all: Install rustls aws_lc_rs as default crypto provider

With alloy 2.0.0 pulling in rustls with aws_lc_rs and object_store
(via reqwest) pulling in rustls with ring, rustls 0.23 refuses to
auto-pick and panics on first TLS use. Install aws_lc_rs explicitly
at each binary/test-harness entry point via a shared helper.

Author: incrypto32

Cargo.lock

@@ -37,6 +37,11 @@ license = "MIT OR Apache-2.0"
 [workspace.dependencies]
 alloy = { version = "2.0.0", features = ["dyn-abi", "json-abi", "full", "arbitrary", "json-rpc", "serde"] }
 alloy-rpc-types = "2.0.0"
+# rustls is pulled in transitively by alloy (aws_lc_rs) and object_store via
+# reqwest (ring). With both providers linked, rustls 0.23 requires an explicit
+# default provider to be installed before any TLS use. We install aws_lc_rs
+# explicitly in each binary/test entry point.
+rustls = { version = "0.23", default-features = false, features = ["aws_lc_rs"] }
 anyhow = "1.0"
 async-graphql = { version = "7.2.1", features = ["chrono"] }
 async-graphql-axum = "7.2.1"

Cargo.toml

@@ -224,6 +224,7 @@ fn run_indexer(args: Vec<OsString>) -> Result<()> {
 
 #[tokio::main]
 async fn main() -> Result<()> {
+    graph::tls::install_default_crypto_provider();
     unsafe {
         std::env::set_var("ETHEREUM_REORG_THRESHOLD", "10");
         std::env::set_var("GRAPH_NODE_DISABLE_DEPLOYMENT_HASH_VALIDATION", "true");

gnd/src/main.rs

@@ -27,6 +27,7 @@ chrono = "0.4.44"
 envconfig = { workspace = true }
 Inflector = "0.11.3"
 reqwest = { version = "0.12.23", features = ["json", "stream", "multipart", "gzip", "brotli", "deflate"] }
+rustls = { workspace = true }
 hex = "0.4.3"
 http0 = { version = "0", package = "http" }
 http = "1"

graph/Cargo.toml

@@ -33,6 +33,8 @@ pub mod env;
 
 pub mod ipfs;
 
+pub mod tls;
+
 pub mod abi;
 
 pub mod amp;

graph/src/lib.rs

@@ -0,0 +1,12 @@
+//! Process-wide TLS crypto provider setup.
+//!
+//! Our deps pull in `rustls` with both `aws_lc_rs` (via alloy) and `ring`
+//! (via object_store/reqwest). With multiple providers linked, `rustls`
+//! 0.23 panics on first TLS use unless a default is installed explicitly.
+//! Must be called once per process before any TLS connection is built.
+
+/// Install `aws_lc_rs` as the process-wide default `rustls` crypto provider.
+/// Idempotent: later calls are no-ops.
+pub fn install_default_crypto_provider() {
+    let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+}

graph/src/tls.rs

@@ -1133,6 +1133,7 @@ impl Context {
 
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
+    graph::tls::install_default_crypto_provider();
     // Disable load management for graphman commands
     unsafe {
         env::set_var("GRAPH_LOAD_THRESHOLD", "0");

node/src/bin/manager.rs

@@ -15,6 +15,7 @@ lazy_static! {
 }
 
 fn main() {
+    graph::tls::install_default_crypto_provider();
     tokio::runtime::Builder::new_multi_thread()
         .enable_all()
         .max_blocking_threads(*MAX_BLOCKING_THREADS)

node/src/main.rs

@@ -619,6 +619,7 @@ pub fn all_shards() -> Vec<Shard> {
 }
 
 fn build_store() -> (Arc<Store>, ConnectionPool, Config, Arc<SubscriptionManager>) {
+    graph::tls::install_default_crypto_provider();
     let mut opt = Opt::default();
     let url = std::env::var_os("THEGRAPH_STORE_POSTGRES_DIESEL_URL").filter(|s| !s.is_empty());
     let file = std::env::var_os("GRAPH_NODE_TEST_CONFIG").filter(|s| !s.is_empty());

store/test-store/src/store.rs

@@ -365,6 +365,7 @@ fn test_logger(test_name: &str) -> Logger {
 
 #[allow(clippy::await_holding_lock)]
 pub async fn stores(test_name: &str, store_config_path: &str) -> Stores {
+    graph::tls::install_default_crypto_provider();
     let _mutex_guard = STORE_MUTEX.lock().unwrap();
 
     let config = {