Allow running tokio-postgres with rustls#426
Merged
jxs merged 9 commits intorust-db:mainfrom Apr 27, 2026
Merged
Conversation
When tokio-postgres or postgres features are enabled without the tls feature, config.rs still referenced native_tls and postgres_native_tls crates that are no longer pulled in. Guard those code paths with #[cfg(feature = "tls")] so that no-TLS builds do not require openssl. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Instead of silently falling back to an unencrypted connection when use_tls() is true but the 'tls' feature is disabled, panic with a clear message so the misconfiguration is immediately visible. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a new `tokio-postgres-rustls` feature to refinery/refinery-core that provides TLS for the config-based tokio-postgres connection path using rustls instead of native-tls/openssl. Design: no crypto provider is bundled. Callers must install a global provider (e.g. ring or aws-lc-rs) before running migrations with TLS. System trust roots are loaded via rustls-native-certs. When use_tls() is true but the feature is disabled, a clear panic is raised. Note: tokio-postgres-rustls 0.13 has an unconditional ring dep for certificate fingerprinting (unrelated to the TLS crypto provider). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
tomasol
force-pushed
the
pr-rustls-postgres
branch
from
ce4d5a2 to
2a06555
Compare
jxs
requested changes
Apr 23, 2026
Member
jxs
left a comment
jxs
left a comment
There was a problem hiding this comment.
Hi, and thanks for this, overall looks good to me! Can you add a test case for this? I think we have one for the native tls one
tomasol
force-pushed
the
pr-rustls-postgres
branch
from
e1d4b7b to
2d55cf1
Compare
Also make postgres connection string configurable via `POSTGRES_URL` environment variable.
tomasol
force-pushed
the
pr-rustls-postgres
branch
from
2d55cf1 to
70e90e0
Compare
Contributor
Author
sure, I've added a test. |
Contributor
Author
|
Thanks for working on this awesome library! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds
tokio-postgres-rustlsfeature, which in turn addstokio-postgres-rustlsdependency.This makes it possible to use
rustlsinstead ofopensslfor TLS termination. It only works for async connections.Please note: I have added ISC to the list of allowed licenses, as this check was failing.