From 0fa68b2d810b582bfdd26d2927de8c9b1e0fa301 Mon Sep 17 00:00:00 2001
From: Sebastian Jeltsch <sebastian@trailbase.io>
Date: Thu, 7 May 2026 09:28:03 +0200
Subject: [PATCH] Minor: explicitly initialize TLS provider in custom binary
 example to model best-practices.

---
 Cargo.lock                         | 1 +
 crates/core/src/server/mod.rs      | 9 +++++++--
 examples/custom-binary/Cargo.toml  | 1 +
 examples/custom-binary/src/main.rs | 7 +++++++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 0add3c79..a6e54afc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1654,6 +1654,7 @@ dependencies = [
  "axum",
  "env_logger",
  "tokio",
+ "tokio-rustls",
  "trailbase",
 ]
 
diff --git a/crates/core/src/server/mod.rs b/crates/core/src/server/mod.rs
index 8cd0065b..e09d6502 100644
--- a/crates/core/src/server/mod.rs
+++ b/crates/core/src/server/mod.rs
@@ -694,9 +694,14 @@ pub async fn serve(
 ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
   // Make sure TLS provider is installed (both for incoming and outgoing traffic, including traffic
   // from WASM components).
-  if tokio_rustls::rustls::crypto::CryptoProvider::get_default().is_none() {
+  use tokio_rustls::rustls::crypto;
+  if crypto::CryptoProvider::get_default().is_none() {
     info!("No process-wide TLS provider found. Falling back to `aws_lc_rs`.");
-    let _ = tokio_rustls::rustls::crypto::aws_lc_rs::default_provider().install_default();
+    if let Err(_provider) = crypto::aws_lc_rs::default_provider().install_default() {
+      // QUESTION: Should this be a panic or is this still acceptable for users who don't
+      // need TLS (neither to serve nor for WASM components).
+      error!("Installing fallback TLS provider failed.");
+    }
   }
 
   let has_tls = tls.is_some();
diff --git a/examples/custom-binary/Cargo.toml b/examples/custom-binary/Cargo.toml
index b618aa66..332933c3 100644
--- a/examples/custom-binary/Cargo.toml
+++ b/examples/custom-binary/Cargo.toml
@@ -8,4 +8,5 @@ publish = false
 axum = "^0.8.1"
 env_logger = { workspace = true }
 tokio = { workspace = true }
+tokio-rustls = { workspace = true }
 trailbase = { workspace = true }
diff --git a/examples/custom-binary/src/main.rs b/examples/custom-binary/src/main.rs
index e9e84655..c14df205 100644
--- a/examples/custom-binary/src/main.rs
+++ b/examples/custom-binary/src/main.rs
@@ -31,6 +31,13 @@ async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
       .default_filter_or("info,trailbase_refinery=warn,tracing::span=warn,swc_ecma_codegen=off"),
   );
 
+  // Install the process-wide rustls crypto provider. Since rustls 0.23.39 there is no more
+  // implicit default. W/o this any TLS traffic incoming and outgoing (e.g. via WASM components)
+  // would panic.
+  tokio_rustls::rustls::crypto::aws_lc_rs::default_provider()
+    .install_default()
+    .expect("Failed to install rustls crypto");
+
   let Server {
     state,
     main_router,