From d8e0b117cdcf7ce118b20f120795aefe3f73a580 Mon Sep 17 00:00:00 2001
From: Jules Wiriath
Date: Tue, 9 Dec 2025 16:59:56 +0100
Subject: [PATCH 1/3] fix(common: connector: rustls): don't always panic if rustls CryptoProvider already installed
---
 libdd-common/src/connector/mod.rs | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/libdd-common/src/connector/mod.rs b/libdd-common/src/connector/mod.rs
index c36db81026..e1da9ceba3 100644
--- a/libdd-common/src/connector/mod.rs
+++ b/libdd-common/src/connector/mod.rs
@@ -95,16 +95,19 @@ mod https {
 /// In fips mode we expect someone to have done this already.
 #[cfg(any(not(feature = "fips"), coverage))]
 fn ensure_crypto_provider_initialized() {
- use std::sync::LazyLock;
- static INIT_CRYPTO_PROVIDER: LazyLock<()> = LazyLock::new(|| {
+ use std::sync::Once;
+
+ static INIT_CRYPTO_PROVIDER: Once = Once::new();
+
+ INIT_CRYPTO_PROVIDER.call_once(|| {
 #[cfg(unix)]
- #[allow(clippy::expect_used)]
- rustls::crypto::aws_lc_rs::default_provider()
- .install_default()
- .expect("Failed to install default CryptoProvider");
+ if let Err(_crypto_provider) =
+ rustls::crypto::aws_lc_rs::default_provider().install_default()
+ {
+ // TODO: panic here if the installed crypto_provider does not
+ // correspond to what is expected
+ }
 });
-
- let _ = &*INIT_CRYPTO_PROVIDER;
 }

 // This actually needs to be done by the user somewhere in their own main. This will only
From ff90dbc0bf62a2c014d739edaadfadb4f960d785 Mon Sep 17 00:00:00 2001
From: Jules Wiriath
Date: Tue, 9 Dec 2025 17:33:46 +0100
Subject: [PATCH 2/3] feat(common: connector: rustls): good practice seem to not validate arbitrarily installed CryptoProvider
---
 libdd-common/src/connector/mod.rs | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/libdd-common/src/connector/mod.rs b/libdd-common/src/connector/mod.rs
index e1da9ceba3..07e5e63846 100644
--- a/libdd-common/src/connector/mod.rs
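Review bot: In PATCH 1/3 the `Err` arm of `install_default()` inside `call_once` is empty apart from a TODO, so a `CryptoProvider` that another crate installed first is accepted with no check and no record; PATCH 2/3 and 3/3 settle on the same behaviour as `let _ = ...install_default();`. Because the rustls default is process-wide, the cipher suites and key-exchange groups this connector presumably ends up using are then decided by whichever code ran first. If the connector builds its own `rustls::ClientConfig` (not visible in this hunk), passing the provider explicitly with `ClientConfig::builder_with_provider(...)` would remove the dependence on global state; failing that, the `Err` arm should at least log that a provider it did not install is in use. The enclosing `mod https` starts and ends outside the hunk.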
+++ b/libdd-common/src/connector/mod.rs
@@ -100,13 +100,22 @@ mod https {
 static INIT_CRYPTO_PROVIDER: Once = Once::new();

 INIT_CRYPTO_PROVIDER.call_once(|| {
+ // We could validate the current CryptoProvider with arbitrary
+ // checks, but it is not a good practice. Unless we have specific
+ // needs, this seems to be generally unadvised.
+ //
+ // For example:
+ // ```
+ // if let Err(installed_provider) =
+ // rustls::crypto::aws_lc_rs::default_provider().install_default()
+ // let default = rustls::crypto::aws_lc_rs::default_provider();
+ // assert!(default
+ // .cipher_suites
+ // .iter()
+ // .all(|x| installed_provider.cipher_suites.contains(x)));
+ // ```
 #[cfg(unix)]
- if let Err(_crypto_provider) =
- rustls::crypto::aws_lc_rs::default_provider().install_default()
- {
- // TODO: panic here if the installed crypto_provider does not
- // correspond to what is expected
- }
+ let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
 });
 }

From 3444059dae421b41f13f6484a4c4a7d199ed645f Mon Sep 17 00:00:00 2001
From: Jules Wiriath
Date: Wed, 10 Dec 2025 11:08:18 +0100
Subject: [PATCH 3/3] fix(common: connector: rustls): removed explanation comment
---
 libdd-common/src/connector/mod.rs | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/libdd-common/src/connector/mod.rs b/libdd-common/src/connector/mod.rs
index 07e5e63846..b07e4670f7 100644
--- a/libdd-common/src/connector/mod.rs
+++ b/libdd-common/src/connector/mod.rs
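Review bot: The comment block that PATCH 2/3 adds above `let _ = ...install_default();` justifies discarding the `Result` only by calling validation "not a good practice", and its example is not valid Rust (the `if let` has no braces), so it does not tell a maintainer what `Err` means here. A single line stating the reason would serve better, for example `// Err(_) means another CryptoProvider is already the process-wide default; keep it.` PATCH 3/3 deletes the block outright, which leaves the ignored `Result` with no explanation at all. The hunk starts inside `ensure_crypto_provider_initialized`, whose signature is outside it.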
@@ -100,20 +100,6 @@ mod https {
 static INIT_CRYPTO_PROVIDER: Once = Once::new();

 INIT_CRYPTO_PROVIDER.call_once(|| {
- // We could validate the current CryptoProvider with arbitrary
- // checks, but it is not a good practice. Unless we have specific
- // needs, this seems to be generally unadvised.
- //
- // For example:
- // ```
- // if let Err(installed_provider) =
- // rustls::crypto::aws_lc_rs::default_provider().install_default()
- // let default = rustls::crypto::aws_lc_rs::default_provider();
- // assert!(default
- // .cipher_suites
- // .iter()
- // .all(|x| installed_provider.cipher_suites.contains(x)));
- // ```
 #[cfg(unix)]
 let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
 });