all: Install rustls aws_lc_rs as default crypto provider

With alloy 2.0.0 pulling in rustls with aws_lc_rs and object_store
(via reqwest) pulling in rustls with ring, rustls 0.23 refuses to
auto-pick and panics on first TLS use. Install aws_lc_rs explicitly
at each binary/test-harness entry point via a shared helper.

Author: incrypto32

Cargo.lock

@@ -37,6 +37,11 @@ license = "MIT OR Apache-2.0"
 [workspace.dependencies]
 alloy = { version = "2.0.0", features = ["dyn-abi", "json-abi", "full", "arbitrary", "json-rpc", "serde"] }
 alloy-rpc-types = "2.0.0"
+# rustls is pulled in transitively by alloy (aws_lc_rs) and object_store via
+# reqwest (ring). With both providers linked, rustls 0.23 requires an explicit
+# default provider to be installed before any TLS use. We install aws_lc_rs
+# explicitly in each binary/test entry point.
+rustls = { version = "0.23", default-features = false, features = ["aws_lc_rs"] }
 anyhow = "1.0"
 async-graphql = { version = "7.2.1", features = ["chrono"] }
 async-graphql-axum = "7.2.1"

Cargo.toml

@@ -155,6 +155,7 @@ fn generate_completions(completions_opt: CompletionsOpt) -> Result<()> {
 
 #[tokio::main]
 async fn main() -> Result<()> {
+    graph::tls::install_default_crypto_provider();
     std::env::set_var("ETHEREUM_REORG_THRESHOLD", "10");
     std::env::set_var("GRAPH_NODE_DISABLE_DEPLOYMENT_HASH_VALIDATION", "true");
     env_logger::init();

gnd/src/main.rs

@@ -27,6 +27,7 @@ chrono = "0.4.44"
 envconfig = { workspace = true }
 Inflector = "0.11.3"
 reqwest = { version = "0.12.23", features = ["json", "stream", "multipart", "gzip", "brotli", "deflate"] }
+rustls = { workspace = true }
 hex = "0.4.3"
 http0 = { version = "0", package = "http" }
 http = "1"

graph/Cargo.toml

@@ -33,6 +33,8 @@ pub mod env;
 
 pub mod ipfs;
 
+pub mod tls;
+
 pub mod abi;
 
 pub mod amp;

graph/src/lib.rs

@@ -0,0 +1,59 @@
+//! Process-wide TLS crypto provider setup.
+//!
+//! # Background
+//!
+//! `rustls` 0.23 requires a "crypto provider" (the backend that implements
+//! AES, SHA, ECDSA, RNG, etc.) to be selected before any TLS connection is
+//! built. When exactly one provider feature is compiled in, `rustls` picks
+//! it automatically. When **multiple** providers are linked, `rustls`
+//! refuses to guess and panics on the first TLS use with:
+//!
+//! > no process-level CryptoProvider available --
+//! > call CryptoProvider::install_default() before this point
+//!
+//! # Why we hit this
+//!
+//! Our dependency graph pulls in two providers:
+//!
+//! - `alloy-transport-ws` (alloy 2.0+) enables `rustls`'s `aws_lc_rs` feature.
+//! - `object_store` (via `reqwest`'s `rustls-tls-native-roots`) enables
+//!   `rustls`'s `ring` feature.
+//!
+//! Cargo features are additive, so `rustls` ends up compiled with **both**
+//! `aws_lc_rs` and `ring`. We can't disable either without forking an
+//! upstream crate, so we resolve the ambiguity by explicitly installing
+//! `aws_lc_rs` as the process-wide default at startup.
+//!
+//! # Where to call this
+//!
+//! This must be called **once per process**, as early as possible, before
+//! any code opens a TLS connection. In practice that means:
+//!
+//! - At the top of every binary's `main()` (`graph-node`, `graphman`, `gnd`).
+//! - From a function that every test harness touches before using TLS
+//!   (we hook into `test-store`'s `build_store()` and `graph-tests`'
+//!   `fixture::stores()`).
+//!
+//! Each Rust binary (including each `cargo test` binary) is a separate
+//! process, so every entry point needs its own call. There is no single
+//! "Rust process startup hook" short of pulling in the `ctor` crate.
+//!
+//! # Safety / idempotency
+//!
+//! `install_default` only succeeds on the first call per process. Subsequent
+//! calls return an error, which we deliberately ignore. This makes the
+//! helper safe to call from many places without coordination.
+
+/// Install `aws_lc_rs` as the process-wide default `rustls` crypto provider.
+///
+/// Idempotent: safe to call multiple times per process. Only the first call
+/// actually installs; later calls are no-ops. Must be called before any
+/// TLS connection is built. See the module docs for why this exists.
+pub fn install_default_crypto_provider() {
+    // If a provider is already installed (by an earlier call, or by another
+    // crate), `install_default` returns Err. That's fine -- as long as some
+    // provider is set, `rustls` will not panic. We deliberately do not
+    // require that `aws_lc_rs` specifically wins, only that a default
+    // exists.
+    let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+}

graph/src/tls.rs

@@ -1132,6 +1132,7 @@ impl Context {
 
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
+    graph::tls::install_default_crypto_provider();
     // Disable load management for graphman commands
     env::set_var("GRAPH_LOAD_THRESHOLD", "0");
 

node/src/bin/manager.rs

@@ -15,6 +15,7 @@ lazy_static! {
 }
 
 fn main() {
+    graph::tls::install_default_crypto_provider();
     tokio::runtime::Builder::new_multi_thread()
         .enable_all()
         .max_blocking_threads(*MAX_BLOCKING_THREADS)

node/src/main.rs

@@ -619,6 +619,7 @@ pub fn all_shards() -> Vec<Shard> {
 }
 
 fn build_store() -> (Arc<Store>, ConnectionPool, Config, Arc<SubscriptionManager>) {
+    graph::tls::install_default_crypto_provider();
     let mut opt = Opt::default();
     let url = std::env::var_os("THEGRAPH_STORE_POSTGRES_DIESEL_URL").filter(|s| !s.is_empty());
     let file = std::env::var_os("GRAPH_NODE_TEST_CONFIG").filter(|s| !s.is_empty());

store/test-store/src/store.rs

@@ -365,6 +365,7 @@ fn test_logger(test_name: &str) -> Logger {
 
 #[allow(clippy::await_holding_lock)]
 pub async fn stores(test_name: &str, store_config_path: &str) -> Stores {
+    graph::tls::install_default_crypto_provider();
     let _mutex_guard = STORE_MUTEX.lock().unwrap();
 
     let config = {