From c31038e9c8f05d11d6e5747b8a43ea035b7a9e7d Mon Sep 17 00:00:00 2001
From: curtis lee fulton
Date: Mon, 24 Nov 2025 23:30:35 -0800
Subject: [PATCH 1/4] feat: Support rustls-native-certs as an alternative to webpki-roots #960

---
 Cargo.toml | 2 ++
 sqlx-core/Cargo.toml | 2 ++
 sqlx-core/src/net/tls/tls_rustls.rs | 48 +++++++++++++++++++++++++----
 sqlx-macros-core/Cargo.toml | 2 ++
 sqlx-macros/Cargo.toml | 2 ++
 5 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 00d5d656c1..e595ab25f5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -105,6 +105,8 @@ tls-rustls-aws-lc-rs = ["sqlx-core/_tls-rustls-aws-lc-rs", "sqlx-macros?/_tls-ru
 tls-rustls-ring = ["tls-rustls-ring-webpki"] # For backwards compatibility
 tls-rustls-ring-webpki = ["sqlx-core/_tls-rustls-ring-webpki", "sqlx-macros?/_tls-rustls-ring-webpki"]
 tls-rustls-ring-native-roots = ["sqlx-core/_tls-rustls-ring-native-roots", "sqlx-macros?/_tls-rustls-ring-native-roots"]
+tls-rustls-aws-lc-rs-native-roots = ["sqlx-core/_tls-rustls-aws-lc-rs-native-roots", "sqlx-macros?/_tls-rustls-aws-lc-rs-native-roots"]
+tls-rustls-no-provider-native-roots = ["sqlx-core/_tls-rustls-no-provider-native-roots", "sqlx-macros?/_tls-rustls-no-provider-native-roots"]
 
 # No-op feature used by the workflows to compile without TLS enabled. Not meant for general use.
 tls-none = []
diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml
index fff4ef3d24..4c4ccbda15 100644
--- a/sqlx-core/Cargo.toml
+++ b/sqlx-core/Cargo.toml
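Review bot: The two new public features are added without the kind of comment the neighbouring `tls-rustls-ring` line carries, and `tls-rustls-no-provider-native-roots` in particular has a precondition that the feature name does not convey: the accompanying code in sqlx-core/src/net/tls/tls_rustls.rs reads the process-level `CryptoProvider` and returns a configuration error when none has been installed. A comment above the new lines such as `# Uses the process-level rustls CryptoProvider; the application must call CryptoProvider::install_default() before opening a connection.` would turn a connect-time failure into a documented requirement. It would also help to state here which provider is used when several `tls-rustls-*` features are enabled at once, since the cfg gating in tls_rustls.rs resolves that silently.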
@@ -31,6 +31,8 @@ _tls-native-tls = ["native-tls"]
 _tls-rustls-aws-lc-rs = ["_tls-rustls", "rustls/aws-lc-rs", "webpki-roots"]
 _tls-rustls-ring-webpki = ["_tls-rustls", "rustls/ring", "webpki-roots"]
 _tls-rustls-ring-native-roots = ["_tls-rustls", "rustls/ring", "rustls-native-certs"]
+_tls-rustls-aws-lc-rs-native-roots = ["_tls-rustls", "rustls/aws-lc-rs", "rustls-native-certs"]
+_tls-rustls-no-provider-native-roots = ["_tls-rustls", "rustls-native-certs"]
 _tls-rustls = ["rustls"]
 _tls-none = []
 
diff --git a/sqlx-core/src/net/tls/tls_rustls.rs b/sqlx-core/src/net/tls/tls_rustls.rs
index 1ecbbad519..7ecc28d4fe 100644
--- a/sqlx-core/src/net/tls/tls_rustls.rs
+++ b/sqlx-core/src/net/tls/tls_rustls.rs
@@ -92,17 +92,37 @@ where
 S: Socket,
 {
 #[cfg(all(
- feature = "_tls-rustls-aws-lc-rs",
+ any(
+ feature = "_tls-rustls-aws-lc-rs",
+ feature = "_tls-rustls-aws-lc-rs-native-roots"
+ ),
 not(feature = "_tls-rustls-ring-webpki"),
- not(feature = "_tls-rustls-ring-native-roots")
+ not(feature = "_tls-rustls-ring-native-roots"),
+ not(feature = "_tls-rustls-no-provider-native-roots")
 ))]
 let provider = Arc::new(rustls::crypto::aws_lc_rs::default_provider());
- #[cfg(any(
- feature = "_tls-rustls-ring-webpki",
- feature = "_tls-rustls-ring-native-roots"
+ #[cfg(all(
+ any(
+ feature = "_tls-rustls-ring-webpki",
+ feature = "_tls-rustls-ring-native-roots"
+ ),
+ not(feature = "_tls-rustls-aws-lc-rs-native-roots"),
+ not(feature = "_tls-rustls-no-provider-native-roots")
 ))]
 let provider = Arc::new(rustls::crypto::ring::default_provider());
 
+ #[cfg(all(
+ feature = "_tls-rustls-no-provider-native-roots",
+ not(feature = "_tls-rustls-ring-webpki"),
+ not(feature = "_tls-rustls-ring-native-roots"),
+ not(feature = "_tls-rustls-aws-lc-rs"),
+ not(feature = "_tls-rustls-aws-lc-rs-native-roots"),
+ ))]
+ let provider = CryptoProvider::get_default()
+ .ok_or_else(|| Error::Configuration(
+ "no process-level CryptoProvider available -- call CryptoProvider::install_default() before this point".into()
+ ))?.clone();
+
 // Unwrapping is safe here because we use a default provider.
 let config = ClientConfig::builder_with_provider(provider.clone())
 .with_safe_default_protocol_versions()
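Review bot: With `_tls-rustls-aws-lc-rs` (or `_tls-rustls-aws-lc-rs-native-roots`) and `_tls-rustls-no-provider-native-roots` enabled together, none of the three `let provider` bindings survives cfg — the aws-lc-rs block is excluded by its `not(feature = "_tls-rustls-no-provider-native-roots")` and the new no-provider block by its `not(feature = "_tls-rustls-aws-lc-rs")` / `not(feature = "_tls-rustls-aws-lc-rs-native-roots")` — so `builder_with_provider(provider.clone())` fails to compile on that feature combination. The same gap exists here for ring plus no-provider; patch 2 closes it for ring by dropping the `not(...)` guards from the ring block (the `@@ -106,8 +106,6 @@` hunk) and patch 3's `@@ -101,11 +101,9 @@` hunk keeps the aws-lc-rs guard, so the aws-lc-rs case is still open at the end of the series. Dropping `not(feature = "_tls-rustls-no-provider-native-roots")` from the aws-lc-rs block gives a compiled-in provider precedence over the process default, matching what the ring block ends up doing. The context comment `// Unwrapping is safe here because we use a default provider.` also no longer holds for the new path: the provider there is whatever the application installed, and `with_safe_default_protocol_versions()` is fallible in rustls, so the failure mode now depends on the caller's provider — consider `// With the no-provider feature the process-level provider is used; the builder can reject one that lacks the default protocol versions.` and propagating that error rather than unwrapping (the unwrap itself is outside this hunk). The enclosing function starts before this hunk and continues past it.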
@@ -137,6 +157,17 @@ where
 .with_no_client_auth()
 }
 } else {
+ #[cfg(all(
+ not(feature = "_tls-rustls-ring-native-roots"),
+ not(feature = "_tls-rustls-aws-lc-rs-native-roots"),
+ not(feature = "_tls-rustls-no-provider-native-roots")
+ ))]
+ let mut cert_store = import_root_certs();
+ #[cfg(any(
+ feature = "_tls-rustls-ring-native-roots",
+ feature = "_tls-rustls-aws-lc-rs-native-roots",
+ feature = "_tls-rustls-no-provider-native-roots"
+ ))]
 let mut cert_store = import_root_certs();
 
 if let Some(ca) = tls_config.root_cert_path {
@@ -213,7 +244,12 @@ fn import_root_certs() -> RootCertStore {
 RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned())
 }
 
-#[cfg(feature = "rustls-native-certs")]
+#[cfg(any(
+ feature = "rustls-native-certs",
+ feature = "_tls-rustls-ring-native-roots",
+ feature = "_tls-rustls-aws-lc-rs-native-roots",
+ feature = "_tls-rustls-no-provider-native-roots"
+))]
 fn import_root_certs() -> RootCertStore {
 let mut root_cert_store = RootCertStore::empty();
 
diff --git a/sqlx-macros-core/Cargo.toml b/sqlx-macros-core/Cargo.toml
index 8702555086..97182cebf6 100644
--- a/sqlx-macros-core/Cargo.toml
+++ b/sqlx-macros-core/Cargo.toml
@@ -21,6 +21,8 @@ _tls-native-tls = ["sqlx-core/_tls-native-tls"]
 _tls-rustls-aws-lc-rs = ["sqlx-core/_tls-rustls-aws-lc-rs"]
 _tls-rustls-ring-webpki = ["sqlx-core/_tls-rustls-ring-webpki"]
 _tls-rustls-ring-native-roots = ["sqlx-core/_tls-rustls-ring-native-roots"]
+_tls-rustls-aws-lc-rs-native-roots = ["sqlx-core/_tls-rustls-aws-lc-rs-native-roots"]
+_tls-rustls-no-provider-native-roots = ["sqlx-core/_tls-rustls-no-provider-native-roots"]
 
 _sqlite = []
 
diff --git a/sqlx-macros/Cargo.toml b/sqlx-macros/Cargo.toml
index 95954d72ef..f9a8b20623 100644
--- a/sqlx-macros/Cargo.toml
+++ b/sqlx-macros/Cargo.toml
@@ -24,6 +24,8 @@ _tls-native-tls = ["sqlx-macros-core/_tls-native-tls"]
 _tls-rustls-aws-lc-rs = ["sqlx-macros-core/_tls-rustls-aws-lc-rs"]
 _tls-rustls-ring-webpki = ["sqlx-macros-core/_tls-rustls-ring-webpki"]
 _tls-rustls-ring-native-roots = ["sqlx-macros-core/_tls-rustls-ring-native-roots"]
+_tls-rustls-aws-lc-rs-native-roots = ["sqlx-macros-core/_tls-rustls-aws-lc-rs-native-roots"]
+_tls-rustls-no-provider-native-roots = ["sqlx-macros-core/_tls-rustls-no-provider-native-roots"]
 
 # SQLx features
 derive = ["sqlx-macros-core/derive"]

From 0d83ed2cd9054860e439efe0e8cc67230ede8195 Mon Sep 17 00:00:00 2001
From: curtis lee fulton
Date: Mon, 24 Nov 2025 23:42:24 -0800
Subject: [PATCH 2/4] feat: #960 - default ring --all-features

---
 sqlx-core/src/net/tls/tls_rustls.rs | 2 --
 1 file changed, 2 deletions(-)

diff --git a/sqlx-core/src/net/tls/tls_rustls.rs b/sqlx-core/src/net/tls/tls_rustls.rs
index 7ecc28d4fe..99f8403214 100644
--- a/sqlx-core/src/net/tls/tls_rustls.rs
+++ b/sqlx-core/src/net/tls/tls_rustls.rs
@@ -106,8 +106,6 @@ where
 feature = "_tls-rustls-ring-webpki",
 feature = "_tls-rustls-ring-native-roots"
 ),
- not(feature = "_tls-rustls-aws-lc-rs-native-roots"),
- not(feature = "_tls-rustls-no-provider-native-roots")
 ))]
 let provider = Arc::new(rustls::crypto::ring::default_provider());
 

From 85cabf9cf0924ba968a1d28421971aa516acd965 Mon Sep 17 00:00:00 2001
From: curtis lee fulton
Date: Mon, 24 Nov 2025 23:51:52 -0800
Subject: [PATCH 3/4] feat: #960 - clippy

---
 sqlx-core/src/net/tls/tls_rustls.rs | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/sqlx-core/src/net/tls/tls_rustls.rs b/sqlx-core/src/net/tls/tls_rustls.rs
index 99f8403214..0b00a81400 100644
--- a/sqlx-core/src/net/tls/tls_rustls.rs
+++ b/sqlx-core/src/net/tls/tls_rustls.rs
@@ -101,11 +101,9 @@ where
 not(feature = "_tls-rustls-no-provider-native-roots")
 ))]
 let provider = Arc::new(rustls::crypto::aws_lc_rs::default_provider());
- #[cfg(all(
- any(
- feature = "_tls-rustls-ring-webpki",
- feature = "_tls-rustls-ring-native-roots"
- ),
+ #[cfg(any(
+ feature = "_tls-rustls-ring-webpki",
+ feature = "_tls-rustls-ring-native-roots"
 ))]
 let provider = Arc::new(rustls::crypto::ring::default_provider());
 

From 3400c6946728f57d84848527f2b6ec8517c1eeef Mon Sep 17 00:00:00 2001
From: curtis lee fulton
Date: Tue, 25 Nov 2025 00:13:22 -0800
Subject: [PATCH 4/4] feat: #960 - fix merge

---
 sqlx-core/src/net/tls/tls_rustls.rs | 18 +----------------
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/sqlx-core/src/net/tls/tls_rustls.rs b/sqlx-core/src/net/tls/tls_rustls.rs
index 0b00a81400..9fca6ca5ab 100644
--- a/sqlx-core/src/net/tls/tls_rustls.rs
+++ b/sqlx-core/src/net/tls/tls_rustls.rs
@@ -153,17 +153,6 @@ where
 .with_no_client_auth()
 }
 } else {
- #[cfg(all(
- not(feature = "_tls-rustls-ring-native-roots"),
- not(feature = "_tls-rustls-aws-lc-rs-native-roots"),
- not(feature = "_tls-rustls-no-provider-native-roots")
- ))]
- let mut cert_store = import_root_certs();
- #[cfg(any(
- feature = "_tls-rustls-ring-native-roots",
- feature = "_tls-rustls-aws-lc-rs-native-roots",
- feature = "_tls-rustls-no-provider-native-roots"
- ))]
 let mut cert_store = import_root_certs();
 
 if let Some(ca) = tls_config.root_cert_path {
@@ -240,12 +229,7 @@ fn import_root_certs() -> RootCertStore {
 RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned())
 }
 
-#[cfg(any(
- feature = "rustls-native-certs",
- feature = "_tls-rustls-ring-native-roots",
- feature = "_tls-rustls-aws-lc-rs-native-roots",
- feature = "_tls-rustls-no-provider-native-roots"
-))]
+#[cfg(feature = "rustls-native-certs")]
 fn import_root_certs() -> RootCertStore {
 let mut root_cert_store = RootCertStore::empty();
 
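Review bot: After the `@@ -101,11 +101,9 @@` hunk the ring block is selected by `#[cfg(any(feature = "_tls-rustls-ring-webpki", feature = "_tls-rustls-ring-native-roots"))]` with no exclusions, while the aws-lc-rs block (in the hunk's context) and the no-provider block both exclude ring, so ring silently takes priority over aws-lc-rs and over a provider the application installed with `CryptoProvider::install_default()` whenever a ring feature is on — nothing in the code states that. For an application that installs, say, a FIPS-validated provider and builds with `--all-features`, that is a security-relevant surprise worth making explicit in a comment above the first `#[cfg(` of the selection, along the lines of `// Provider precedence when several TLS features are enabled: ring is used whenever a ring feature is on; otherwise the compiled-in aws-lc-rs or the process-level provider, which must not both be requested.` (the aws-lc-rs and no-provider blocks still exclude each other). The selection sits inside a function that starts before this hunk and continues past it.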