Merge pull request #601 from tnull/2025-08-fix-rustls-crypto-provider-main

tnull · web-flow · commit 3de8b1d54583 · 2025-08-14T15:56:26.000+02:00
Ensure we always startup with a `rustls` `CryptoProvider` (main)
diff --git a/Cargo.toml b/Cargo.toml
@@ -67,6 +67,7 @@ bdk_electrum = { version = "0.23.0", default-features = false, features = ["use-
 bdk_wallet = { version = "2.0.0", default-features = false, features = ["std", "keys-bip39"]}
 
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
+rustls = { version = "0.23", default-features = false }
 rusqlite = { version = "0.31.0", features = ["bundled"] }
 bitcoin = "0.32.4"
 bip39 = "2.0.0"
diff --git a/src/builder.rs b/src/builder.rs
@@ -75,7 +75,7 @@ use std::fmt;
 use std::fs;
 use std::path::PathBuf;
 use std::sync::atomic::AtomicBool;
-use std::sync::{Arc, Mutex, RwLock};
+use std::sync::{Arc, Mutex, Once, RwLock};
 use std::time::SystemTime;
 use vss_client::headers::{FixedHeaders, LnurlAuthToJwtProvider, VssHeaderProvider};
 
@@ -1051,6 +1051,8 @@ fn build_with_store_internal(
 	liquidity_source_config: Option<&LiquiditySourceConfig>, seed_bytes: [u8; 64],
 	logger: Arc<Logger>, kv_store: Arc<DynStore>,
 ) -> Result<Node, BuildError> {
+	optionally_install_rustls_cryptoprovider();
+
 	if let Err(err) = may_announce_channel(&config) {
 		if config.announcement_addresses.is_some() {
 			log_error!(logger, "Announcement addresses were set but some required configuration options for node announcement are missing: {}", err);
@@ -1663,6 +1665,25 @@ fn build_with_store_internal(
 	})
 }
 
+fn optionally_install_rustls_cryptoprovider() {
+	// Acquire a global Mutex, ensuring that only one process at a time install the provider. This
+	// is mostly required for running tests concurrently.
+	static INIT_CRYPTO: Once = Once::new();
+
+	INIT_CRYPTO.call_once(|| {
+		// Ensure we always install a `CryptoProvider` for `rustls` if it was somehow not previously installed by now.
+		if rustls::crypto::CryptoProvider::get_default().is_none() {
+			let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+		}
+
+		// Refuse to startup without TLS support. Better to catch it now than even later at runtime.
+		assert!(
+			rustls::crypto::CryptoProvider::get_default().is_some(),
+			"We need to have a CryptoProvider"
+		);
+	});
+}
+
 /// Sets up the node logger.
 fn setup_logger(
 	log_writer_config: &Option<LogWriterConfig>, config: &Config,
