
Module client_tls

Client-facing TLS termination.

The proxy can terminate TLS from PostgreSQL clients: it answers the client's 8-byte SSLRequest packet with a single S byte, runs a rustls server handshake over the same TCP socket, and then speaks the PostgreSQL wire protocol over the encrypted stream. Only those two plaintext exchanges (the SSLRequest and the one-byte reply) happen before the handshake; every byte the client sends after the S belongs to the TLS ClientHello and must be consumed by rustls, not by protocol code. Optionally the handshake also requires and verifies a client certificate (mTLS).
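The pre-TLS exchange described above, written out as an added example. This is not the module's own code: it uses only the standard library, stops at the point where the real proxy would hand the socket to the rustls server handshake, and replaces the TcpStream with a constructed in-memory FakeSocket. The names TlsPolicy, Negotiation, negotiate and classify_first_packet are assumptions made for the example; the packet codes and framing are those of the PostgreSQL protocol.

```rust
use std::io::{self, Read, Write};

/// Code in the 8-byte SSLRequest packet: 1234 << 16 | 5679.
pub const SSL_REQUEST_CODE: u32 = 0x04D2_162F;
/// Code in the 8-byte GSSENCRequest packet: 1234 << 16 | 5680.
pub const GSSENC_REQUEST_CODE: u32 = 0x04D2_1630;
/// Code in the 16-byte CancelRequest packet: 1234 << 16 | 5678.
pub const CANCEL_REQUEST_CODE: u32 = 0x04D2_162E;

/// What the first 8 bytes of a startup-phase packet turned out to be.
#[derive(Debug, PartialEq, Eq)]
pub enum FirstPacket {
    SslRequest,
    GssEncRequest,
    CancelRequest,
    /// Plaintext StartupMessage: `len` is the whole message length, protocol 3.`minor`.
    Startup { len: u32, minor: u16 },
}

/// Classify a startup-phase packet from its header. All of them share the same
/// framing: big-endian i32 length (including itself) followed by an i32 code.
pub fn classify_first_packet(header: &[u8; 8]) -> io::Result<FirstPacket> {
    let len = u32::from_be_bytes(header[0..4].try_into().unwrap());
    let code = u32::from_be_bytes(header[4..8].try_into().unwrap());
    match (len, code) {
        (8, SSL_REQUEST_CODE) => Ok(FirstPacket::SslRequest),
        (8, GSSENC_REQUEST_CODE) => Ok(FirstPacket::GssEncRequest),
        (16, CANCEL_REQUEST_CODE) => Ok(FirstPacket::CancelRequest),
        // A StartupMessage announces protocol major version 3 and carries parameters.
        (l, c) if l > 8 && c >> 16 == 3 => Ok(FirstPacket::Startup { len: l, minor: (c & 0xffff) as u16 }),
        _ => Err(io::Error::new(io::ErrorKind::InvalidData, "not a PostgreSQL startup packet")),
    }
}

/// Client-facing TLS policy (assumed for the example, not a config key of the proxy).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TlsPolicy {
    /// No acceptor: always answer N.
    Disabled,
    /// Answer S when asked, but also accept a plaintext StartupMessage.
    Optional,
    /// Answer S when asked, and refuse a plaintext StartupMessage.
    Required,
}

/// Outcome of the exchange, i.e. what the session loop must do next.
#[derive(Debug, PartialEq, Eq)]
pub enum Negotiation {
    /// S was sent; hand the socket, with nothing else read from it, to the TLS handshake.
    StartTls,
    /// Continue in plaintext; these 8 bytes are the start of the StartupMessage.
    Plaintext { startup_header: [u8; 8] },
    /// CancelRequest header; cancel requests never use TLS.
    Cancel { header: [u8; 8] },
}

/// Run the SSLRequest exchange on `sock`. Reads exactly 8 bytes per packet and no
/// more, so any bytes after our S reply are left for the TLS library. A client may
/// send GSSENCRequest, then SSLRequest, then a StartupMessage; each is allowed once.
pub fn negotiate<S: Read + Write>(sock: &mut S, policy: TlsPolicy) -> io::Result<Negotiation> {
    let (mut seen_ssl, mut seen_gss) = (false, false);
    loop {
        let mut header = [0u8; 8];
        sock.read_exact(&mut header)?;
        match classify_first_packet(&header)? {
            FirstPacket::GssEncRequest if !seen_gss => {
                seen_gss = true;
                sock.write_all(b"N")?; // GSSAPI encryption is not offered
            }
            FirstPacket::SslRequest if !seen_ssl => {
                seen_ssl = true;
                if policy == TlsPolicy::Disabled {
                    sock.write_all(b"N")?;
                } else {
                    sock.write_all(b"S")?;
                    sock.flush()?;
                    return Ok(Negotiation::StartTls);
                }
            }
            FirstPacket::Startup { .. } if policy == TlsPolicy::Required => {
                return Err(io::Error::new(io::ErrorKind::PermissionDenied, "TLS required, plaintext startup refused"));
            }
            FirstPacket::Startup { .. } => return Ok(Negotiation::Plaintext { startup_header: header }),
            FirstPacket::CancelRequest => return Ok(Negotiation::Cancel { header }),
            // A second SSLRequest or GSSENCRequest on the same connection is a protocol violation.
            _ => return Err(io::Error::new(io::ErrorKind::InvalidData, "repeated encryption request")),
        }
    }
}

/// Constructed stand-in for a TcpStream: client bytes come from `inbound`, our replies land in `outbound`.
pub struct FakeSocket { inbound: io::Cursor<Vec<u8>>, pub outbound: Vec<u8> }
impl FakeSocket {
    pub fn new(client_bytes: &[u8]) -> Self { FakeSocket { inbound: io::Cursor::new(client_bytes.to_vec()), outbound: Vec::new() } }
}
impl Read for FakeSocket { fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { self.inbound.read(buf) } }
impl Write for FakeSocket {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> { self.outbound.write(buf) }
    fn flush(&mut self) -> io::Result<()> { Ok(()) }
}

/// Encode an SSLRequest exactly as a client sends it.
pub fn ssl_request() -> [u8; 8] {
    let mut p = [0u8; 8];
    p[0..4].copy_from_slice(&8u32.to_be_bytes());
    p[4..8].copy_from_slice(&SSL_REQUEST_CODE.to_be_bytes());
    p
}

/// Encode the header of a protocol-3.0 StartupMessage of `len` bytes in total.
pub fn startup_header(len: u32) -> [u8; 8] {
    let mut p = [0u8; 8];
    p[0..4].copy_from_slice(&len.to_be_bytes());
    p[4..8].copy_from_slice(&0x0003_0000u32.to_be_bytes());
    p
}

fn main() {
    let mut sock = FakeSocket::new(&ssl_request());
    let outcome = negotiate(&mut sock, TlsPolicy::Required).unwrap();
    println!("{:?}; proxy replied {:?}", outcome, String::from_utf8_lossy(&sock.outbound));
}
```

The point of keeping the reads at exactly 8 bytes is that a proxy which buffers ahead would swallow the start of the ClientHello, or worse, let a client smuggle bytes past the handshake; with Required the StartupMessage arm also closes the obvious downgrade, where a client simply never asks for TLS.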

Backend connections are unaffected: they stay plain TcpStream, or use the separate backend TLS support in backend::tls. This module covers only the client-facing side.

Enums

ClientStream
A client connection that may or may not be TLS-wrapped. Implements AsyncRead/AsyncWrite by delegating to the active variant, so the whole session loop can be written against one stream type regardless of whether the client negotiated TLS.

Functions

build_tls_acceptor
Build a TlsAcceptor from the proxy's [tls] config: load the server certificate chain and private key (PEM) and, when require_client_cert is set, a client-certificate verifier rooted at ca_path (mTLS). Without require_client_cert the acceptor authenticates only the proxy to the client; any client that can reach the port can complete the handshake, so client identity must then come from the protocol-level authentication that follows.