diff --git a/Cargo.lock b/Cargo.lock index 387c739d92..224bd14398 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -194,7 +194,7 @@ dependencies = [ "rand 0.8.5", "regex", "ring", - "rustls-native-certs", + "rustls-native-certs 0.7.3", "rustls-pki-types", "rustls-webpki 0.102.8", "serde", @@ -958,6 +958,16 @@ dependencies = [ "libc", ] +[[package]] +name = "core-foundation" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" version = "0.8.7" @@ -2858,10 +2868,10 @@ dependencies = [ "libc", "log", "openssl", - "openssl-probe", + "openssl-probe 0.1.6", "openssl-sys", "schannel", - "security-framework", + "security-framework 2.11.1", "security-framework-sys", "tempfile", ] @@ -3126,6 +3136,12 @@ version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" +[[package]] +name = "openssl-probe" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" + [[package]] name = "openssl-sys" version = "0.9.109" @@ -4594,6 +4610,7 @@ dependencies = [ "rand 0.8.5", "rivet-envoy-protocol", "rivet-util-serde", + "rustls", "scc", "serde", "serde_bare", 
@@ -5186,11 +5203,23 @@ version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e5bfb394eeed242e909609f56089eecfe5fda225042e8b171791b9c95f5931e5" dependencies = [ - "openssl-probe", + "openssl-probe 0.1.6", "rustls-pemfile", "rustls-pki-types", "schannel", - "security-framework", + "security-framework 2.11.1", +] + +[[package]] +name = "rustls-native-certs" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63" +dependencies = [ + "openssl-probe 0.2.1", + "rustls-pki-types", + "schannel", + "security-framework 3.5.1", ] [[package]] @@ -5376,7 +5405,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" dependencies = [ "bitflags", - "core-foundation", + "core-foundation 0.9.4", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework" +version = "3.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef" +dependencies = [ + "bitflags", + "core-foundation 0.10.1", "core-foundation-sys", "libc", "security-framework-sys", @@ -5994,7 +6036,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b" dependencies = [ "bitflags", - "core-foundation", + "core-foundation 0.9.4", "system-configuration-sys", ] @@ -6373,7 +6415,11 @@ checksum = "7a9daff607c6d2bf6c16fd681ccb7eecc83e4e2cdc1ca067ffaadfca5de7f084" dependencies = [ "futures-util", "log", + "rustls", + "rustls-native-certs 0.8.3", + "rustls-pki-types", "tokio", + "tokio-rustls", "tungstenite", ] @@ -6670,6 +6716,8 @@ dependencies = [ "httparse", "log", "rand 0.9.2", + "rustls", + "rustls-pki-types", "sha1", "thiserror 2.0.12", "utf-8", 
diff --git a/Cargo.toml b/Cargo.toml index 0d51a6f5dc..54ffd8b44f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -135,7 +135,6 @@ members = [ tokio-cron-scheduler = "0.13.0" tokio-native-tls = "0.3.1" tokio-stream = "0.1.15" - tokio-tungstenite = "0.26.0" tokio-util = "0.7" tower = "0.5" tracing = "0.1.40" @@ -177,6 +176,10 @@ members = [ [workspace.dependencies.pest] version = "2.7" + [workspace.dependencies.tokio-tungstenite] + version = "0.26.0" + features = ["rustls-tls-native-roots"] + [workspace.dependencies.rocksdb] version = "0.24" features = [ "multi-threaded-cf" ] @@ -490,9 +493,6 @@ members = [ package = "rivet-util" path = "engine/packages/util" - [workspace.dependencies.rivet-util-serde] - path = "engine/packages/util-serde" - [workspace.dependencies.rivet-util-id] path = "engine/packages/util-id" diff --git a/engine/packages/guard/src/routing/pegboard_gateway/resolve_actor_query.rs b/engine/packages/guard/src/routing/pegboard_gateway/resolve_actor_query.rs index b5b544e869..61b2d3def0 100644 --- a/engine/packages/guard/src/routing/pegboard_gateway/resolve_actor_query.rs +++ b/engine/packages/guard/src/routing/pegboard_gateway/resolve_actor_query.rs @@ -221,9 +221,7 @@ fn serialize_actor_key(key: &[String]) -> Result { continue; } - let escaped = part - .replace('\\', "\\\\") - .replace(KEY_SEPARATOR, "\\/"); + let escaped = part.replace('\\', "\\\\").replace(KEY_SEPARATOR, "\\/"); escaped_parts.push(escaped); } diff --git a/engine/packages/pegboard-envoy/src/conn.rs b/engine/packages/pegboard-envoy/src/conn.rs index 2f8f2bdba9..c1b4bef5c9 100644 --- a/engine/packages/pegboard-envoy/src/conn.rs +++ b/engine/packages/pegboard-envoy/src/conn.rs 
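Review bot: The `features = ["rustls-tls-native-roots"]` entry in the new `[workspace.dependencies.tokio-tungstenite]` table makes every workspace crate that inherits this dependency validate wss:// peers against the OS certificate store read at runtime, and nothing in the manifest records that requirement. On a minimal container image without a CA bundle the native root store would be empty, so TLS connections would be expected to fail rather than fall back to another trust source. I would add a comment above the table such as `# wss:// uses rustls with the OS trust store; runtime images must ship CA certificates`. `tokio-native-tls` stays in the workspace list just above, so the tree now carries two TLS stacks, and it is worth confirming that this is intended.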
@@ -264,7 +264,8 @@ pub async fn handle_init( // Update the pool's protocol version. This is required for serverful pools because normally // the pool's protocol version is updated via the metadata_poller wf but that only runs for // serverless pools. - tx.write( + let ns_tx = tx.with_subspace(namespace::keys::subspace()); + ns_tx.write( &pegboard::keys::runner_config::ProtocolVersionKey::new( namespace_id, pool_name.clone(), diff --git a/engine/packages/pegboard/src/keys/runner_config.rs b/engine/packages/pegboard/src/keys/runner_config.rs index d3490d9fe9..feccad44b5 100644 --- a/engine/packages/pegboard/src/keys/runner_config.rs +++ b/engine/packages/pegboard/src/keys/runner_config.rs @@ -244,9 +244,9 @@ impl TuplePack for ProtocolVersionKey { RUNNER, CONFIG, DATA, - PROTOCOL_VERSION, self.namespace_id, &self.name, + PROTOCOL_VERSION, ); t.pack(w, tuple_depth) } @@ -254,8 +254,8 @@ impl TuplePack for ProtocolVersionKey { impl<'de> TupleUnpack<'de> for ProtocolVersionKey { fn unpack(input: &[u8], tuple_depth: TupleDepth) -> PackResult<(&[u8], Self)> { - let (input, (_, _, _, _, namespace_id, name)) = - <(usize, usize, usize, usize, Id, String)>::unpack(input, tuple_depth)?; + let (input, (_, _, _, namespace_id, name, _)) = + <(usize, usize, usize, Id, String, usize)>::unpack(input, tuple_depth)?; let v = ProtocolVersionKey { namespace_id, name }; diff --git a/engine/sdks/rust/envoy-client/Cargo.toml b/engine/sdks/rust/envoy-client/Cargo.toml index 8f9fde7136..108fa1d6db 100644 --- a/engine/sdks/rust/envoy-client/Cargo.toml +++ b/engine/sdks/rust/envoy-client/Cargo.toml @@ -12,6 +12,7 @@ hex.workspace = true rand.workspace = true rivet-envoy-protocol.workspace = true rivet-util-serde.workspace = true +rustls.workspace = true scc.workspace = true serde.workspace = true serde_bare.workspace = true diff --git a/engine/sdks/rust/envoy-client/src/connection.rs b/engine/sdks/rust/envoy-client/src/connection.rs index 2f84f1da27..163c3e34b2 100644 
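Review bot: The write through `ns_tx` now lands in `namespace::keys::subspace()`, and the `TuplePack` hunk in `keys/runner_config.rs` moves `PROTOCOL_VERSION` behind `namespace_id` and `name`, so a protocol version stored under the previous subspace or tuple order will not be found by readers using the new key. No migration or cleanup of the old records is visible in this diff. If such records can exist in a deployed cluster, record how they are handled next to the write, for example `// Key location changed; values written under the old layout are not read and are rewritten on the next handle_init` (if that is indeed the behaviour), or add a one-off migration. It is also worth confirming that every reader of `ProtocolVersionKey` goes through the same namespace subspace, since a reader still on the plain transaction would silently see no value. `handle_init` continues outside this hunk.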
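Review bot: In `TupleUnpack::unpack` for `ProtocolVersionKey` the trailing `usize` is discarded with `_`, so the decoder never checks that the last element is `PROTOCOL_VERSION`. With the discriminator now at the tail, any other key stored under the same `RUNNER, CONFIG, DATA, namespace_id, name` prefix (if one exists) would decode as a `ProtocolVersionKey` when a range read over that prefix is unpacked with this type. I would bind the last element, compare it with `PROTOCOL_VERSION` and return a pack error on mismatch. At minimum, add a comment such as `// trailing element is the PROTOCOL_VERSION discriminator; not validated here`.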
--- a/engine/sdks/rust/envoy-client/src/connection.rs +++ b/engine/sdks/rust/envoy-client/src/connection.rs @@ -81,6 +81,12 @@ async fn single_connection( p }; + // Initialize with a default CryptoProvider for rustls + let provider = rustls::crypto::ring::default_provider(); + if provider.install_default().is_err() { + tracing::debug!("crypto provider already installed in this process"); + } + let request = tungstenite::http::Request::builder() .uri(&url) .header("Sec-WebSocket-Protocol", protocols.join(", "))
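Review bot: `install_default()` sets a process-wide rustls provider from inside `single_connection`, so an SDK call changes global state for the host application, and a new ring provider is built on every connection attempt only to be rejected after the first; the comment does not say why the install is needed. I would state the reason, presumably `// rustls cannot pick a provider on its own when more than one backend is compiled in; install ring unless the host already chose one`, and skip the work when a provider is set: `if rustls::crypto::CryptoProvider::get_default().is_none() { let _ = rustls::crypto::ring::default_provider().install_default(); }`. The call also depends on the `ring` feature of the workspace `rustls` entry that `rustls.workspace = true` in `envoy-client/Cargo.toml` inherits, which is not visible in this diff. `single_connection` starts and ends outside the hunk.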