rtls: default_tls_config() explicit *ring* choice

As mentioned in the comment, `ureq` wants to use `*ring*` by default for
`default_tls_config()`. We can avoid a risk of a panic here and make
that intention even more specific by using
`rustls::ClientConfig::builder_with_provider()` instead of
`rustls::ClientConfig::builder()` (which requires a clear process wide
default is available, or panics).

CHANGELOG.md

@@ -1,4 +1,8 @@
 # Unreleased
+  * default `ureq` Rustls tls config updated to avoid panic for applications
+    that activate the default Rustls `aws-lc-rs` feature without setting
+    a process-wide crypto provider. `ureq` will now use `*ring*` in this
+    circumstance instead of panicing.
 
 # 2.10.0
   * Bump MSRV 1.61 -> 1.63 due to rustls (#764)

src/rtls.rs

@@ -118,9 +118,18 @@ impl TlsConnector for Arc<rustls::ClientConfig> {
 
 pub fn default_tls_config() -> Arc<dyn TlsConnector> {
     static TLS_CONF: Lazy<Arc<dyn TlsConnector>> = Lazy::new(|| {
-        let config = rustls::ClientConfig::builder()
-            .with_root_certificates(root_certs())
-            .with_no_client_auth();
+        // `ureq` prefers to use `*ring*` by default. It unconditionally activates the Rustls
+        // feature for this backend, so we know `rustls::crypto::ring::default_provider()` is
+        // available. We use `builder_with_provider()` instead of `builder()` here to avoid the
+        // risk that the rustls features are ambiguous and no process wide default crypto provider
+        // has been set yet.
+        let config = rustls::ClientConfig::builder_with_provider(
+            rustls::crypto::ring::default_provider().into(),
+        )
+        .with_protocol_versions(&[&rustls::version::TLS12, &rustls::version::TLS13])
+        .unwrap() // Safety: the *ring* default provider always configures ciphersuites compatible w/ both TLS 1.2 & TLS 1.3
+        .with_root_certificates(root_certs())
+        .with_no_client_auth();
         Arc::new(Arc::new(config))
     });
     TLS_CONF.clone()