Commit 2eaf118
[rust] Switch reqwest TLS backend from aws-lc-rs to ring (#17589)
* [rust] Switch reqwest TLS from aws-lc-rs to ring crypto backend

The default reqwest `rustls` feature pulls in aws-lc-rs → aws-lc-sys, a C
library that requires compiler-rt builtins and system frameworks (e.g.
CoreServices on macOS) that are not available in the hermetic LLVM sysroot.
The `ring` crate is pure Rust + lightweight C with no external system library
dependencies, making it compatible with hermetic build toolchains.

Changes:
- reqwest: switch feature from `rustls` to `rustls-no-provider`, which wires
  up the full rustls stack (including rustls-platform-verifier for cert
  verification) but does not force any crypto backend.
- Add direct `rustls` dependency with `ring` feature so ring is the only
  crypto provider compiled into the binary.
- Install ring as the process-default TLS provider at the start of main()
  (required when using `rustls-no-provider`; rustls 0.23 needs an explicit
  provider before ClientConfig::builder() is called).
- Cargo.lock: aws-lc-rs and aws-lc-sys are removed; ring and its lightweight
  deps remain.

* [rust] Install ring TLS provider in create_http_client, not main

Installing the provider only in main() meant unit tests (which never
call main) would panic when creating an HTTP client. Moving the install
into create_http_client — the single entry point for all reqwest Client
construction — ensures the provider is present in every code path
including tests. install_default() returns Err if already installed,
so the let _ = pattern makes repeated calls safe.

1 parent fac1942 commit 2eaf118
3 files changed
Lines changed: 99 additions & 131 deletions
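
A lockfile check for the Cargo.lock outcome the commit message describes, added here as an example and not part of the commit: it parses `[[package]]` entries and fails if aws-lc-rs or aws-lc-sys is locked or ring is absent. The function names, the `FORBIDDEN`/`REQUIRED` lists and the sample lockfile excerpts are assumptions constructed for illustration.

```rust
// Added example, not code from the commit. The crate lists are assumptions
// taken from the commit message's description of the Cargo.lock change.
const FORBIDDEN: [&str; 2] = ["aws-lc-rs", "aws-lc-sys"];
const REQUIRED: [&str; 1] = ["ring"];

/// Names of all `[[package]]` entries in Cargo.lock text.
fn locked_packages(lock: &str) -> Vec<String> {
    let mut names = Vec::new();
    let mut in_package = false;
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            in_package = line == "[[package]]"; // ignore [metadata] and similar tables
        } else if in_package {
            if let Some(rest) = line.strip_prefix("name = ") {
                names.push(rest.trim_matches('"').to_string());
            }
        }
    }
    names
}

/// Ok(()) if every required crate is locked and no forbidden one is.
fn audit_crypto_backends(lock: &str) -> Result<(), Vec<String>> {
    let pkgs = locked_packages(lock);
    let has = |name: &str| pkgs.iter().any(|p| p.as_str() == name);
    let mut problems = Vec::new();
    for f in FORBIDDEN {
        if has(f) { problems.push(format!("forbidden crate locked: {}", f)); }
    }
    for r in REQUIRED {
        if !has(r) { problems.push(format!("required crate missing: {}", r)); }
    }
    if problems.is_empty() { Ok(()) } else { Err(problems) }
}
// Constructed lockfile excerpts (version/source/checksum keys omitted).
const BEFORE: &str = r#"[[package]]
name = "aws-lc-rs"
dependencies = [
 "aws-lc-sys",
]
[[package]]
name = "aws-lc-sys"
[[package]]
name = "ring"
"#;
const AFTER: &str = "[[package]]\nname = \"ring\"\n[[package]]\nname = \"rustls\"\n";
fn main() {
    println!("before: {:?}\nafter: {:?}", audit_crypto_backends(BEFORE), audit_crypto_backends(AFTER));
}
```

Run against the real Cargo.lock in CI, a check like this catches a later dependency bump that pulls the aws-lc backend back in through a default feature.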