Split codebase (#455)

crates/yaak-http/src/client.rs

@@ -31,6 +31,56 @@ impl ConfiguredClient {
     }
 }
 
+/// Build a native-tls connector for maximum compatibility when certificate
+/// validation is disabled. Unlike rustls, native-tls uses the OS TLS stack
+/// (Secure Transport on macOS, SChannel on Windows, OpenSSL on Linux) which
+/// supports TLS 1.0+ for legacy servers.
+fn build_native_tls_connector(
+    client_cert: Option<ClientCertificateConfig>,
+) -> Result<native_tls::TlsConnector> {
+    let mut builder = native_tls::TlsConnector::builder();
+    builder.danger_accept_invalid_certs(true);
+    builder.danger_accept_invalid_hostnames(true);
+    builder.min_protocol_version(Some(native_tls::Protocol::Tlsv10));
+
+    if let Some(identity) = build_native_tls_identity(client_cert)? {
+        builder.identity(identity);
+    }
+
+    Ok(builder.build()?)
+}
+
+fn build_native_tls_identity(
+    client_cert: Option<ClientCertificateConfig>,
+) -> Result<Option<native_tls::Identity>> {
+    let config = match client_cert {
+        None => return Ok(None),
+        Some(c) => c,
+    };
+
+    // Try PFX/PKCS12 first
+    if let Some(pfx_path) = &config.pfx_file {
+        if !pfx_path.is_empty() {
+            let pfx_data = std::fs::read(pfx_path)?;
+            let password = config.passphrase.as_deref().unwrap_or("");
+            let identity = native_tls::Identity::from_pkcs12(&pfx_data, password)?;
+            return Ok(Some(identity));
+        }
+    }
+
+    // Try CRT + KEY files
+    if let (Some(crt_path), Some(key_path)) = (&config.crt_file, &config.key_file) {
+        if !crt_path.is_empty() && !key_path.is_empty() {
+            let crt_data = std::fs::read(crt_path)?;
+            let key_data = std::fs::read(key_path)?;
+            let identity = native_tls::Identity::from_pkcs8(&crt_data, &key_data)?;
+            return Ok(Some(identity));
+        }
+    }
+
+    Ok(None)
+}
+
 #[derive(Clone)]
 pub struct HttpConnectionProxySettingAuth {
     pub user: String,
@@ -76,10 +126,16 @@ impl HttpConnectionOptions {
             // This is needed so we can emit DNS timing events for each request
             .pool_max_idle_per_host(0);
 
-        // Configure TLS with optional client certificate
-        let config =
-            get_tls_config(self.validate_certificates, true, self.client_certificate.clone())?;
-        client = client.use_preconfigured_tls(config);
+        // Configure TLS
+        if self.validate_certificates {
+            // Use rustls with platform certificate verification (TLS 1.2+ only)
+            let config = get_tls_config(true, true, self.client_certificate.clone())?;
+            client = client.use_preconfigured_tls(config);
+        } else {
+            // Use native TLS for maximum compatibility (supports TLS 1.0+)
+            let connector = build_native_tls_connector(self.client_certificate.clone())?;
+            client = client.use_preconfigured_tls(connector);
+        }
 
         // Configure DNS resolver - keep a reference to configure per-request
         let resolver = LocalhostResolver::new(self.dns_overrides.clone());

crates/yaak-http/src/error.rs

@@ -9,6 +9,12 @@ pub enum Error {
     #[error(transparent)]
     TlsError(#[from] yaak_tls::error::Error),
 
+    #[error("Native TLS error: {0}")]
+    NativeTlsError(#[from] native_tls::Error),
+
+    #[error("IO error: {0}")]
+    IoError(#[from] std::io::Error),
+
     #[error("Request failed with {0:?}")]
     RequestError(String),