The migration from synchronous diesel (r2d2 + PgConnection) to
diesel-async (deadpool + AsyncPgConnection) in the "Make the store
async" change inadvertently broke TLS support for the database
connection pool.

The old code used diesel::r2d2::ConnectionManager<PgConnection> which
is backed by libpq (via pq-sys). libpq defaults to sslmode=prefer,
meaning it transparently negotiates TLS with the server when available.

The new code uses diesel_async::AsyncPgConnection::establish() which
internally calls tokio_postgres::connect() with tokio_postgres::NoTls,
meaning TLS is never negotiated regardless of the sslmode parameter in
the connection URL. This breaks connections to any PostgreSQL server
that requires encrypted connections via pg_hba.conf.

Fix this by replacing AsyncPgConnection::establish() with a manual
tokio_postgres::connect() call using postgres-openssl as the TLS
connector (with SslVerifyMode::NONE to match libpq's default prefer
behavior), then constructing the AsyncPgConnection via
try_from_client_and_connection(). This restores the pre-v0.42.0
behavior where connections are encrypted by default.

Note: tokio-postgres does not support sslmode=verify-ca or
sslmode=verify-full in its URL parser — only disable, prefer, and
require are recognized. Certificate verification would require
upstream changes to tokio-postgres.

The openssl and postgres-openssl crates were already dependencies of
graph-store-postgres (used by the notification listener). Only
tokio-postgres was added as a new direct dependency.