From 064d649abdfd1742e5fdcc20176a6b415b9c25d3 Mon Sep 17 00:00:00 2001
From: David Uebler <dsu@posteo.org>
Date: Tue, 23 Sep 2025 14:23:01 +0000
Subject: [PATCH] native tls handshake: build TlsConnector in blocking
 threadpool (#4027)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* build TlsConnector in blocking threadpool

The openssl TlsConnector synchronously loads certificates from files.
Loading these files can block for tens of milliseconds.

* Update sqlx-core/src/net/tls/tls_native_tls.rs

---------

Co-authored-by: David Übler <david.uebler@puzzleyou.de>
Co-authored-by: Austin Bonander <austin.bonander@gmail.com>
---
 sqlx-core/src/net/tls/tls_native_tls.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/sqlx-core/src/net/tls/tls_native_tls.rs b/sqlx-core/src/net/tls/tls_native_tls.rs
index 1c40b4b01..3423e48f8 100644
--- a/sqlx-core/src/net/tls/tls_native_tls.rs
+++ b/sqlx-core/src/net/tls/tls_native_tls.rs
@@ -4,6 +4,7 @@ use crate::io::ReadBuf;
 use crate::net::tls::util::StdSocket;
 use crate::net::tls::TlsConfig;
 use crate::net::Socket;
+use crate::rt;
 use crate::Error;
 
 use native_tls::{HandshakeError, Identity};
@@ -61,7 +62,11 @@ pub async fn handshake<S: Socket>(
         builder.identity(identity);
     }
 
-    let connector = builder.build().map_err(Error::tls)?;
+    // The openssl TlsConnector synchronously loads certificates from files.
+    // Loading these files can block for tens of milliseconds.
+    let connector = rt::spawn_blocking(move || builder.build())
+        .await
+        .map_err(Error::tls)?;
 
     let mut mid_handshake = match connector.connect(config.hostname, StdSocket::new(socket)) {
         Ok(tls_stream) => return Ok(NativeTlsSocket { stream: tls_stream }),