For public facing sites the rustls-tls-webpki-roots on tungstenite that is enabled when the tls feature is enabled is fine. However, I was working on an internal service and we have our own private CA. That feature does not work as even though I have the rootCA.crt installed on my OS (Ubuntu) the service certificate still was not able to be validated. I finally got it to work by adding

# Cargo.toml
[dependencies]
tungstenite = { version = "*", default-features = false, features = ["rustls-tls-native-roots"] }

to my Cargo.toml. Others can also work around it this way but maybe a feature on ewebsock to enable it might make sense.