diff --git a/crates/nocontrol/src/control_plane/backing_store/postgres.rs b/crates/nocontrol/src/control_plane/backing_store/postgres.rs
index be2cd6b..e2a727a 100644
--- a/crates/nocontrol/src/control_plane/backing_store/postgres.rs
+++ b/crates/nocontrol/src/control_plane/backing_store/postgres.rs
@@ -114,7 +114,28 @@ impl BackingStorePostgres {
 .context("failed to add root certificate")?;
 }
- let tls_config = rustls::ClientConfig::builder()
+ let provider = rustls::crypto::CryptoProvider::get_default()
+ .cloned()
+ .unwrap_or_else(|| {
+ #[cfg(feature = "postgres-tls-aws-lc-rs")]
+ {
+ std::sync::Arc::new(rustls::crypto::aws_lc_rs::default_provider())
+ }
+ #[cfg(all(feature = "postgres-tls-ring", not(feature = "postgres-tls-aws-lc-rs")))]
+ {
+ std::sync::Arc::new(rustls::crypto::ring::default_provider())
+ }
+ #[cfg(not(any(feature = "postgres-tls-ring", feature = "postgres-tls-aws-lc-rs")))]
+ {
+ compile_error!(
+ "enable either `postgres-tls-ring` or `postgres-tls-aws-lc-rs` feature"
+ );
+ }
+ });
+
+ let tls_config = rustls::ClientConfig::builder_with_provider(provider)
+ .with_safe_default_protocol_versions()
+ .context("failed to configure TLS protocol versions")?
 .with_root_certificates(root_store)
 .with_no_client_auth();
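Review bot: The provider selection at `CryptoProvider::get_default().cloned().unwrap_or_else(...)` has an undocumented precedence: a provider already installed process-wide always wins, and the `postgres-tls-*` features only choose the fallback, with aws-lc-rs taking priority when both are enabled. Anyone who picks a backend deliberately for compliance or audit reasons cannot see from this code which one actually terminates the Postgres TLS session. I would add a comment above `let provider`, such as `// Provider precedence: process-wide default (if installed) > aws-lc-rs > ring; the features only select the fallback.` As a smaller style point, the `compile_error!` in the closure's last `#[cfg]` block would read more cleanly as a module-level `#[cfg(not(any(...)))] compile_error!(...)`, so a misconfigured build reports only that message. The enclosing function starts and ends outside this hunk, so whether this path is reachable when TLS is not requested cannot be judged from here.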