rustls > 0.22 panic: "no process-level CryptoProvider available" on Debian 14 (CLI & GUI) #12
Description
Description
When using the Proton VPN CLI or the Proton VPN GUI app on Debian 14 (or any environment with rustls 0.23+), the client panics and fails to establish a connection. Both the CLI and GUI share the python-proton-vpn-local-agent dependency, so this bug breaks the official client entirely on modern distributions.
Before this patch (Crash):
thread 'tokio-runtime-worker' panicked at [...]/rustls-0.23.12/src/crypto/mod.rs:259:14:
no process-level CryptoProvider available -- call CryptoProvider::install_default() before this point
[...]
pyo3_async_runtimes.RustPanic: rust future panicked: unknown error
Error: Connection failed. Try connecting to a different server or check your network settings.
After this patch:
The protonvpn connect (or connecting via the GUI app) establishes the connection successfully without panics.
Cause
In recent rustls versions (0.22+), a process-level CryptoProvider must be explicitly installed or configured before creating a TLS connector if multiple backends are supported or no default is globally applied by the crate features. Debian 14 packages and modern rustls dependencies trigger this panic when local-agent-rs connects to the local agent server.
Manual Workaround
Users facing this issue right now can temporarily work around it by compiling the fixed library from source and replacing the system's broken .so file:
- Clone this repository and apply the fix from PR Install default rustls crypto provider to prevent panic on Debian 14 #13.
- Build the python bindings:
cd local-agent-rs/python-proton-vpn-local-agent cargo build --release - Replace the system library with the newly compiled one:
sudo cp target/release/libpython_proton_vpn_local_agent.so /usr/lib/python3/dist-packages/proton/vpn/local_agent.abi3.so
- Start the CLI (
protonvpn connect) or the GUI app again.
Proposed Solution
We need to explicitly enable the ring feature in tokio-rustls and call tokio_rustls::rustls::crypto::ring::default_provider().install_default(); inside the AgentConnector::connect method before any TLS connector is instantiated.