swc': patch
+---
+
+Added an experimental option for using the system CA store for fetching Google Fonts in Turbopack

Cargo.lock

@@ -400,7 +400,7 @@ rand = "0.9.0"
 rayon = "1.10.0"
 regex = "1.10.6"
 regress = "0.10.3"
-reqwest = { version = "0.12.20", default-features = false }
+reqwest = { version = "0.12.22", default-features = false }
 ringmap = "0.1.3"
 roaring = "0.10.10"
 rstest = "0.16.0"

Cargo.toml

@@ -3,12 +3,13 @@ use rustc_hash::FxHashSet;
 use serde::{Deserialize, Deserializer, Serialize};
 use serde_json::Value as JsonValue;
 use turbo_esregex::EsRegex;
-use turbo_rcstr::RcStr;
+use turbo_rcstr::{RcStr, rcstr};
 use turbo_tasks::{
     FxIndexMap, NonLocalValue, OperationValue, ResolvedVc, TaskInput, Vc, debug::ValueDebugFormat,
     trace::TraceRawVcs,
 };
-use turbo_tasks_env::EnvMap;
+use turbo_tasks_env::{EnvMap, ProcessEnv};
+use turbo_tasks_fetch::ReqwestClientConfig;
 use turbo_tasks_fs::FileSystemPath;
 use turbopack::module_options::{
     ConditionItem, ConditionPath, LoaderRuleItem, OptionWebpackRules,
@@ -801,6 +802,7 @@ pub struct ExperimentalConfig {
     turbopack_source_maps: Option<bool>,
     turbopack_tree_shaking: Option<bool>,
     turbopack_scope_hoisting: Option<bool>,
+    turbopack_use_system_tls_certs: Option<bool>,
     // Whether to enable the global-not-found convention
     global_not_found: Option<bool>,
     /// Defaults to false in development mode, true in production mode.
@@ -1721,6 +1723,32 @@ impl NextConfig {
     pub fn output_file_tracing_excludes(&self) -> Vc<OptionJsonValue> {
         Vc::cell(self.output_file_tracing_excludes.clone())
     }
+
+    #[turbo_tasks::function]
+    pub async fn reqwest_client_config(
+        &self,
+        env: Vc<Box<dyn ProcessEnv>>,
+    ) -> Result<Vc<ReqwestClientConfig>> {
+        // Support both an env var and the experimental flag to provide more flexibility to
+        // developers on locked down systems, depending on if they want to configure this on a
+        // per-system or per-project basis.
+        let use_system_tls_certs = env
+            .read(rcstr!("NEXT_TURBOPACK_EXPERIMENTAL_USE_SYSTEM_TLS_CERTS"))
+            .await?
+            .as_ref()
+            .and_then(|env_value| {
+                // treat empty value same as an unset value
+                (!env_value.is_empty()).then(|| env_value == "1" || env_value == "true")
+            })
+            .or(self.experimental.turbopack_use_system_tls_certs)
+            .unwrap_or(false);
+        Ok(ReqwestClientConfig {
+            proxy: None,
+            tls_built_in_webpki_certs: !use_system_tls_certs,
+            tls_built_in_native_certs: use_system_tls_certs,
+        }
+        .cell())
+    }
 }
 
 /// A subset of ts/jsconfig that next.js implicitly

crates/next-core/src/next_config.rs

@@ -182,6 +182,7 @@ pub struct NextFontGoogleCssModuleReplacer {
     project_path: FileSystemPath,
     execution_context: ResolvedVc<ExecutionContext>,
     next_mode: ResolvedVc<NextMode>,
+    reqwest_client_config: ResolvedVc<ReqwestClientConfig>,
 }
 
 #[turbo_tasks::value_impl]
@@ -191,11 +192,13 @@ impl NextFontGoogleCssModuleReplacer {
         project_path: FileSystemPath,
         execution_context: ResolvedVc<ExecutionContext>,
         next_mode: ResolvedVc<NextMode>,
+        reqwest_client_config: ResolvedVc<ReqwestClientConfig>,
     ) -> Vc<Self> {
         Self::cell(NextFontGoogleCssModuleReplacer {
             project_path,
             execution_context,
             next_mode,
+            reqwest_client_config,
         })
     }
 
@@ -228,7 +231,14 @@ impl NextFontGoogleCssModuleReplacer {
         let stylesheet_str = mocked_responses_path
             .as_ref()
             .map_or_else(
-                || fetch_real_stylesheet(stylesheet_url.clone(), css_virtual_path.clone()).boxed(),
+                || {
+                    fetch_real_stylesheet(
+                        stylesheet_url.clone(),
+                        css_virtual_path.clone(),
+                        *self.reqwest_client_config,
+                    )
+                    .boxed()
+                },
                 |p| get_mock_stylesheet(stylesheet_url.clone(), p, *self.execution_context).boxed(),
             )
             .await?;
@@ -365,13 +375,20 @@ struct NextFontGoogleFontFileOptions {
 #[turbo_tasks::value(shared)]
 pub struct NextFontGoogleFontFileReplacer {
     project_path: FileSystemPath,
+    reqwest_client_config: ResolvedVc<ReqwestClientConfig>,
 }
 
 #[turbo_tasks::value_impl]
 impl NextFontGoogleFontFileReplacer {
     #[turbo_tasks::function]
-    pub fn new(project_path: FileSystemPath) -> Vc<Self> {
-        Self::cell(NextFontGoogleFontFileReplacer { project_path })
+    pub fn new(
+        project_path: FileSystemPath,
+        reqwest_client_config: ResolvedVc<ReqwestClientConfig>,
+    ) -> Vc<Self> {
+        Self::cell(NextFontGoogleFontFileReplacer {
+            project_path,
+            reqwest_client_config,
+        })
     }
 }
 
@@ -426,7 +443,12 @@ impl ImportMappingReplacement for NextFontGoogleFontFileReplacer {
 
         // doesn't seem ideal to download the font into a string, but probably doesn't
         // really matter either.
-        let Some(font) = fetch_from_google_fonts(url.into(), font_virtual_path.clone()).await?
+        let Some(font) = fetch_from_google_fonts(
+            url.into(),
+            font_virtual_path.clone(),
+            *self.reqwest_client_config,
+        )
+        .await?
         else {
             return Ok(ImportMapResult::Result(ResolveResult::unresolvable()).cell());
         };
@@ -650,20 +672,23 @@ fn font_file_options_from_query_map(query: &RcStr) -> Result<NextFontGoogleFontF
 async fn fetch_real_stylesheet(
     stylesheet_url: RcStr,
     css_virtual_path: FileSystemPath,
+    reqwest_client_config: Vc<ReqwestClientConfig>,
 ) -> Result<Option<Vc<RcStr>>> {
-    let body = fetch_from_google_fonts(stylesheet_url, css_virtual_path).await?;
+    let body =
+        fetch_from_google_fonts(stylesheet_url, css_virtual_path, reqwest_client_config).await?;
 
     Ok(body.map(|body| body.to_string()))
 }
 
 async fn fetch_from_google_fonts(
     url: RcStr,
     virtual_path: FileSystemPath,
+    reqwest_client_config: Vc<ReqwestClientConfig>,
 ) -> Result<Option<Vc<HttpResponseBody>>> {
     let result = fetch(
         url,
         Some(rcstr!(USER_AGENT_FOR_GOOGLE_FONTS)),
-        ReqwestClientConfig { proxy: None }.cell(),
+        reqwest_client_config,
     )
     .await?;
 

crates/next-core/src/next_font/google/mod.rs

@@ -1022,13 +1022,15 @@ async fn insert_next_shared_aliases(
         next_font_google_replacer_mapping,
     );
 
+    let reqwest_client_config = next_config.reqwest_client_config(execution_context.env());
     import_map.insert_alias(
         AliasPattern::exact("@vercel/turbopack-next/internal/font/google/cssmodule.module.css"),
         ImportMapping::Dynamic(ResolvedVc::upcast(
             NextFontGoogleCssModuleReplacer::new(
                 project_path.clone(),
                 execution_context,
                 next_mode,
+                reqwest_client_config,
             )
             .to_resolved()
             .await?,
@@ -1039,7 +1041,7 @@ async fn insert_next_shared_aliases(
     import_map.insert_alias(
         AliasPattern::exact(GOOGLE_FONTS_INTERNAL_PREFIX),
         ImportMapping::Dynamic(ResolvedVc::upcast(
-            NextFontGoogleFontFileReplacer::new(project_path.clone())
+            NextFontGoogleFontFileReplacer::new(project_path.clone(), reqwest_client_config)
                 .to_resolved()
                 .await?,
         ))

crates/next-core/src/next_import_map.rs

@@ -462,6 +462,26 @@ export const configSchema: zod.ZodType<NextConfig> = z.lazy(() =>
         turbopackTreeShaking: z.boolean().optional(),
         turbopackRemoveUnusedExports: z.boolean().optional(),
         turbopackScopeHoisting: z.boolean().optional(),
+        /**
+         * Use the system-provided CA roots instead of bundled CA roots for external HTTPS requests
+         * made by Turbopack. Currently this is only used for fetching data from Google Fonts.
+         *
+         * This may be useful in cases where you or an employer are MITMing traffic.
+         *
+         * This option is experimental because:
+         * - This may cause small performance problems, as it uses [`rustls-native-certs`](
+         *   https://github.com/rustls/rustls-native-certs).
+         * - In the future, this may become the default, and this option may be eliminated, once
+         *   <https://github.com/seanmonstar/reqwest/issues/2159> is resolved.
+         *
+         * Users who need to configure this behavior system-wide can override the project
+         * configuration using the `NEXT_TURBOPACK_EXPERIMENTAL_USE_SYSTEM_TLS_CERTS=1` environment
+         * variable.
+         *
+         * This option is ignored on Windows on ARM, where the native TLS implementation is always
+         * used.
+         */
+        turbopackUseSystemTlsCerts: z.boolean().optional(),
         optimizePackageImports: z.array(z.string()).optional(),
         optimizeServerReact: z.boolean().optional(),
         clientTraceMetadata: z.array(z.string()).optional(),

packages/next/src/server/config-schema.ts

@@ -20,8 +20,9 @@ workspace = true
 [target.'cfg(all(target_os = "windows", target_arch = "aarch64"))'.dependencies]
 reqwest = { workspace = true, features = ["native-tls"] }
 
+# If you modify this cfg, make sure you update `ReqwestClientConfig::try_build`.
 [target.'cfg(not(any(all(target_os = "windows", target_arch = "aarch64"), target_arch="wasm32")))'.dependencies]
-reqwest = { workspace = true, features = ["rustls-tls"] }
+reqwest = { workspace = true, features = ["rustls-tls-webpki-roots", "rustls-tls-native-roots"] }
 
 [dependencies]
 anyhow = { workspace = true }

turbopack/crates/turbo-tasks-fetch/Cargo.toml

@@ -26,6 +26,29 @@ pub enum ProxyConfig {
 #[derive(Hash)]
 pub struct ReqwestClientConfig {
     pub proxy: Option<ProxyConfig>,
+    /// Whether to load embedded webpki root certs with rustls. Default is true.
+    ///
+    /// Ignored for:
+    /// - Windows on ARM, which uses `native-tls` instead of `rustls-tls`.
+    /// - Ignored for WASM targets, which use the runtime's TLS implementation.
+    pub tls_built_in_webpki_certs: bool,
+    /// Whether to load native root certs using the `rustls-native-certs` crate. This may make
+    /// reqwest client initialization slower, so it's not used by default.
+    ///
+    /// Ignored for:
+    /// - Windows on ARM, which uses `native-tls` instead of `rustls-tls`.
+    /// - Ignored for WASM targets, which use the runtime's TLS implementation.
+    pub tls_built_in_native_certs: bool,
+}
+
+impl Default for ReqwestClientConfig {
+    fn default() -> Self {
+        Self {
+            proxy: None,
+            tls_built_in_webpki_certs: true,
+            tls_built_in_native_certs: false,
+        }
+    }
 }
 
 impl ReqwestClientConfig {
@@ -40,6 +63,17 @@ impl ReqwestClientConfig {
             }
             None => {}
         };
+
+        // make sure this cfg matches the one in `Cargo.toml`!
+        #[cfg(not(any(
+            all(target_os = "windows", target_arch = "aarch64"),
+            target_arch = "wasm32"
+        )))]
+        let client_builder = client_builder
+            .tls_built_in_root_certs(false)
+            .tls_built_in_webpki_certs(self.tls_built_in_webpki_certs)
+            .tls_built_in_native_certs(self.tls_built_in_native_certs);
+
         client_builder.build()
     }
 }