Actually enable the proper rustls features.

[kixelated]

Technically the issue is in hyper_serve, but I'd rather just fix moq-native.

Sep 04 19:54:43 relay-us-central docker[1101]: thread 'tokio-runtime-worker' panicked at /nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-vendor-cargo-deps/c19b7c6f923b580ac259164a89f2577984ad5ab09ee9d583b888f934adbbe8d0/rustls-0.23.31/src/crypto/mod.rs:249:14:
Sep 04 19:54:43 relay-us-central docker[1101]: Could not automatically determine the process-level CryptoProvider from Rustls crate features.
Sep 04 19:54:43 relay-us-central docker[1101]: Call CryptoProvider::install_default() before this point to select a provider manually, or make sure exactly one of the 'aws-lc-rs' and 'ring' features is enabled.
Sep 04 19:54:43 relay-us-central docker[1101]: See the documentation of the CryptoProvider type for more information.
Sep 04 19:54:43 relay-us-central docker[1101]:             
Sep 04 19:54:43 relay-us-central docker[1101]: stack backtrace:
Sep 04 19:54:43 relay-us-central docker[1101]:    0: __rustc::rust_begin_unwind
Sep 04 19:54:43 relay-us-central docker[1101]:    1: core::panicking::panic_fmt
Sep 04 19:54:43 relay-us-central docker[1101]:    2: core::option::expect_failed
Sep 04 19:54:43 relay-us-central docker[1101]:    3: rustls::server::server_conn::ServerConfig::builder_with_protocol_versions
Sep 04 19:54:43 relay-us-central docker[1101]:    4: rustls::server::server_conn::ServerConfig::builder
Sep 04 19:54:43 relay-us-central docker[1101]:    5: hyper_serve::tls_rustls::config_from_der
Sep 04 19:54:43 relay-us-central docker[1101]:    6: hyper_serve::tls_rustls::config_from_pem
Sep 04 19:54:43 relay-us-central docker[1101]:    7: moq_relay::main::{{closure}}::{{closure}}
Sep 04 19:54:43 relay-us-central docker[1101]:    8: tokio::runtime::task::core::Core<T,S>::poll
Sep 04 19:54:43 relay-us-central docker[1101]:    9: tokio::runtime::task::harness::Harness<T,S>::poll
Sep 04 19:54:43 relay-us-central docker[1101]:   10: tokio::runtime::scheduler::multi_thread::worker::Context::run_task
Sep 04 19:54:43 relay-us-central docker[1101]:   11: tokio::runtime::scheduler::multi_thread::worker::Context::run
Sep 04 19:54:43 relay-us-central docker[1101]:   12: tokio::runtime::context::scoped::Scoped<T>::set
Sep 04 19:54:43 relay-us-central docker[1101]:   13: tokio::runtime::context::runtime::enter_runtime
Sep 04 19:54:43 relay-us-central docker[1101]:   14: tokio::runtime::scheduler::multi_thread::worker::run
Sep 04 19:54:43 relay-us-central docker[1101]:   15: <tokio::runtime::blocking::task::BlockingTask<T> as core::future::future::Future>::poll
Sep 04 19:54:43 relay-us-central docker[1101]:   16: tokio::runtime::task::core::Core<T,S>::poll
Sep 04 19:54:43 relay-us-central docker[1101]:   17: tokio::runtime::task::harness::Harness<T,S>::poll
Sep 04 19:54:43 relay-us-central docker[1101]: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Summary by CodeRabbit

• New Features

  • Added optional TLS backend selection for the native module with a default backend enabled.

• Chores

  • Version bump for hang-cli to 0.2.8.
  • Version bump for moq-native to 0.8.1.
  • Version bump for moq-relay to 0.9.1.

[coderabbitai]

Walkthrough

Version bumps for three Rust crates. Added a new features section in rs/moq-native/Cargo.toml to toggle TLS backends with a default.

Changes

Cohort / File(s)	Summary
Crate version bumps rs/hang-cli/Cargo.toml, rs/moq-relay/Cargo.toml	Incremented package versions: hang-cli 0.2.7 → 0.2.8; moq-relay 0.9.0 → 0.9.1. No other manifest changes.
TLS feature flags for moq-native rs/moq-native/Cargo.toml	Bumped version 0.8.0 → 0.8.1. Added [features]: default = ["aws-lc-rs"], aws-lc-rs = ["rustls/aws-lc-rs"], ring = ["rustls/ring"].

Sequence Diagram(s)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I nudge the crates, hop-hop—new tags in sight,
A flick of features, TLS tucked tight.
aws-lc by day, ring by night,
Versions blink, the burrow feels right.
Thump goes my paw—ship it, delight! 🥕✨

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch tls-feature

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

rs/moq-native/Cargo.toml (1)

21-31: Ensure no residual ring pull-ins under aws-lc-rs
Cargo.toml still defines ring = "0.17" (line 30) and the rustls ring feature (features ring = ["rustls/ring"] at lines 15–17), and deps webpki = "0.22" (line 42) and rcgen = "0.14" (line 28) which transitively pull in ring. Remove or replace webpki/rcgen (e.g., switch to rustls-native-certs or rustls-pki-types) to fully eliminate ring linkage.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1969d5f and 986f518.

⛔ Files ignored due to path filters (1)

• rs/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• rs/hang-cli/Cargo.toml (1 hunks)
• rs/moq-native/Cargo.toml (1 hunks)
• rs/moq-relay/Cargo.toml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

rs/**

📄 CodeRabbit inference engine (CLAUDE.md)

Place Rust crates under the rs/ directory

Files:

• rs/hang-cli/Cargo.toml
• rs/moq-relay/Cargo.toml
• rs/moq-native/Cargo.toml

rs/moq-relay/**

📄 CodeRabbit inference engine (CLAUDE.md)

The CDN/relay (rs/moq-relay) must not include application logic, media codecs, or track details

Files:

• rs/moq-relay/Cargo.toml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Check

🔇 Additional comments (3)

rs/hang-cli/Cargo.toml (1)

8-8: Patch bump looks correct.

No API surface here; patch bump to 0.2.8 is appropriate.

rs/moq-relay/Cargo.toml (1)

8-8: Patch bump is fine.

No manifest or API changes beyond version; 0.9.1 makes sense.

rs/moq-native/Cargo.toml (1)

8-8: Patch bump to 0.8.1 is appropriate.

Matches feature tweak scope; no semver concerns.

[coderabbitai]

🛠️ Refactor suggestion

Propagate backend choice to rcgen and make backends mutually exclusive at the crate boundary.

Right now the rustls flags are wired, but rcgen defaults to ring and you also depend on ring unconditionally, so aws-lc-rs won’t meaningfully remove ring from the build. Map features through to rcgen and gate ring as optional.

Apply this diff to the features block:

 [features]
-default = ["aws-lc-rs"]
-aws-lc-rs = ["rustls/aws-lc-rs"]
-ring = ["rustls/ring"]
+default = ["aws-lc-rs"]
+# Select exactly one crypto backend for rustls and rcgen.
+aws-lc-rs = ["rustls/aws-lc-rs", "rcgen/aws_lc_rs"]
+ring = ["rustls/ring", "rcgen/ring"]

And update dependencies (outside this hunk) to avoid always pulling ring:

# Replace these in [dependencies]
# - rcgen = "0.14"
# - ring = "0.17"

rcgen = { version = "0.14", default-features = false }
ring = { version = "0.17", optional = true }

Optionally add a compile guard in lib.rs to prevent both features at once:

#[cfg(all(feature = "aws-lc-rs", feature = "ring"))]
compile_error!("Enable only one of: `aws-lc-rs` or `ring`.");

🤖 Prompt for AI Agents

In rs/moq-native/Cargo.toml around lines 14-17, the features need to propagate
the chosen tls backend to rcgen and make ring optional so backends are mutually
exclusive: add feature mappings so rcgen uses the same backend feature (e.g.,
aws-lc-rs = ["rustls/aws-lc-rs", "rcgen/aws-lc-rs"] and ring = ["rustls/ring",
"rcgen/ring"]) and mark ring as a crate-level mutually exclusive backend (remove
unconditional ring dependency). Also update the [dependencies] section (outside
this hunk) to set rcgen = { version = "0.14", default-features = false } and
ring = { version = "0.17", optional = true }, and add an optional compile-time
guard in lib.rs to error if both features are enabled simultaneously.