diff --git a/CHANGELOG.md b/CHANGELOG.md index 9036a38d09..f41e0a9d82 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [Unreleased] + +[#4045]: https://github.com/launchbadge/sqlx/pull/4045 + ## 0.9.0-alpha.1 - 2025-05-19 Accumulated changes since the beginning of the alpha cycle. Effectively a draft CHANGELOG for the 0.9.0 release. diff --git a/Cargo.lock b/Cargo.lock index 61d2e7d7b6..8010769413 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -763,6 +763,12 @@ dependencies = [ "shlex", ] +[[package]] +name = "cesu8" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c" + [[package]] name = "cexpr" version = "0.6.0" @@ -929,6 +935,16 @@ version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75" +[[package]] +name = "combine" +version = "4.6.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd" +dependencies = [ + "bytes", + "memchr", +] + [[package]] name = "compact_str" version = "0.7.1" 
@@ -2054,6 +2070,28 @@ dependencies = [ "syn 2.0.104", ] +[[package]] +name = "jni" +version = "0.21.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97" +dependencies = [ + "cesu8", + "cfg-if", + "combine", + "jni-sys", + "log", + "thiserror 1.0.69", + "walkdir", + "windows-sys 0.45.0", +] + +[[package]] +name = "jni-sys" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130" + [[package]] name = "jobserver" version = "0.1.33" @@ -3151,6 +3189,33 @@ dependencies = [ "zeroize", ] +[[package]] +name = "rustls-platform-verifier" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "be59af91596cac372a6942530653ad0c3a246cdd491aaa9dcaee47f88d67d5a0" +dependencies = [ + "core-foundation 0.10.1", + "core-foundation-sys", + "jni", + "log", + "once_cell", + "rustls", + "rustls-native-certs", + "rustls-platform-verifier-android", + "rustls-webpki", + "security-framework 3.2.0", + "security-framework-sys", + "webpki-root-certs", + "windows-sys 0.59.0", +] + +[[package]] +name = "rustls-platform-verifier-android" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f" + [[package]] name = "rustls-webpki" version = "0.103.3" @@ -3571,7 +3636,7 @@ dependencies = [ "percent-encoding", "rust_decimal", "rustls", - "rustls-native-certs", + "rustls-platform-verifier", "serde", "serde_json", "sha2", 
@@ -4785,6 +4850,15 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "webpki-root-certs" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4e4ffd8df1c57e87c325000a3d6ef93db75279dc3a231125aac571650f22b12a" +dependencies = [ + "rustls-pki-types", +] + [[package]] name = "webpki-roots" version = "0.26.11" @@ -4915,6 +4989,15 @@ dependencies = [ "windows-link", ] +[[package]] +name = "windows-sys" +version = "0.45.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0" +dependencies = [ + "windows-targets 0.42.2", +] + [[package]] name = "windows-sys" version = "0.48.0" @@ -4951,6 +5034,21 @@ dependencies = [ "windows-targets 0.53.2", ] +[[package]] +name = "windows-targets" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071" +dependencies = [ + "windows_aarch64_gnullvm 0.42.2", + "windows_aarch64_msvc 0.42.2", + "windows_i686_gnu 0.42.2", + "windows_i686_msvc 0.42.2", + "windows_x86_64_gnu 0.42.2", + "windows_x86_64_gnullvm 0.42.2", + "windows_x86_64_msvc 0.42.2", +] + [[package]] name = "windows-targets" version = "0.48.5" @@ -4998,6 +5096,12 @@ dependencies = [ "windows_x86_64_msvc 0.53.0", ] +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" + [[package]] name = "windows_aarch64_gnullvm" version = "0.48.5" 
@@ -5016,6 +5120,12 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764" +[[package]] +name = "windows_aarch64_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" + [[package]] name = "windows_aarch64_msvc" version = "0.48.5" @@ -5034,6 +5144,12 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c" +[[package]] +name = "windows_i686_gnu" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" + [[package]] name = "windows_i686_gnu" version = "0.48.5" @@ -5064,6 +5180,12 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11" +[[package]] +name = "windows_i686_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" + [[package]] name = "windows_i686_msvc" version = "0.48.5" @@ -5082,6 +5204,12 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d" +[[package]] +name = "windows_x86_64_gnu" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" + [[package]] name = "windows_x86_64_gnu" version = "0.48.5" 
@@ -5100,6 +5228,12 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" + [[package]] name = "windows_x86_64_gnullvm" version = "0.48.5" @@ -5118,6 +5252,12 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57" +[[package]] +name = "windows_x86_64_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" + [[package]] name = "windows_x86_64_msvc" version = "0.48.5" diff --git a/Cargo.toml b/Cargo.toml index b24b59cfa0..35a4b9feac 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -102,9 +102,11 @@ runtime-tokio = ["_rt-tokio", "sqlx-core/_rt-tokio", "sqlx-macros?/_rt-tokio"] tls-native-tls = ["sqlx-core/_tls-native-tls", "sqlx-macros?/_tls-native-tls"] tls-rustls = ["tls-rustls-ring"] # For backwards compatibility tls-rustls-aws-lc-rs = ["sqlx-core/_tls-rustls-aws-lc-rs", "sqlx-macros?/_tls-rustls-aws-lc-rs"] +tls-rustls-aws-lc-rs-platform-verifier = ["sqlx-core/_tls-rustls-aws-lc-rs-platform-verifier", "sqlx-macros?/_tls-rustls-aws-lc-rs-platform-verifier"] tls-rustls-ring = ["tls-rustls-ring-webpki"] # For backwards compatibility tls-rustls-ring-webpki = ["sqlx-core/_tls-rustls-ring-webpki", "sqlx-macros?/_tls-rustls-ring-webpki"] -tls-rustls-ring-native-roots = ["sqlx-core/_tls-rustls-ring-native-roots", "sqlx-macros?/_tls-rustls-ring-native-roots"] +tls-rustls-ring-native-roots = ["tls-rustls-ring-platform-verifier"] # For backwards compatibility +tls-rustls-ring-platform-verifier = ["sqlx-core/_tls-rustls-aws-lc-rs-platform-verifier", "sqlx-macros?/_tls-rustls-aws-lc-rs-platform-verifier"] # No-op feature used by the workflows to compile without TLS enabled. Not meant for general use. tls-none = [] diff --git a/README.md b/README.md index f1e53cdced..8086656b42 100644 --- a/README.md +++ b/README.md 
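Review bot: The new `tls-rustls-ring-platform-verifier` line forwards to `sqlx-core/_tls-rustls-aws-lc-rs-platform-verifier` and `sqlx-macros?/_tls-rustls-aws-lc-rs-platform-verifier`, so choosing ring here (or the legacy `tls-rustls-ring-native-roots` alias that now points at it) enables the aws-lc-rs variant instead. With only that internal feature set, the provider `cfg` in `tls_rustls.rs` picks `aws_lc_rs::default_provider()`, so the crypto backend differs from the one the feature name promises and from what a dependency audit would expect. The line should read `tls-rustls-ring-platform-verifier = ["sqlx-core/_tls-rustls-ring-platform-verifier", "sqlx-macros?/_tls-rustls-ring-platform-verifier"]`. The same copy-paste appears in the `sqlx-cli/Cargo.toml`, `sqlx-macros-core/Cargo.toml` and `sqlx-macros/Cargo.toml` hunks, which leaves `_tls-rustls-ring-platform-verifier` in sqlx-core unreachable.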
@@ -139,9 +139,11 @@ sqlx = { version = "0.8", features = [ "runtime-tokio", "tls-native-tls" ] } # tokio + rustls with ring and WebPKI CA certificates sqlx = { version = "0.8", features = [ "runtime-tokio", "tls-rustls-ring-webpki" ] } # tokio + rustls with ring and platform's native CA certificates -sqlx = { version = "0.8", features = [ "runtime-tokio", "tls-rustls-ring-native-roots" ] } +sqlx = { version = "0.8", features = [ "runtime-tokio", "tls-rustls-ring-platform-verifier" ] } # tokio + rustls with aws-lc-rs sqlx = { version = "0.8", features = [ "runtime-tokio", "tls-rustls-aws-lc-rs" ] } +# tokio + rustls with aws-lc-rs and platform's native CA certificates +sqlx = { version = "0.8", features = [ "runtime-tokio", "tls-rustls-aws-lc-rs-platform-verifier" ] } # async-std (no TLS) sqlx = { version = "0.8", features = [ "runtime-async-std" ] } @@ -150,9 +152,11 @@ sqlx = { version = "0.8", features = [ "runtime-async-std", "tls-native-tls" ] } # async-std + rustls with ring and WebPKI CA certificates sqlx = { version = "0.8", features = [ "runtime-async-std", "tls-rustls-ring-webpki" ] } # async-std + rustls with ring and platform's native CA certificates -sqlx = { version = "0.8", features = [ "runtime-async-std", "tls-rustls-ring-native-roots" ] } +sqlx = { version = "0.8", features = [ "runtime-async-std", "tls-rustls-ring-platform-verifier" ] } # async-std + rustls with aws-lc-rs sqlx = { version = "0.8", features = [ "runtime-async-std", "tls-rustls-aws-lc-rs" ] } +# async-std + rustls with aws-lc-rs and platform's native CA certificates +sqlx = { version = "0.8", features = [ "runtime-async-std", "tls-rustls-aws-lc-rs-platform-verifier" ] } ``` #### Cargo Feature Flags diff --git a/sqlx-cli/Cargo.toml b/sqlx-cli/Cargo.toml index d69048e698..520a6836b9 100644 --- a/sqlx-cli/Cargo.toml +++ b/sqlx-cli/Cargo.toml 
@@ -58,6 +58,9 @@ default = ["postgres", "sqlite", "mysql", "native-tls", "completions", "sqlx-tom # TLS options rustls = ["sqlx/tls-rustls"] native-tls = ["sqlx/tls-native-tls"] +tls-rustls-aws-lc-rs-platform-verifier = ["sqlx/tls-rustls-aws-lc-rs-platform-verifier"] +tls-rustls-ring-platform-verifier = ["sqlx/tls-rustls-aws-lc-rs-platform-verifier"] + # databases mysql = ["sqlx/mysql"] diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml index 58c5b67e05..9177f498f3 100644 --- a/sqlx-core/Cargo.toml +++ b/sqlx-core/Cargo.toml @@ -29,8 +29,9 @@ _rt-tokio = ["tokio", "tokio-stream"] _tls-native-tls = ["native-tls"] _tls-rustls-aws-lc-rs = ["_tls-rustls", "rustls/aws-lc-rs", "webpki-roots"] +_tls-rustls-aws-lc-rs-platform-verifier = ["_tls-rustls", "rustls/aws-lc-rs", "rustls-platform-verifier"] _tls-rustls-ring-webpki = ["_tls-rustls", "rustls/ring", "webpki-roots"] -_tls-rustls-ring-native-roots = ["_tls-rustls", "rustls/ring", "rustls-native-certs"] +_tls-rustls-ring-platform-verifier = ["_tls-rustls", "rustls/ring", "rustls-platform-verifier"] _tls-rustls = ["rustls"] _tls-none = [] @@ -57,7 +58,7 @@ native-tls = { version = "0.2.10", optional = true } rustls = { version = "0.23.24", default-features = false, features = ["std", "tls12"], optional = true } webpki-roots = { version = "0.26", optional = true } -rustls-native-certs = { version = "0.8.0", optional = true } +rustls-platform-verifier = { version = "0.6", optional = true } # Type Integrations bit-vec = { workspace = true, optional = true } diff --git a/sqlx-core/src/net/tls/tls_rustls.rs b/sqlx-core/src/net/tls/tls_rustls.rs index 1ecbbad519..0c61a3e2be 100644 --- a/sqlx-core/src/net/tls/tls_rustls.rs +++ b/sqlx-core/src/net/tls/tls_rustls.rs 
@@ -4,16 +4,13 @@ use std::sync::Arc; use std::task::{ready, Context, Poll}; use rustls::{ - client::{ - danger::{ServerCertVerified, ServerCertVerifier}, - WebPkiServerVerifier, - }, + client::danger::{ServerCertVerified, ServerCertVerifier}, crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider}, pki_types::{ pem::{self, PemObject}, CertificateDer, PrivateKeyDer, ServerName, UnixTime, }, - CertificateError, ClientConfig, ClientConnection, Error as TlsError, RootCertStore, + CertificateError, ClientConfig, ClientConnection, Error as TlsError, }; use crate::error::Error; @@ -92,14 +89,17 @@ where S: Socket, { #[cfg(all( - feature = "_tls-rustls-aws-lc-rs", + any( + feature = "_tls-rustls-aws-lc-rs", + feature = "_tls-rustls-aws-lc-rs-platform-verifier" + ), not(feature = "_tls-rustls-ring-webpki"), - not(feature = "_tls-rustls-ring-native-roots") + not(feature = "_tls-rustls-ring-platform-verifier"), ))] let provider = Arc::new(rustls::crypto::aws_lc_rs::default_provider()); #[cfg(any( feature = "_tls-rustls-ring-webpki", - feature = "_tls-rustls-ring-native-roots" + feature = "_tls-rustls-ring-platform-verifier" ))] let provider = Arc::new(rustls::crypto::ring::default_provider()); 
@@ -136,46 +136,53 @@ where .with_custom_certificate_verifier(Arc::new(DummyTlsVerifier { provider })) .with_no_client_auth() } - } else { - let mut cert_store = import_root_certs(); - - if let Some(ca) = tls_config.root_cert_path { - let data = ca.data().await?; - - for result in CertificateDer::pem_slice_iter(&data) { - let Ok(cert) = result else { - return Err(Error::Tls(format!("Invalid certificate {ca}").into())); - }; + } else if tls_config.accept_invalid_hostnames { + #[cfg(feature = "rustls-platform-verifier")] + let verifier = rustls_platform_verifier::Verifier::new(config.crypto_provider().clone()) + .map(Arc::new) + .map_err(Error::tls)?; + + #[cfg(not(feature = "rustls-platform-verifier"))] + let verifier = rustls::client::WebPkiServerVerifier::builder(Arc::new( + load_root_certs(&tls_config).await?, + )) + .build() + .map_err(Error::tls)?; - cert_store.add(cert).map_err(|err| Error::Tls(err.into()))?; - } + if let Some(user_auth) = user_auth { + config + .dangerous() + .with_custom_certificate_verifier(Arc::new(NoHostnameTlsVerifier { verifier })) + .with_client_auth_cert(user_auth.0, user_auth.1) + .map_err(Error::tls)? + } else { + config + .dangerous() + .with_custom_certificate_verifier(Arc::new(NoHostnameTlsVerifier { verifier })) + .with_no_client_auth() + } + } else { + #[cfg(feature = "rustls-platform-verifier")] + if let Some(user_auth) = user_auth { + rustls_platform_verifier::BuilderVerifierExt::with_platform_verifier(config) + .map_err(Error::tls)? + .with_client_auth_cert(user_auth.0, user_auth.1) + .map_err(Error::tls)? + } else { + rustls_platform_verifier::BuilderVerifierExt::with_platform_verifier(config) + .map_err(Error::tls)? 
+ .with_no_client_auth() } - if tls_config.accept_invalid_hostnames { - let verifier = WebPkiServerVerifier::builder(Arc::new(cert_store)) - .build() - .map_err(|err| Error::Tls(err.into()))?; - - if let Some(user_auth) = user_auth { - config - .dangerous() - .with_custom_certificate_verifier(Arc::new(NoHostnameTlsVerifier { verifier })) - .with_client_auth_cert(user_auth.0, user_auth.1) - .map_err(Error::tls)? - } else { - config - .dangerous() - .with_custom_certificate_verifier(Arc::new(NoHostnameTlsVerifier { verifier })) - .with_no_client_auth() - } - } else if let Some(user_auth) = user_auth { + #[cfg(not(feature = "rustls-platform-verifier"))] + if let Some(user_auth) = user_auth { config - .with_root_certificates(cert_store) + .with_root_certificates(load_root_certs(&tls_config).await?) .with_client_auth_cert(user_auth.0, user_auth.1) .map_err(Error::tls)? } else { config - .with_root_certificates(cert_store) + .with_root_certificates(load_root_certs(&tls_config).await?) .with_no_client_auth() } }; @@ -196,7 +203,7 @@ where fn certs_from_pem(pem: Vec) -> Result>, Error> { CertificateDer::pem_slice_iter(&pem) - .map(|result| result.map_err(|err| Error::Tls(err.into()))) + .map(|result| result.map_err(Error::tls)) .collect() } 
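Review bot: With `rustls-platform-verifier` enabled, both new branches of the `@@ -136,46 +136,53 @@` hunk build the verifier from the OS trust store alone and never read `tls_config.root_cert_path`; the removed code added that CA to the store in every build. A database behind a private CA will then fail verification, and the usual workaround users reach for is `accept_invalid_certs`, which is a worse outcome than honouring the configured root. The verifier should be built with the configured CA as an extra root (the crate's `Verifier::new_with_extra_roots` looks like the fit; confirm its signature against 0.6) and, in the strict branch, passed through `dangerous().with_custom_certificate_verifier` in place of `with_platform_verifier`. If dropping the option is intended, return an error when `root_cert_path` is set rather than ignoring it.

```rust
#[cfg(feature = "rustls-platform-verifier")]
let verifier = {
    // Keep honouring an explicitly configured CA on top of the OS trust store.
    let mut extra_roots = Vec::new();
    if let Some(ca) = tls_config.root_cert_path {
        let data = ca.data().await?;
        for result in CertificateDer::pem_slice_iter(&data) {
            let Ok(cert) = result else {
                return Err(Error::tls(format!("Invalid certificate {ca}")));
            };
            extra_roots.push(cert);
        }
    }
    rustls_platform_verifier::Verifier::new_with_extra_roots(
        extra_roots,
        config.crypto_provider().clone(),
    )
    .map(Arc::new)
    .map_err(Error::tls)?
};
// … unchanged: NoHostnameTlsVerifier wiring and client-auth branches …
```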
@@ -208,32 +215,28 @@ fn private_key_from_pem(pem: Vec) -> Result, Error> { } } -#[cfg(all(feature = "webpki-roots", not(feature = "rustls-native-certs")))] -fn import_root_certs() -> RootCertStore { - RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()) -} +#[cfg(all(feature = "webpki-roots", not(feature = "rustls-platform-verifier")))] +async fn load_root_certs(tls_config: &TlsConfig<'_>) -> Result { + let mut cert_store = + rustls::RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); + if let Some(ca) = tls_config.root_cert_path { + let data = ca.data().await?; -#[cfg(feature = "rustls-native-certs")] -fn import_root_certs() -> RootCertStore { - let mut root_cert_store = RootCertStore::empty(); + for result in CertificateDer::pem_slice_iter(&data) { + let Ok(cert) = result else { + return Err(Error::tls(format!("Invalid certificate {ca}"))); + }; - let load_results = rustls_native_certs::load_native_certs(); - for e in load_results.errors { - log::warn!("Error loading native certificates: {e:?}"); - } - for cert in load_results.certs { - if let Err(e) = root_cert_store.add(cert) { - log::warn!("rustls failed to parse native certificate: {e:?}"); + cert_store.add(cert).map_err(Error::tls)?; } } - - root_cert_store + Ok(cert_store) } // Not currently used but allows for a "tls-rustls-no-roots" feature. -#[cfg(not(any(feature = "rustls-native-certs", feature = "webpki-roots")))] -fn import_root_certs() -> RootCertStore { - RootCertStore::empty() +#[cfg(not(any(feature = "rustls-platform-verifier", feature = "webpki-roots")))] +async fn load_root_certs() -> Result { + Ok(rustls::RootCertStore::empty()) } #[derive(Debug)] 
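Review bot: The no-roots fallback `load_root_certs()` takes no arguments, but every call site in this file passes `&tls_config`, so the build breaks as soon as a feature set reaches that `cfg`. It would also return an empty store without reading `root_cert_path`, which is the one case where a user-supplied CA is the only possible trust anchor. Give it the same parameter as the webpki variant, `async fn load_root_certs(tls_config: &TlsConfig<'_>)`, and share the PEM loop so both variants add the configured CA.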
@@ -289,11 +292,14 @@ impl ServerCertVerifier for DummyTlsVerifier { } #[derive(Debug)] -pub struct NoHostnameTlsVerifier { - verifier: Arc, +pub struct NoHostnameTlsVerifier { + verifier: Arc, } -impl ServerCertVerifier for NoHostnameTlsVerifier { +impl ServerCertVerifier for NoHostnameTlsVerifier +where + T: ServerCertVerifier, +{ fn verify_server_cert( &self, end_entity: &CertificateDer<'_>, diff --git a/sqlx-macros-core/Cargo.toml b/sqlx-macros-core/Cargo.toml index 3bcbede6f4..8fb47c91d5 100644 --- a/sqlx-macros-core/Cargo.toml +++ b/sqlx-macros-core/Cargo.toml @@ -19,8 +19,9 @@ _rt-tokio = ["tokio", "sqlx-core/_rt-tokio"] _tls-native-tls = ["sqlx-core/_tls-native-tls"] _tls-rustls-aws-lc-rs = ["sqlx-core/_tls-rustls-aws-lc-rs"] +_tls-rustls-aws-lc-rs-platform-verifier = ["sqlx-core/_tls-rustls-aws-lc-rs-platform-verifier"] _tls-rustls-ring-webpki = ["sqlx-core/_tls-rustls-ring-webpki"] -_tls-rustls-ring-native-roots = ["sqlx-core/_tls-rustls-ring-native-roots"] +_tls-rustls-ring-platform-verifier = ["sqlx-core/_tls-rustls-aws-lc-rs-platform-verifier"] _sqlite = [] diff --git a/sqlx-macros/Cargo.toml b/sqlx-macros/Cargo.toml index 95954d72ef..17b154d3f4 100644 --- a/sqlx-macros/Cargo.toml +++ b/sqlx-macros/Cargo.toml @@ -22,8 +22,9 @@ _rt-tokio = ["sqlx-macros-core/_rt-tokio"] _tls-native-tls = ["sqlx-macros-core/_tls-native-tls"] _tls-rustls-aws-lc-rs = ["sqlx-macros-core/_tls-rustls-aws-lc-rs"] +_tls-rustls-aws-lc-rs-platform-verifier = ["sqlx-macros-core/_tls-rustls-aws-lc-rs-platform-verifier"] _tls-rustls-ring-webpki = ["sqlx-macros-core/_tls-rustls-ring-webpki"] -_tls-rustls-ring-native-roots = ["sqlx-macros-core/_tls-rustls-ring-native-roots"] +_tls-rustls-ring-platform-verifier = ["sqlx-macros-core/_tls-rustls-aws-lc-rs-platform-verifier"] # SQLx features derive = ["sqlx-macros-core/derive"] diff --git a/sqlx-postgres/src/options/doc.md b/sqlx-postgres/src/options/doc.md index 33dd63b7a8..b67b0d1eb1 100644 --- a/sqlx-postgres/src/options/doc.md 
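Review bot: `NoHostnameTlsVerifier` is public and now generic, but carries no doc comment saying what it requires of the inner verifier, and this commit starts wrapping the OS-backed verifier in it. The body of `verify_server_cert` continues outside the hunk; presumably it forwards to `verifier` and suppresses only a name-mismatch error, in which case the wrapper depends on every platform backend reporting a mismatch as the same `CertificateError` value. I would add `/// Delegates to the inner verifier and ignores only a hostname mismatch; all other verification errors are returned unchanged.` (adjusted to what the body really does) and a test with a mismatched server name per supported platform.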
+++ b/sqlx-postgres/src/options/doc.md @@ -86,7 +86,8 @@ See `default_host()` in the same source file as this method for the current beha If `sslrootcert` is not set, the default root certificates used depends on Cargo features: * If `tls-native-tls` is enabled, the system root certificates are used. -* If `tls-rustls-ring-native-roots` is enabled, the system root certificates are used. +* If `tls-rustls-ring-platform-verifier` or `tls-rustls-aws-lc-rs-platform-verifier` + is enabled, the system root certificates are used. * Otherwise, TLS roots are populated using the [`webpki-roots`] crate. ## Environment Variables