diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b3c89ed09..7a7d9ce90 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -43,16 +43,18 @@ rust-checks:
   script:
     - rustup show
     - rustup component add rustfmt
-    - ./maint/via-cargo-install-in-ci cargo-audit cargo-sort cargo-license
+    - ./maint/via-cargo-install-in-ci cargo-audit cargo-sort cargo-license cargo-tree
     - cargo fmt -- --check
     - ./maint/check_licenses
     - ./maint/cargo_audit
     - ./maint/cargo_sort
+    - ./maint/check_tree
   cache:
     paths:
       - cargo-audit
       - cargo-sort
       - cargo-license
+      - cargo-tree
 
 rust-latest:
   stage: build
diff --git a/maint/check_tree b/maint/check_tree
new file mode 100755
index 000000000..2f591db96
--- /dev/null
+++ b/maint/check_tree
@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Use cargo-tree to check our dependencies for crates which we must
+# not depend on unconditionally.
+
+
+forbid () {
+    local our_crate="$1"
+    local feature="$2"
+    local forbidden="$3"
+    if cargo tree -i "$forbidden" -p "$our_crate" --features "$feature" 2>/dev/null ; then
+        echo "Uh-oh: $forbidden has shown up in $our_crate/$feature."
+	exit 1
+    else
+        echo "Didn't find $forbidden in $our_crate/$feature.  Good."
+    fi
+}
+
+# We can't use these crates in arti/full, since they expose us to the old
+# OpenSSL (3BSD + SSLeay) license.
+forbid arti full ring
+forbid arti full webpki
+
+echo "Everything looks fine."