From 3eec5eb1420357fc723d1e64f2fac675daa7dd5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20=C3=9Cbler?= <david.uebler@puzzleyou.de>
Date: Thu, 18 Sep 2025 08:55:15 +0000
Subject: [PATCH 1/2] build TlsConnector in blocking threadpool

The openssl TlsConnector synchronously loads certificates from files.
Loading these files can block for tens of milliseconds.
---
 sqlx-core/src/net/tls/tls_native_tls.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sqlx-core/src/net/tls/tls_native_tls.rs b/sqlx-core/src/net/tls/tls_native_tls.rs
index 1c40b4b01f..38d366c755 100644
--- a/sqlx-core/src/net/tls/tls_native_tls.rs
+++ b/sqlx-core/src/net/tls/tls_native_tls.rs
@@ -4,6 +4,7 @@ use crate::io::ReadBuf;
 use crate::net::tls::util::StdSocket;
 use crate::net::tls::TlsConfig;
 use crate::net::Socket;
+use crate::rt;
 use crate::Error;
 
 use native_tls::{HandshakeError, Identity};
@@ -61,7 +62,9 @@ pub async fn handshake<S: Socket>(
         builder.identity(identity);
     }
 
-    let connector = builder.build().map_err(Error::tls)?;
+    let connector = rt::spawn_blocking(move || builder.build())
+        .await
+        .map_err(Error::tls)?;
 
     let mut mid_handshake = match connector.connect(config.hostname, StdSocket::new(socket)) {
         Ok(tls_stream) => return Ok(NativeTlsSocket { stream: tls_stream }),

From 976d42a18db7b753d6a469a01d2b6a1b5bc782d3 Mon Sep 17 00:00:00 2001
From: Austin Bonander <austin.bonander@gmail.com>
Date: Fri, 19 Sep 2025 14:45:11 -0700
Subject: [PATCH 2/2] Update sqlx-core/src/net/tls/tls_native_tls.rs

---
 sqlx-core/src/net/tls/tls_native_tls.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sqlx-core/src/net/tls/tls_native_tls.rs b/sqlx-core/src/net/tls/tls_native_tls.rs
index 38d366c755..3423e48f8c 100644
--- a/sqlx-core/src/net/tls/tls_native_tls.rs
+++ b/sqlx-core/src/net/tls/tls_native_tls.rs
@@ -62,6 +62,8 @@ pub async fn handshake<S: Socket>(
         builder.identity(identity);
     }
 
+    // The openssl TlsConnector synchronously loads certificates from files.
+    // Loading these files can block for tens of milliseconds.
     let connector = rt::spawn_blocking(move || builder.build())
         .await
         .map_err(Error::tls)?;