diff --git a/Cargo.toml b/Cargo.toml
index b583ec1..6ce08cb 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -43,7 +43,7 @@ required-features = ["test-util"]
 debug = true
 [features]
-default = ["lz4", "tls"]
+default = ["lz4"]
 test-util = ["hyper/server"]
 inserter = ["dep:quanta"]
@@ -51,7 +51,8 @@ watch = ["dep:sha-1", "dep:serde_json", "serde/derive"]
 uuid = ["dep:uuid"]
 time = ["dep:time"]
 lz4 = ["dep:lz4", "dep:clickhouse-rs-cityhash-sys"]
-tls = ["dep:hyper-tls"]
+native-tls = ["dep:hyper-tls"]
+rustls-tls = ["dep:hyper-rustls"]
 [dependencies]
 clickhouse-derive = { version = "0.1.1", path = "derive" }
@@ -64,6 +65,7 @@ http-body-util = "0.1.2"
 hyper = "1.4"
 hyper-util = { version = "0.1.6", features = ["client-legacy", "http1"] }
 hyper-tls = { version = "0.6.0", optional = true }
+hyper-rustls = { version = "0.27.2", features = ["webpki-roots"], optional = true }
 url = "2.1.1"
 futures = "0.3.5"
 futures-channel = "0.3.30"
diff --git a/README.md b/README.md
index db2ecec..479fe45 100644
--- a/README.md
+++ b/README.md
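Review bot: Renaming `tls` to `native-tls` (second Cargo.toml hunk) and dropping it from `default` (first hunk) breaks existing consumers in two ways the manifest does not soften: a dependency line with `features = ["tls"]` stops resolving, and a crate relying on default features keeps building but can no longer reach `https://` URLs. The second case presumably only surfaces when a request is made, and the quickest workaround at that point is switching the URL to plain `http://`, which puts credentials and query data on the wire unencrypted. Consider keeping a deprecated alias in the feature table, `tls = ["native-tls"]`, and calling out the default change in the changelog together with a semver-appropriate version bump.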
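Review bot: Hard-wiring `features = ["webpki-roots"]` on the new `hyper-rustls` dependency (third Cargo.toml hunk) means a `rustls-tls` build trusts only the CA bundle compiled into the binary, not the operating system trust store. A ClickHouse server whose certificate chains to an internal or corporate CA will fail verification under this feature with no supported way to add the root, and the bundled roots only change when the dependency is updated. Document this next to the feature, e.g. `# rustls-tls trusts the bundled webpki-roots only; use native-tls for roots from the OS trust store`, or expose a second feature that loads the platform roots, so users are not pushed towards disabling verification or falling back to plain HTTP.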
@@ -217,13 +217,18 @@ See [examples](https://github.com/loyd/clickhouse.rs/tree/master/examples).
 ## Feature Flags
 * `lz4` (enabled by default) — enables `Compression::Lz4` and `Compression::Lz4Hc(_)` variants. If enabled, `Compression::Lz4` is used by default for all queries except for `WATCH`.
-* `tls` (enabled by default) — supports urls with the `HTTPS` schema.
+* `native-tls` — supports urls with the `HTTPS` schema via `hyper-tls`, which links against OpenSSL.
+* `rustls-tls` — supports urls with the `HTTPS` schema via `hyper-rustls`, which does not link against OpenSSL.
 * `inserter` — enables `client.inserter()`.
 * `test-util` — adds mocks. See [the example](https://github.com/loyd/clickhouse.rs/tree/master/examples/mock.rs). Use it only in `dev-dependencies`.
 * `watch` — enables `client.watch` functionality. See the corresponding section for details.
 * `uuid` — adds `serde::uuid` to work with [uuid](https://docs.rs/uuid) crate.
 * `time` — adds `serde::time` to work with [time](https://docs.rs/time) crate.
+> **NOTE**:
+> When connecting to ClickHouse via an `HTTPS` url, you must enable either the `native-tls` or `rustls-tls` features.
+> If both are enabled, the `rustls-tls` feature will take precedence.
+
 ## Data Types
 * `(U)Int(8|16|32|64|128)` maps to/from corresponding `(u|i)(8|16|32|64|128)` types or newtypes around them.
 * `(U)Int256` aren't supported directly, but there is [a workaround for it](https://github.com/loyd/clickhouse.rs/issues/48).
diff --git a/src/lib.rs b/src/lib.rs
index f35e33e..02e4a5b 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -69,11 +69,18 @@ impl Default for Client {
 // TODO: make configurable in `Client::builder()`.
 connector.set_keepalive(Some(TCP_KEEPALIVE));
- #[cfg(feature = "tls")]
- let connector = HttpsConnector::new_with_connector({
- connector.enforce_http(false);
- connector
- });
+ #[cfg(any(feature = "native-tls", feature = "rustls-tls"))]
+ connector.enforce_http(false);
+
+ #[cfg(all(feature = "native-tls", not(feature = "rustls-tls")))]
+ let connector = hyper_tls::HttpsConnector::new_with_connector(connector);
+
+ #[cfg(feature = "rustls-tls")]
+ let connector = hyper_rustls::HttpsConnectorBuilder::new()
+ .with_webpki_roots()
+ .https_or_http()
+ .enable_http1()
+ .wrap_connector(connector);
 let client = HyperClient::builder(TokioExecutor::new())
 .pool_idle_timeout(POOL_IDLE_TIMEOUT)
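Review bot: The `rustls-tls` branch builds its TLS configuration inside `Default::default()` through `.with_webpki_roots()`, which leaves the choice of crypto provider to rustls. As far as I know, when a downstream dependency graph enables both rustls backends (ring and aws-lc-rs) and no process-wide provider has been installed, that implicit selection panics, so `Client::default()` would abort rather than surface an error. Pinning the provider explicitly would make this deterministic; hyper-rustls offers a provider-taking variant, `with_provider_and_webpki_roots`, if I recall the 0.27 API correctly. Separately, a short comment above the two `#[cfg]` connector bindings would record the precedence rule in the code, e.g. `// rustls-tls wins when both TLS features are enabled; hyper-tls is then compiled but unused`. The `impl Default for Client` body starts and ends outside this hunk.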