Add --ca-bundle and AWS_CA_BUNDLE support

Signed-off-by: Yerzhan Mazhkenov <20302932+yerzhan7@users.noreply.github.com>

Author: yerzhan7

Cargo.lock

@@ -11,9 +11,9 @@ resolver = "2"
 
 [workspace.dependencies]
 mountpoint-s3-fs = { version = "0.9.4", path = "./mountpoint-s3-fs" }
-mountpoint-s3-client = { version = "0.20.0", path = "./mountpoint-s3-client" }
-mountpoint-s3-crt = { version = "0.14.0", path = "./mountpoint-s3-crt" }
-mountpoint-s3-crt-sys = { version = "0.16.3", path = "./mountpoint-s3-crt-sys" }
+mountpoint-s3-client = { version = "0.20.1", path = "./mountpoint-s3-client" }
+mountpoint-s3-crt = { version = "0.14.1", path = "./mountpoint-s3-crt" }
+mountpoint-s3-crt-sys = { version = "0.16.4", path = "./mountpoint-s3-crt-sys" }
 mountpoint-s3-fuser = { version = "0.1.1", path = "./mountpoint-s3-fuser", features = ["abi-7-28", "libfuse"] }
 
 [profile.release]

Cargo.toml

@@ -215,6 +215,18 @@ We also support the `AWS_ENDPOINT_URL` environment variable. The endpoint determ
 - Use `AWS_ENDPOINT_URL` if provided.
 - Fallback to automically inferring the endpoint.
 
+### Custom CA trust bundle
+
+To verify HTTPS connections against a private certificate authority, pass a PEM file containing the CA certificate chain with `--ca-bundle`:
+
+```
+mount-s3 amzn-s3-demo-bucket /path/to/mount --ca-bundle /path/to/ca.pem
+```
+
+When set, this bundle is used in place of the operating-system default trust store for all HTTPS connections Mountpoint makes.
+
+Mountpoint also honours the `AWS_CA_BUNDLE` environment variable as a fallback when `--ca-bundle` is not provided.
+
 ### Data encryption
 
 Amazon S3 supports a number of [server-side encryption types](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html). Mountpoint supports reading and writing to buckets that are configured with Amazon S3 managed keys (SSE-S3), with AWS KMS keys (SSE-KMS), or with dual-layer encryption with AWS KMS keys (DSSE-KMS) as the default encryption method. It does not currently support reading objects encrypted with customer-provided keys (SSE-C).

doc/CONFIGURATION.md

@@ -1,5 +1,7 @@
 ## Unreleased
 
+* Add `TlsConfig` type and `S3ClientConfig::tls_config()` builder for configuring a custom CA trust store. ([#1834](https://github.com/awslabs/mountpoint-s3/pull/1834))
+
 ## v0.20.0 (April 28, 2026)
 
 * Add S3 client error covering failures to create S3 Express session. ([#1793](https://github.com/awslabs/mountpoint-s3/pull/1793))

mountpoint-s3-client/CHANGELOG.md

@@ -1,7 +1,7 @@
 [package]
 name = "mountpoint-s3-client"
 # See `/doc/PUBLISHING_CRATES.md` to read how to publish new versions.
-version = "0.20.0"
+version = "0.20.1"
 edition = "2024"
 license = "Apache-2.0"
 repository = "https://github.com/awslabs/mountpoint-s3"
@@ -44,11 +44,18 @@ aws-sdk-s3 = { version = "1.131.0", default-features = false, features = ["behav
 aws-smithy-runtime-api = "1.12.0"
 clap = { version = "4.6.1", features = ["derive"] }
 ctor = "0.10.1"
+http-body-util = "0.1.3"
+hyper = { version = "1.9.0", features = ["server", "http1"] }
+hyper-util = { version = "0.1.20", features = ["tokio"] }
 proptest = "1.11.0"
+rcgen = "0.13.2"
+rustls = "0.23.34"
+rustls-pemfile = "2.2.0"
 rusty-fork = "0.3.1"
 tempfile = "3.27.0"
 test-case = "3.3.1"
-tokio = { version = "1.52.1", features = ["rt", "rt-multi-thread", "macros"] }
+tokio = { version = "1.52.1", features = ["rt", "rt-multi-thread", "macros", "net", "io-util"] }
+tokio-rustls = "0.26.2"
 tracing-subscriber = { version = "0.3.23", features = ["fmt", "env-filter"] }
 
 # HACK: we want our own tests to use the mock client, but don't want to enable it for consumers by

mountpoint-s3-client/Cargo.toml

@@ -73,6 +73,7 @@ pub mod config {
     pub use super::endpoint_config::{AddressingStyle, EndpointConfig, SigningAlgorithm, Uri};
     pub use super::s3_crt_client::{
         CredentialsProvider, CredentialsProviderStaticOptions, EventLoopGroup, S3ClientAuthConfig, S3ClientConfig,
+        TlsConfig, TlsConfigValidationError,
     };
 
     pub use mountpoint_s3_crt::common::allocator::Allocator;