Update rustls / tls functions.

2025-04-16 07:26:45 +00:00 · 2024-03-13 16:23:49 +00:00 · 2024-03-13 16:23:49 +00:00 · 26cef0b2ca
commit 26cef0b2ca
parent b118ab56be
10 changed files with 236 additions and 85 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -637,6 +637,16 @@ dependencies = [
 "regex",
 ]

+[[package]]
+name = "bcder"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c627747a6774aab38beb35990d88309481378558875a41da1a4b2e373c906ef0"
+dependencies = [
+ "bytes",
+ "smallvec",
+]
+
 [[package]]
 name = "bigdecimal"
 version = "0.4.2"
@ -843,9 +853,9 @@ dependencies = [
 "rsa",
 "rumqttc",
 "rust-embed",
- "rustls",
- "rustls-native-certs",
- "rustls-pemfile",
+ "rustls 0.22.2",
+ "rustls-native-certs 0.7.0",
+ "rustls-pemfile 2.1.1",
 "serde",
 "serde_json",
 "serde_urlencoded",
@ -1032,6 +1042,19 @@ dependencies = [
 "crossbeam-utils",
 ]

+[[package]]
+name = "console"
+version = "0.15.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0e1f83fc076bd6dd27517eacdf25fef6c4dfe5f1d7448bafaaf3a26f13b5e4eb"
+dependencies = [
+ "encode_unicode",
+ "lazy_static",
+ "libc",
+ "unicode-width",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "const-oid"
 version = "0.9.5"
@ -1197,7 +1220,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fb84100978c1c7b37f09ed3ce3e5f843af02c2a2c431bae5b19230dad2c1b490"
 dependencies = [
 "async-trait",
- "deadpool-runtime",
+ "deadpool-runtime 0.1.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "num_cpus",
+ "tokio",
+]
+
+[[package]]
+name = "deadpool"
+version = "0.10.0"
+source = "git+http://github.com/brocaar/deadpool.git?branch=update_redis#1697c5e198c72ac85c54613c5fc41aefaed09bee"
+dependencies = [
+ "console",
+ "deadpool-runtime 0.1.3 (git+http://github.com/brocaar/deadpool.git?branch=update_redis)",
 "num_cpus",
 "tokio",
 ]
@ -1205,10 +1239,9 @@ dependencies = [
 [[package]]
 name = "deadpool-redis"
 version = "0.14.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36f2381b0e993d06a1f6d49f486b33bc4004085bf980340fc05726bacc681fff"
+source = "git+http://github.com/brocaar/deadpool.git?branch=update_redis#1697c5e198c72ac85c54613c5fc41aefaed09bee"
 dependencies = [
- "deadpool",
+ "deadpool 0.10.0 (git+http://github.com/brocaar/deadpool.git?branch=update_redis)",
 "redis",
 ]

@ -1217,6 +1250,11 @@ name = "deadpool-runtime"
 version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "63dfa964fe2a66f3fde91fc70b267fe193d822c7e603e2a675a49a7f46ad3f49"
+
+[[package]]
+name = "deadpool-runtime"
+version = "0.1.3"
+source = "git+http://github.com/brocaar/deadpool.git?branch=update_redis#1697c5e198c72ac85c54613c5fc41aefaed09bee"
 dependencies = [
 "tokio",
 ]
@ -1289,7 +1327,7 @@ version = "0.4.1"
 source = "git+https://github.com/weiznich/diesel_async.git?rev=017ebe2fb7a2709ab5db92148dea5ce812a35e09#017ebe2fb7a2709ab5db92148dea5ce812a35e09"
 dependencies = [
 "async-trait",
- "deadpool",
+ "deadpool 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "diesel",
 "futures-util",
 "scoped-futures",
@ -1489,6 +1527,12 @@ dependencies = [
 "log",
 ]

+[[package]]
+name = "encode_unicode"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f"
+
 [[package]]
 name = "encoding_rs"
 version = "0.8.33"
@ -1777,8 +1821,8 @@ dependencies = [
 "hyper",
 "hyper-rustls",
 "ring 0.16.20",
- "rustls",
- "rustls-pemfile",
+ "rustls 0.21.10",
+ "rustls-pemfile 1.0.4",
 "serde",
 "serde_json",
 "thiserror",
@ -2101,10 +2145,10 @@ dependencies = [
 "futures-util",
 "http",
 "hyper",
- "rustls",
- "rustls-native-certs",
+ "rustls 0.21.10",
+ "rustls-native-certs 0.6.3",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.24.1",
 ]

 [[package]]
@ -3387,9 +3431,9 @@ dependencies = [

 [[package]]
 name = "redis"
-version = "0.24.0"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c580d9cbbe1d1b479e8d67cf9daf6a62c957e6846048408b80b43ac3f6af84cd"
+checksum = "14c442de91f2a085154b1e1b374d5d5edf5bc49d2ebbfdf47e67edd6c2df568d"
 dependencies = [
 "async-trait",
 "bytes",
@ -3402,15 +3446,15 @@ dependencies = [
 "percent-encoding",
 "pin-project-lite",
 "rand",
- "rustls",
- "rustls-native-certs",
- "rustls-pemfile",
- "rustls-webpki",
+ "rustls 0.22.2",
+ "rustls-native-certs 0.7.0",
+ "rustls-pemfile 2.1.1",
+ "rustls-pki-types",
 "ryu",
 "sha1_smol",
- "socket2 0.4.10",
+ "socket2 0.5.5",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.25.0",
 "tokio-util",
 "url",
 ]
@ -3499,15 +3543,15 @@ dependencies = [
 "once_cell",
 "percent-encoding",
 "pin-project-lite",
- "rustls",
- "rustls-native-certs",
- "rustls-pemfile",
+ "rustls 0.21.10",
+ "rustls-native-certs 0.6.3",
+ "rustls-pemfile 1.0.4",
 "serde",
 "serde_json",
 "serde_urlencoded",
 "system-configuration",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.24.1",
 "tower-service",
 "url",
 "wasm-bindgen",
@ -3608,20 +3652,20 @@ dependencies = [

 [[package]]
 name = "rumqttc"
-version = "0.23.0"
+version = "0.24.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d8941c6791801b667d52bfe9ff4fc7c968d4f3f9ae8ae7abdaaa1c966feafc8"
+checksum = "e1568e15fab2d546f940ed3a21f48bbbd1c494c90c99c4481339364a497f94a9"
 dependencies = [
 "bytes",
 "flume 0.11.0",
 "futures-util",
 "log",
- "rustls-native-certs",
- "rustls-pemfile",
- "rustls-webpki",
+ "rustls-native-certs 0.7.0",
+ "rustls-pemfile 2.1.1",
+ "rustls-webpki 0.102.2",
 "thiserror",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.25.0",
 "url",
 ]

@ -3724,10 +3768,24 @@ checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba"
 dependencies = [
 "log",
 "ring 0.17.7",
- "rustls-webpki",
+ "rustls-webpki 0.101.7",
 "sct",
 ]

+[[package]]
+name = "rustls"
+version = "0.22.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e87c9956bd9807afa1f77e0f7594af32566e830e088a5576d27c5b6f30f49d41"
+dependencies = [
+ "log",
+ "ring 0.17.7",
+ "rustls-pki-types",
+ "rustls-webpki 0.102.2",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "rustls-connector"
 version = "0.18.5"
@ -3735,9 +3793,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "25da151615461c7347114b1ad1a7458b4cdebc69cb220cd140cd5cb324b1dd37"
 dependencies = [
 "log",
- "rustls",
- "rustls-native-certs",
- "rustls-webpki",
+ "rustls 0.21.10",
+ "rustls-native-certs 0.6.3",
+ "rustls-webpki 0.101.7",
 ]

 [[package]]
@ -3747,7 +3805,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00"
 dependencies = [
 "openssl-probe",
- "rustls-pemfile",
+ "rustls-pemfile 1.0.4",
+ "schannel",
+ "security-framework",
+]
+
+[[package]]
+name = "rustls-native-certs"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f1fb85efa936c42c6d5fc28d2629bb51e4b2f4b8a5211e297d599cc5a093792"
+dependencies = [
+ "openssl-probe",
+ "rustls-pemfile 2.1.1",
+ "rustls-pki-types",
 "schannel",
 "security-framework",
 ]
@ -3761,6 +3832,22 @@ dependencies = [
 "base64 0.21.5",
 ]

+[[package]]
+name = "rustls-pemfile"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f48172685e6ff52a556baa527774f61fcaa884f59daf3375c62a3f1cd2549dab"
+dependencies = [
+ "base64 0.21.5",
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5ede67b28608b4c60685c7d54122d4400d90f62b40caee7700e700380a390fa8"
+
 [[package]]
 name = "rustls-webpki"
 version = "0.101.7"
@ -3771,6 +3858,17 @@ dependencies = [
 "untrusted 0.9.0",
 ]

+[[package]]
+name = "rustls-webpki"
+version = "0.102.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faaa0a62740bedb9b2ef5afa303da42764c012f743917351dc9a237ea1663610"
+dependencies = [
+ "ring 0.17.7",
+ "rustls-pki-types",
+ "untrusted 0.9.0",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.14"
@ -4274,7 +4372,7 @@ dependencies = [
 "cfg-if",
 "p12",
 "rustls-connector",
- "rustls-pemfile",
+ "rustls-pemfile 1.0.4",
 ]

 [[package]]
@ -4386,9 +4484,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"

 [[package]]
 name = "tokio"
-version = "1.35.0"
+version = "1.36.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "841d45b238a16291a4e1584e61820b8ae57d696cc5015c459c229ccc6990cc1c"
+checksum = "61285f6515fa018fb2d1e46eb21223fff441ee8db5d0f1435e8ab4f5cdb80931"
 dependencies = [
 "backtrace",
 "bytes",
@ -4462,16 +4560,17 @@ dependencies = [

 [[package]]
 name = "tokio-postgres-rustls"
-version = "0.10.0"
+version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd5831152cb0d3f79ef5523b357319ba154795d64c7078b2daa95a803b54057f"
+checksum = "0ea13f22eda7127c827983bdaf0d7fff9df21c8817bab02815ac277a21143677"
 dependencies = [
 "futures",
- "ring 0.16.20",
- "rustls",
+ "ring 0.17.7",
+ "rustls 0.22.2",
 "tokio",
 "tokio-postgres",
- "tokio-rustls",
+ "tokio-rustls 0.25.0",
+ "x509-certificate",
 ]

 [[package]]
@ -4494,7 +4593,18 @@ version = "0.24.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
 dependencies = [
- "rustls",
+ "rustls 0.21.10",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-rustls"
+version = "0.25.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f"
+dependencies = [
+ "rustls 0.22.2",
+ "rustls-pki-types",
 "tokio",
 ]

@ -4812,6 +4922,12 @@ dependencies = [
 "tinyvec",
 ]

+[[package]]
+name = "unicode-width"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85"
+
 [[package]]
 name = "unicode-xid"
 version = "0.2.4"
@ -4945,13 +5061,13 @@ dependencies = [
 "mime_guess",
 "percent-encoding",
 "pin-project",
- "rustls-pemfile",
+ "rustls-pemfile 1.0.4",
 "scoped-tls",
 "serde",
 "serde_json",
 "serde_urlencoded",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.24.1",
 "tokio-stream",
 "tokio-util",
 "tower-service",
@ -5259,6 +5375,25 @@ dependencies = [
 "windows-sys 0.48.0",
 ]

+[[package]]
+name = "x509-certificate"
+version = "0.23.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "66534846dec7a11d7c50a74b7cdb208b9a581cad890b7866430d438455847c85"
+dependencies = [
+ "bcder",
+ "bytes",
+ "chrono",
+ "der",
+ "hex",
+ "pem",
+ "ring 0.17.7",
+ "signature",
+ "spki",
+ "thiserror",
+ "zeroize",
+]
+
 [[package]]
 name = "x509-parser"
 version = "0.15.1"
@ -5291,3 +5426,17 @@ name = "zeroize"
 version = "1.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
+dependencies = [
+ "zeroize_derive",
+]
+
+[[package]]
+name = "zeroize_derive"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.40",
+]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -20,3 +20,5 @@ diesel = { git = "https://github.com/diesel-rs/diesel.git", rev = "566dcccc6df6a

 # Remove if diesel-async > 0.4.1
 diesel-async = { git = "https://github.com/weiznich/diesel_async.git", rev = "017ebe2fb7a2709ab5db92148dea5ce812a35e09" }
+
+deadpool-redis = { git = "http://github.com/brocaar/deadpool.git", branch = "update_redis" }
--- a/chirpstack-integration/Cargo.toml
+++ b/chirpstack-integration/Cargo.toml
@ -10,7 +10,7 @@

 [dependencies]
  chirpstack_api = { path = "../api/rust", version = "4.7.0-test.3" }
-  redis = { version = "0.24", features = [
+  redis = { version = "0.25", features = [
    "cluster-async",
    "tokio-rustls-comp",
  ] }
--- a/chirpstack-integration/src/lib.rs
+++ b/chirpstack-integration/src/lib.rs
@ -95,7 +95,9 @@ enum RedisClient {
 impl RedisClient {
    async fn get_async_connection(&self) -> Result<RedisConnection> {
        match self {
-            RedisClient::Client(c) => Ok(RedisConnection::Client(c.get_async_connection().await?)),
+            RedisClient::Client(c) => Ok(RedisConnection::Client(
+                c.get_multiplexed_async_connection().await?,
+            )),
            RedisClient::ClusterClient(c) => Ok(RedisConnection::ClusterClient(
                c.get_async_connection().await?,
            )),
@ -104,7 +106,7 @@ impl RedisClient {
 }

 enum RedisConnection {
-    Client(redis::aio::Connection),
+    Client(redis::aio::MultiplexedConnection),
    ClusterClient(redis::cluster_async::ClusterConnection),
 }

--- a/chirpstack/Cargo.toml
+++ b/chirpstack/Cargo.toml
@ -35,9 +35,9 @@ diesel = { version = "2.1", features = [
 diesel_migrations = { version = "2.1" }
 diesel-async = { version = "0.4", features = ["deadpool", "postgres", "async-connection-wrapper"] }
 tokio-postgres = "0.7"
-tokio-postgres-rustls = "0.10.0"
+tokio-postgres-rustls = "0.11"
 bigdecimal = "0.4"
-redis = { version = "0.24", features = [ "tls-rustls", "tokio-rustls-comp"] }
+redis = { version = "0.25.1", features = [ "tls-rustls", "tokio-rustls-comp"] }
 deadpool-redis = { version = "0.14", features = ["cluster"] }

 # Logging
@ -101,16 +101,16 @@ anyhow = "1.0"
 pbkdf2 = { version = "0.12", features = ["simple"] }
 rand_core = { version = "0.6", features = ["std"] }
 jsonwebtoken = "9.2"
-rustls = "0.21"
-rustls-native-certs = "0.6"
-rustls-pemfile = "1.0"
+rustls = "0.22"
+rustls-native-certs = "0.7"
+rustls-pemfile = "2.0"
 rsa = "0.9"
 rcgen = { version = "0.12", features = [ "x509-parser" ] }
 openidconnect = { version = "3.3", features = ["accept-rfc3339-timestamps"] }
 oauth2 = "4.4"

 # MQTT
-rumqttc = { version = "0.23", features = ["url"] }
+rumqttc = { version = "0.24", features = ["url"] }
 hex = "0.4"

 # Codecs
--- a/chirpstack/src/gateway/backend/mqtt.rs
+++ b/chirpstack/src/gateway/backend/mqtt.rs
@ -143,12 +143,10 @@ impl<'a> MqttBackend<'a> {

            let client_conf = if conf.tls_cert.is_empty() && conf.tls_key.is_empty() {
                rustls::ClientConfig::builder()
-                    .with_safe_defaults()
                    .with_root_certificates(root_certs.clone())
                    .with_no_client_auth()
            } else {
                rustls::ClientConfig::builder()
-                    .with_safe_defaults()
                    .with_root_certificates(root_certs.clone())
                    .with_client_auth_cert(load_cert(&conf.tls_cert)?, load_key(&conf.tls_key)?)?
            };
--- a/chirpstack/src/helpers/tls.rs
+++ b/chirpstack/src/helpers/tls.rs
@ -2,48 +2,52 @@ use std::fs::File;
 use std::io::BufReader;

 use anyhow::{Context, Result};
+use rustls::pki_types::{CertificateDer, PrivateKeyDer};

 // Return root certificates, optionally with the provided ca_file appended.
 pub fn get_root_certs(ca_file: Option<String>) -> Result<rustls::RootCertStore> {
    let mut roots = rustls::RootCertStore::empty();
-    let certs = rustls_native_certs::load_native_certs()?;
-    let certs: Vec<_> = certs.into_iter().map(|cert| cert.0).collect();
-    roots.add_parsable_certificates(&certs);
+    for cert in rustls_native_certs::load_native_certs()? {
+        roots.add(cert)?;
+    }

    if let Some(ca_file) = &ca_file {
        let f = File::open(ca_file).context("Open CA certificate")?;
        let mut reader = BufReader::new(f);
-        let certs = rustls_pemfile::certs(&mut reader)?;
-        for cert in certs
-            .into_iter()
-            .map(rustls::Certificate)
-            .collect::<Vec<_>>()
-        {
-            roots.add(&cert)?;
+        let certs = rustls_pemfile::certs(&mut reader);
+        for cert in certs {
+            if let Ok(cert) = cert {
+                roots.add(cert)?;
+            }
        }
    }

    Ok(roots)
 }

-pub fn load_cert(cert_file: &str) -> Result<Vec<rustls::Certificate>> {
+pub fn load_cert(cert_file: &str) -> Result<Vec<CertificateDer<'static>>> {
    let f = File::open(cert_file).context("Open TLS certificate")?;
    let mut reader = BufReader::new(f);
-    let certs = rustls_pemfile::certs(&mut reader)?;
-    let certs = certs
-        .into_iter()
-        .map(rustls::Certificate)
-        .collect::<Vec<_>>();
-    Ok(certs)
+    let certs = rustls_pemfile::certs(&mut reader);
+    let mut out = Vec::new();
+    for cert in certs {
+        out.push(cert?.into_owned());
+    }
+    Ok(out)
 }

-pub fn load_key(key_file: &str) -> Result<rustls::PrivateKey> {
+pub fn load_key(key_file: &str) -> Result<PrivateKeyDer<'static>> {
    let f = File::open(key_file).context("Open private key")?;
    let mut reader = BufReader::new(f);
-    let mut keys = rustls_pemfile::pkcs8_private_keys(&mut reader)?;
-    match keys.len() {
-        0 => Err(anyhow!("No private key found")),
-        1 => Ok(rustls::PrivateKey(keys.remove(0))),
-        _ => Err(anyhow!("More than one private key found")),
+    let mut keys = rustls_pemfile::pkcs8_private_keys(&mut reader);
+    if let Some(key) = keys.next() {
+        match key {
+            Ok(v) => return Ok(PrivateKeyDer::Pkcs8(v.clone_key())),
+            Err(e) => {
+                return Err(anyhow!("Error parsing private key, error: {}", e));
+            }
+        }
    }
+
+    Err(anyhow!("No private key found"))
 }
--- a/chirpstack/src/integration/mqtt.rs
+++ b/chirpstack/src/integration/mqtt.rs
@ -110,12 +110,10 @@ impl<'a> Integration<'a> {

            let client_conf = if conf.tls_cert.is_empty() && conf.tls_key.is_empty() {
                rustls::ClientConfig::builder()
-                    .with_safe_defaults()
                    .with_root_certificates(root_certs.clone())
                    .with_no_client_auth()
            } else {
                rustls::ClientConfig::builder()
-                    .with_safe_defaults()
                    .with_root_certificates(root_certs.clone())
                    .with_client_auth_cert(load_cert(&conf.tls_cert)?, load_key(&conf.tls_key)?)?
            };
--- a/chirpstack/src/integration/postgresql/mod.rs
+++ b/chirpstack/src/integration/postgresql/mod.rs
@ -240,7 +240,6 @@ fn pg_establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgCo
        })
        .map_err(|e| ConnectionError::BadConnection(e.to_string()))?;
        let rustls_config = rustls::ClientConfig::builder()
-            .with_safe_defaults()
            .with_root_certificates(root_certs)
            .with_no_client_auth();
        let tls = tokio_postgres_rustls::MakeRustlsConnect::new(rustls_config);
--- a/chirpstack/src/storage/mod.rs
+++ b/chirpstack/src/storage/mod.rs
@ -167,7 +167,6 @@ fn pg_establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgCo
        })
        .map_err(|e| ConnectionError::BadConnection(e.to_string()))?;
        let rustls_config = rustls::ClientConfig::builder()
-            .with_safe_defaults()
            .with_root_certificates(root_certs)
            .with_no_client_auth();
        let tls = tokio_postgres_rustls::MakeRustlsConnect::new(rustls_config);