| Crates.io | tokio-postgres-rustls-improved |
| lib.rs | tokio-postgres-rustls-improved |
| version | 0.16.2 |
| created_at | 2025-09-02 08:54:29.816292+00 |
| updated_at | 2025-10-31 21:26:57.597265+00 |
| description | Fork of tokio-postgres-rustls with unsafe code removed, critical channel binding bug fixed, and a full integration test suite (see repo for code coverage reports) |
| homepage | |
| repository | https://github.com/khorsolutions/tokio-postgres-rustls-improved |
| max_upload_size | |
| id | 1820839 |
| size | 80,716 |
NOTE: This is a fork; the original tokio-postgres-rustls repo appears to be unmaintained and has known bugs with virtually no test coverage or CI pipeline.
NOTE: Channel binding is not supported with Ed25519 certificates. This appears to be a limitation of Postgres, including Postgres 18.
tokio-postgres-rustls:
0.16.0:
MakeDynamicRustlsConnect to support dynamic configuration via any rustls-config-stream provider (e.g. rustls-spiffe).
0.15.2:
ECDSA_WITH_SHA512 channel binding (i.e. ECDSA P-521, secp521r1, NIST P-521)
NOTE: only supported by aws-lc-rs (default); unsupported with ring crypto provider
0.15.1:
tokio-postgres-rustls)
aws-lc-rs instead of ring (defaults to aws-lc-rs; consistent with rustls defaults)
ring and aws-lc-rs

This is an integration between the rustls TLS stack and the tokio-postgres asynchronous PostgreSQL client library.
With aws-lc-rs (default for rustls):
```sh
cargo add tokio-postgres-rustls-improved
```
With ring:
```sh
cargo add tokio-postgres-rustls-improved --no-default-features --features ring
```
tokio-postgres-rustls?
Patch in our fork, which maintains the original crate name, like this:
With aws-lc-rs feature:
```toml
[patch.crates-io]
tokio-postgres-rustls = { git = "https://github.com/khorsolutions/tokio-postgres-rustls-patch.git", tag = "aws-lc-rs" }
```
With ring feature:
```toml
[patch.crates-io]
tokio-postgres-rustls = { git = "https://github.com/khorsolutions/tokio-postgres-rustls-patch.git", tag = "ring" }
```
See tests/integration.rs for actual usage examples, including SASL/SCRAM using Channel Binding.
```rust
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
use tokio_postgres::config::{ChannelBinding, SslMode};
use tokio_postgres::Config;
use tokio_postgres_rustls_improved::MakeRustlsConnect;

// Excerpt: the statements below run inside an async function.

// Build a [`rustls::RootCertStore`] and client certs
let roots = {
    // `add` takes `&mut self`, so the store must be mutable
    let mut rs = rustls::RootCertStore::empty();
    rs.add(todo!("provide a [`rustls::pki_types::CertificateDer`]"))
        .expect("add root certificate");
    rs
};
let client_certs: Vec<CertificateDer<'static>> = todo!("provide client cert and any intermediate(s) required to chain back to roots if applicable");
let client_key: PrivateKeyDer<'static> = todo!("provide private key for client cert");

// Set up a `rustls::ClientConfig` (see Rustls docs for more info)
let tls_config = rustls::ClientConfig::builder()
    .with_root_certificates(roots)
    .with_client_auth_cert(client_certs, client_key)
    .expect("build rustls client config");

// `MakeRustlsConnect` is provided by this library; it wraps a `rustls::ClientConfig`
let tls = MakeRustlsConnect::new(tls_config);

// Connect as usual with `tokio-postgres`, providing our `MakeRustlsConnect` as the `tls` arg
let mut pg_config = Config::new();
pg_config
    .host("localhost")
    .port(5432)
    .dbname("postgres")
    .user("scram_user")
    .password("password")
    .ssl_mode(SslMode::Require)
    .channel_binding(ChannelBinding::Require);
let (client, conn) = pg_config.connect(tls).await.expect("connect");
```
NOTE: please use proper error handling in production code; this is an excerpt from tests, which are expected to panic on failure.
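Added example, not code from this crate: the hash-selection rule of RFC 5929 section 4.1 for `tls-server-end-point`, the binding type PostgreSQL uses for SCRAM channel binding. It shows where the ECDSA_WITH_SHA512 case from the 0.15.2 entry fits and that an Ed25519 signature algorithm has no associated hash, so the binding is undefined under that rule. The DER walker, the function names and the two sample byte strings are constructed for illustration.

```rust
#[derive(Debug, PartialEq)]
pub enum BindingHash { Sha256, Sha384, Sha512, Undefined, NotCovered }
// Constructed DER skeletons (not real certificates): empty tbsCertificate, OID, empty signature.
pub const SAMPLE_ECDSA_SHA512: &[u8] =
    b"\x30\x11\x30\x00\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x04\x03\x01\x00";
pub const SAMPLE_ED25519: &[u8] = b"\x30\x0c\x30\x00\x30\x05\x06\x03\x2b\x65\x70\x03\x01\x00";

/// Read one DER TLV from the front of `buf`: (tag, value, remainder).
fn tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = buf.split_first()?;
    let (&first, mut rest) = rest.split_first()?;
    let mut len = first as usize;
    if first >= 0x80 {
        let n = (first & 0x7f) as usize; // long form: the next n bytes hold the length
        if n == 0 || n > 4 || rest.len() < n { return None; }
        len = rest[..n].iter().fold(0, |acc, &b| (acc << 8) | b as usize);
        rest = &rest[n..];
    }
    (rest.len() >= len).then(|| (tag, &rest[..len], &rest[len..]))
}
/// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }; returns its OID.
pub fn signature_oid(cert_der: &[u8]) -> Option<&[u8]> {
    let (tag, cert, _) = tlv(cert_der)?;
    let (_, _tbs, after_tbs) = tlv(cert)?;
    let (alg_tag, alg, _) = tlv(after_tbs)?;
    let (oid_tag, oid, _) = tlv(alg)?;
    (tag == 0x30 && alg_tag == 0x30 && oid_tag == 0x06).then_some(oid)
}

/// RFC 5929 section 4.1: MD5 and SHA-1 become SHA-256; no single hash means undefined.
pub fn binding_hash(oid: &[u8]) -> BindingHash {
    use BindingHash::*;
    const RSA: &[u8] = &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01]; // 1.2.840.113549.1.1
    const ECDSA_SHA2: &[u8] = &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03]; // 1.2.840.10045.4.3
    const ED25519: &[u8] = &[0x2b, 0x65, 0x70]; // 1.3.101.112, no separate digest step
    let Some((&last, arc)) = oid.split_last() else { return NotCovered };
    match (arc, last) {
        _ if oid == ED25519 => Undefined,
        (a, 4 | 5 | 11) if a == RSA => Sha256, // md5, sha1 (both upgraded), sha256
        (a, 12) if a == RSA => Sha384,
        (a, 13) if a == RSA => Sha512,
        (a, 2) if a == ECDSA_SHA2 => Sha256,
        (a, 3) if a == ECDSA_SHA2 => Sha384,
        (a, 4) if a == ECDSA_SHA2 => Sha512, // ecdsa-with-SHA512
        _ => NotCovered, // e.g. RSASSA-PSS, whose hash lives in the parameters
    }
}
fn main() {
    println!("{:?}", [SAMPLE_ECDSA_SHA512, SAMPLE_ED25519].map(|c| signature_oid(c).map(binding_hash)));
}
```

`NotCovered` marks algorithms this sketch does not classify; it is not a statement that they lack a channel binding.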
tokio-postgres-rustls-improved is distributed under the MIT license.