Use ring provider

Cargo.lock

@@ -3489,6 +3489,7 @@ dependencies = [
  "hex",
  "log",
  "nix 0.28.0",
+ "rustls",
  "sentry",
  "tokio",
  "toml",

endpoint/Cargo.toml

@@ -13,6 +13,7 @@ clap = "4.5"
 console-subscriber = { version = "0.1.9", optional = true }
 hex = "0.4"
 log = "0.4.19"
+rustls = { version = "0.23.37", features = ["logging"] }
 nix = { version = "0.28.0", features = ["resource"] }
 sentry = { version = "0.46.0", default-features = false, features = ["backtrace", "panic", "reqwest", "rustls", "contexts"] }
 tokio = { version = "1.42", features = ["rt-multi-thread", "signal"] }

endpoint/src/main.rs

@@ -1,4 +1,5 @@
 use log::{debug, error, info, warn, LevelFilter};
+use rustls::crypto::ring;
 use std::net::SocketAddr;
 use std::str::FromStr;
 use std::sync::Arc;
@@ -65,6 +66,10 @@ fn increase_fd_limit() {
 fn increase_fd_limit() {}
 
 fn main() {
+    ring::default_provider()
+        .install_default()
+        .expect("Failed to install ring CryptoProvider");
+
     let args = clap::Command::new("VPN endpoint")
         .args(&[
             // Built-in version parameter handling is deficient in that it

lib/Cargo.toml

@@ -33,7 +33,7 @@ once_cell = "1.18.0"
 prometheus = { version = "0.14", features = ["process"] }
 quiche = { version = "0.24.5", features = ["qlog", "boringssl-boring-crate"] }
 ring = "0.17.12"
-rustls = { version = "0.23.37", features = ["logging"] }
+rustls = { version = "0.23.37", features = ["logging", "ring"] }
 rustls-native-certs = "0.7"
 rustls-pki-types = "1.13.2"
 serde = "1.0.164"
@@ -47,7 +47,7 @@ trusttunnel-deeplink = { path = "../deeplink" }
 
 [dev-dependencies]
 hyper = { version = "0.14.26", features = ["http1", "http2", "client", "server", "runtime", "stream"] }
-rustls = { version = "0.23.37", features = ["logging"] }
+rustls = { version = "0.23.37", features = ["logging", "ring"] }
 tempfile = "3"
 
 [features]

lib/src/cert_verification.rs

@@ -73,13 +73,16 @@ impl CertificateVerifier {
         };
 
         let provider = Arc::new(rustls::crypto::ring::default_provider());
-        let verifier = match WebPkiServerVerifier::builder_with_provider(self.root_store.clone(), provider).build() {
+        let verifier =
-            Ok(v) => v,
+            match WebPkiServerVerifier::builder_with_provider(self.root_store.clone(), provider)
-            Err(e) => {
+                .build()
-                debug!("Failed to build verifier: {}", e);
+            {
-                return false;
+                Ok(v) => v,
-            }
+                Err(e) => {
-        };
+                    debug!("Failed to build verifier: {}", e);
+                    return false;
+                }
+            };
         let end_entity = &certs[0];
         let intermediates: Vec<_> = certs.iter().skip(1).cloned().collect();
         let now = rustls_pki_types::UnixTime::now();