diff --git a/core/http/Cargo.toml b/core/http/Cargo.toml
index 5ad3bfd4..3e954245 100644
--- a/core/http/Cargo.toml
+++ b/core/http/Cargo.toml
@@ -30,8 +30,8 @@ percent-encoding = "2"
 http = "0.2"
 time = { version = "0.3", features = ["formatting", "macros"] }
 indexmap = { version = "1.5.2", features = ["std"] }
-rustls = { version = "0.20", optional = true }
-tokio-rustls = { version = "0.23.4", optional = true }
+rustls = { version = "0.21", optional = true }
+tokio-rustls = { version = "0.24", optional = true }
 rustls-pemfile = { version = "1.0.2", optional = true }
 tokio = { version = "1.6.1", features = ["net", "sync", "time"] }
 log = "0.4"
diff --git a/core/http/src/tls/listener.rs b/core/http/src/tls/listener.rs
index 1dbd6769..f8263c6f 100644
--- a/core/http/src/tls/listener.rs
+++ b/core/http/src/tls/listener.rs
@@ -86,11 +86,11 @@ impl TlsListener {
 
         let client_auth = match c.ca_certs {
             Some(ref mut ca_certs) => match load_ca_certs(ca_certs) {
-                Ok(ca_roots) if c.mandatory_mtls => AllowAnyAuthenticatedClient::new(ca_roots),
-                Ok(ca_roots) => AllowAnyAnonymousOrAuthenticatedClient::new(ca_roots),
+                Ok(ca) if c.mandatory_mtls => AllowAnyAuthenticatedClient::new(ca).boxed(),
+                Ok(ca) => AllowAnyAnonymousOrAuthenticatedClient::new(ca).boxed(),
                 Err(e) => return Err(io::Error::new(e.kind(), format!("bad CA cert(s): {}", e))),
             },
-            None => NoClientAuth::new(),
+            None => NoClientAuth::boxed(),
         };
 
         let mut tls_config = ServerConfig::builder()