diff --git a/Cargo.lock b/Cargo.lock
index fdb994a..20ad0fc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2246,9 +2246,9 @@ dependencies = [
 
 [[package]]
 name = "once_cell"
-version = "1.10.0"
+version = "1.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87f3e037eac156d1775da914196f0f37741a274155e34a0b7e427c35d2a2ecb9"
+checksum = "18a6dbe30758c9f83eb00cbea4ac95966305f5a7772f3f42ebfc7fc7eddbd8e1"
 
 [[package]]
 name = "opaque-debug"
@@ -4503,9 +4503,11 @@ dependencies = [
  "bytes",
  "delegate",
  "mysql_common",
+ "once_cell",
  "password-hash 0.2.3",
  "rand",
  "rustls",
+ "rustls-native-certs",
  "rustls-pemfile",
  "sha1",
  "thiserror",
@@ -4518,7 +4520,6 @@ dependencies = [
  "warpgate-database-protocols",
  "warpgate-db-entities",
  "webpki",
- "webpki-roots",
 ]
 
 [[package]]
@@ -4653,15 +4654,6 @@ dependencies = [
  "untrusted",
 ]
 
-[[package]]
-name = "webpki-roots"
-version = "0.22.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1c760f0d366a6c24a02ed7816e23e691f5d92291f94d15e836006fd11b04daf"
-dependencies = [
- "webpki",
-]
-
 [[package]]
 name = "wepoll-ffi"
 version = "0.1.2"
diff --git a/warpgate-common/src/config.rs b/warpgate-common/src/config.rs
index 6a03d83..d87ba87 100644
--- a/warpgate-common/src/config.rs
+++ b/warpgate-common/src/config.rs
@@ -106,22 +106,17 @@ pub struct TargetHTTPOptions {
     pub headers: Option>,
 }
 
-#[derive(Debug, Deserialize, Serialize, Clone, Enum, PartialEq, Eq)]
+#[derive(Debug, Deserialize, Serialize, Clone, Enum, PartialEq, Eq, Default)]
 pub enum TlsMode {
     #[serde(rename = "disabled")]
     Disabled,
     #[serde(rename = "preferred")]
+    #[default]
     Preferred,
     #[serde(rename = "required")]
     Required,
 }
 
-impl Default for TlsMode {
-    fn default() -> Self {
-        TlsMode::Preferred
-    }
-}
-
 #[derive(Debug, Deserialize, Serialize, Clone, Object)]
 pub struct Tls {
     #[serde(default)]
diff --git a/warpgate-protocol-mysql/Cargo.toml b/warpgate-protocol-mysql/Cargo.toml
index 01c5837..86576cb 100644
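Review bot: The `#[default]` attribute on the `Preferred` variant makes `#[derive(Default)]` for enums a hard requirement of Rust 1.62 or newer, and nothing in the change bumps a toolchain or `rust-version` to match; if the workspace pins an older MSRV the build now fails at this line. Either raise `rust-version` in the same commit or, if the MSRV must stay lower, keep the manual `impl Default for TlsMode` that this hunk removes. The change is otherwise behavior-preserving: `Preferred` remains the default mode.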
--- a/warpgate-protocol-mysql/Cargo.toml
+++ b/warpgate-protocol-mysql/Cargo.toml
@@ -25,4 +25,5 @@ rustls-pemfile = "1.0"
 tokio-rustls = "0.23"
 thiserror = "1.0"
 webpki = "0.22"
-webpki-roots = "0.22"
+once_cell = "1.13"
+rustls-native-certs = "0.6"
diff --git a/warpgate-protocol-mysql/src/tls/mod.rs b/warpgate-protocol-mysql/src/tls/mod.rs
index 2f857d3..ecd2b13 100644
--- a/warpgate-protocol-mysql/src/tls/mod.rs
+++ b/warpgate-protocol-mysql/src/tls/mod.rs
@@ -1,5 +1,7 @@
 mod maybe_tls_stream;
 mod rustls_helpers;
+mod rustls_root_certs;
 
 pub use maybe_tls_stream::{MaybeTlsStream, MaybeTlsStreamError, UpgradableStream};
 pub use rustls_helpers::{configure_tls_connector, FromCertificateAndKey, RustlsSetupError};
+pub use rustls_root_certs::ROOT_CERT_STORE;
diff --git a/warpgate-protocol-mysql/src/tls/rustls_helpers.rs b/warpgate-protocol-mysql/src/tls/rustls_helpers.rs
index cb1bb51..3c086b5 100644
--- a/warpgate-protocol-mysql/src/tls/rustls_helpers.rs
+++ b/warpgate-protocol-mysql/src/tls/rustls_helpers.rs
@@ -6,10 +6,12 @@ use rustls::client::{ServerCertVerified, ServerCertVerifier, WebPkiVerifier};
 use rustls::server::{ClientHello, NoClientAuth, ResolvesServerCert};
 use rustls::sign::CertifiedKey;
 use rustls::{
-    Certificate, ClientConfig, Error as TlsError, OwnedTrustAnchor, PrivateKey, RootCertStore,
+    Certificate, ClientConfig, Error as TlsError, PrivateKey, ServerConfig, ServerName,
 };
 
+use super::ROOT_CERT_STORE;
+
 #[derive(thiserror::Error, Debug)]
 pub enum RustlsSetupError {
     #[error("rustls")]
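Review bot: Swapping `webpki-roots` for `rustls-native-certs` changes where outbound MySQL TLS gets its trust anchors — from the Mozilla root set compiled into the binary to whatever the host trust store contains — and that trust-policy change is not recorded anywhere in the commit. On minimal or scratch container images with no CA bundle installed, the native loader can yield an empty store or an error, so every TLS connection to a target then fails with an unknown-issuer error where the bundled roots used to work; conversely, roots an operator installs in the OS store are now honored without a config change. A line in the crate README or the deployment docs stating that the image must ship a CA bundle, and that the store is read once per process, would prevent surprises at upgrade time.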
@@ -92,14 +94,7 @@ pub async fn configure_tls_connector(
             .with_custom_certificate_verifier(Arc::new(DummyTlsVerifier))
             .with_no_client_auth()
     } else {
-        let mut cert_store = RootCertStore::empty();
-        cert_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
-            OwnedTrustAnchor::from_subject_spki_name_constraints(
-                ta.subject,
-                ta.spki,
-                ta.name_constraints,
-            )
-        }));
+        let mut cert_store = ROOT_CERT_STORE.clone();
 
         if let Some(data) = root_cert {
             let mut cursor = Cursor::new(data);
diff --git a/warpgate-protocol-mysql/src/tls/rustls_root_certs.rs b/warpgate-protocol-mysql/src/tls/rustls_root_certs.rs
new file mode 100644
index 0000000..d9793a0
--- /dev/null
+++ b/warpgate-protocol-mysql/src/tls/rustls_root_certs.rs
@@ -0,0 +1,10 @@
+use once_cell::sync::Lazy;
+use rustls::RootCertStore;
+
+pub static ROOT_CERT_STORE: Lazy = Lazy::new(|| {
+    let mut roots = RootCertStore::empty();
+    for cert in rustls_native_certs::load_native_certs().expect("could not load root TLS certificates") {
+        roots.add(&rustls::Certificate(cert.0)).unwrap();
+    }
+    return roots;
+});
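Review bot: `let mut cert_store = ROOT_CERT_STORE.clone();` is the first access of the lazy static, so if the host trust store cannot be read, the `expect` inside its initializer panics here, in the middle of a connection attempt, rather than at process start; forcing the store during service startup (`Lazy::force(&ROOT_CERT_STORE);`) surfaces a broken deployment immediately and keeps that panic out of the per-connection path. The clone also copies every trust anchor for each connector built; presumably the store is later handed to `with_root_certificates`, which takes it by value, so the copy is unavoidable with that API, but it deserves a comment such as `// cloned per connector: the ClientConfig builder takes the store by value and target-specific roots are appended below`. `configure_tls_connector` begins and ends outside this hunk.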
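Review bot: `roots.add(&rustls::Certificate(cert.0)).unwrap()` panics on the first certificate in the host store that webpki refuses to parse, and native stores routinely contain a few such entries, so a single odd root on the machine disables MySQL TLS for the whole process (a `Lazy` whose initializer panicked re-panics on every later access). rustls's `RootCertStore::add_parsable_certificates` exists for exactly this case: it adds whatever parses and returns the `(added, ignored)` counts, which should be logged rather than turned into a panic; the rewrite below does that and replaces the trailing `return roots;` with a plain tail expression. The type parameter of `Lazy` appears to have been lost in rendering here (presumably `Lazy<RootCertStore>`). A `///` doc comment saying that the store is read from the host trust store once per process and shared by every MySQL connector would also help the next reader.
```rust
pub static ROOT_CERT_STORE: Lazy<RootCertStore> = Lazy::new(|| {
    let mut roots = RootCertStore::empty();
    let certs: Vec<Vec<u8>> = rustls_native_certs::load_native_certs()
        .expect("could not load root TLS certificates")
        .into_iter()
        .map(|cert| cert.0)
        .collect();
    // Best effort: host stores commonly carry a few roots webpki rejects;
    // skipping them is preferable to panicking on the first TLS connection.
    let (_added, _ignored) = roots.add_parsable_certificates(&certs);
    // … report `_added` / `_ignored` through the crate's logging facility …
    roots
});
```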