From a9e0d7b8ea705d6ba0dc90e0ca3b3a3c8652c7f5 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Fri, 22 May 2026 17:06:22 +0200
Subject: [PATCH 01/30] feat(fetch_tls): add new TLS abstraction crate

Introduce the etch_tls crate providing a unified TLS configuration API with pluggable backends for rustls and native-tls. Includes client identity handling, connection options, and test utilities.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .spelling                               |   9 +
 CHANGELOG.md                            |   1 +
 Cargo.lock                              |  37 +++
 Cargo.toml                              |   4 +
 crates/fetch_tls/CHANGELOG.md           |   1 +
 crates/fetch_tls/Cargo.toml             |  52 ++++
 crates/fetch_tls/README.md              |  52 ++++
 crates/fetch_tls/favicon.ico            |   3 +
 crates/fetch_tls/logo.png               |   3 +
 crates/fetch_tls/src/backend.rs         | 122 ++++++++
 crates/fetch_tls/src/client_identity.rs | 256 +++++++++++++++
 crates/fetch_tls/src/lib.rs             |  47 +++
 crates/fetch_tls/src/native_tls.rs      | 177 +++++++++++
 crates/fetch_tls/src/options.rs         | 334 ++++++++++++++++++++
 crates/fetch_tls/src/rustls.rs          | 393 ++++++++++++++++++++++++
 crates/fetch_tls/src/testing.rs         |  80 +++++
 16 files changed, 1571 insertions(+)
 create mode 100644 crates/fetch_tls/CHANGELOG.md
 create mode 100644 crates/fetch_tls/Cargo.toml
 create mode 100644 crates/fetch_tls/README.md
 create mode 100644 crates/fetch_tls/favicon.ico
 create mode 100644 crates/fetch_tls/logo.png
 create mode 100644 crates/fetch_tls/src/backend.rs
 create mode 100644 crates/fetch_tls/src/client_identity.rs
 create mode 100644 crates/fetch_tls/src/lib.rs
 create mode 100644 crates/fetch_tls/src/native_tls.rs
 create mode 100644 crates/fetch_tls/src/options.rs
 create mode 100644 crates/fetch_tls/src/rustls.rs
 create mode 100644 crates/fetch_tls/src/testing.rs

diff --git a/.spelling b/.spelling
index ea386895d..5945ad724 100644
--- a/.spelling
+++ b/.spelling
@@ -556,3 +556,12 @@ addressability
 bumpable
 dereferenceable
 NonNull
+crypto
+DER
+macOS
+PEM
+rustls
+TLS
+verifier
+Verifier
+backend's
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 57c3b358f..08c54da40 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ Please see each crate's change log below:
 - [`data_privacy_macros`](./crates/data_privacy_macros/CHANGELOG.md)
 - [`data_privacy_macros_impl`](./crates/data_privacy_macros_impl/CHANGELOG.md)
 - [`fetch_hyper`](./crates/fetch_hyper/CHANGELOG.md)
+- [`fetch_tls`](./crates/fetch_tls/CHANGELOG.md)
 - [`fundle`](./crates/fundle/CHANGELOG.md)
 - [`fundle_macros`](./crates/fundle_macros/CHANGELOG.md)
 - [`fundle_macros_impl`](./crates/fundle_macros_impl/CHANGELOG.md)
diff --git a/Cargo.lock b/Cargo.lock
index 438dd32ff..f54f1c578 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -676,6 +676,18 @@ dependencies = [
  "crossbeam-utils",
 ]
 
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
+[[package]]
+name = "const-oid"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6ef517f0926dd24a1582492c791b6a4818a4d94e789a334894aa15b0d12f55c"
+
 [[package]]
 name = "convert_case"
 version = "0.10.0"
@@ -1525,6 +1537,15 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
+[[package]]
+name = "hybrid-array"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9155a582abd142abc056962c29e3ce5ff2ad5469f4246b537ed42c5deba857da"
+dependencies = [
+ "typenum",
+]
+
 [[package]]
 name = "hyper"
 version = "1.9.0"
@@ -3076,6 +3097,16 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+dependencies = [
+ "base64ct",
+ "der 0.7.10",
+]
+
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.1"
@@ -3604,6 +3635,12 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bc7d623258602320d5c55d1bc22793b57daff0ec7efc270ea7d55ce1d5f5471c"
 
+[[package]]
+name = "typenum"
+version = "1.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de"
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.24"
diff --git a/Cargo.toml b/Cargo.toml
index 182f1f13a..3a5ccb40b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -34,6 +34,7 @@ data_privacy = { path = "crates/data_privacy", default-features = false, version
 data_privacy_macros = { path = "crates/data_privacy_macros", default-features = false, version = "0.9.0" }
 data_privacy_macros_impl = { path = "crates/data_privacy_macros_impl", default-features = false, version = "0.9.0" }
 fetch_hyper = { path = "crates/fetch_hyper", default-features = false, version = "0.1.1" }
+fetch_tls = { path = "crates/fetch_tls", default-features = false, version = "0.1.0" }
 fundle = { path = "crates/fundle", default-features = false, version = "0.3.0" }
 fundle_macros = { path = "crates/fundle_macros", default-features = false, version = "0.3.0" }
 fundle_macros_impl = { path = "crates/fundle_macros_impl", default-features = false, version = "0.3.0" }
@@ -61,6 +62,7 @@ alloc_tracker = { version = "0.5.9", default-features = false }
 allocator-api2 = { version = "0.4.0", default-features = false }
 anyhow = { version = "1.0.100", default-features = false }
 async-once-cell = { version = "0.5", default-features = false }
+base64 = { version = "0.22", default-features = false, features = ["alloc"] }
 bolero = { version = "0.13.4", default-features = false }
 bumpalo = { version = "3.20.2", default-features = false }
 bytemuck = { version = "1.25", default-features = false }
@@ -122,6 +124,8 @@ regex = { version = "1.12.2", default-features = false }
 rstest = { version = "0.26", default-features = false }
 rustc-hash = { version = "2.1.0", default-features = false }
 rustls = { version = "0.23.40", default-features = false }
+rustls-pki-types = { version = "1.14.1", default-features = false }
+rustls-symcrypt = { version = "0.2.3", default-features = false }
 serde = { version = "1.0.228", default-features = false }
 serde_core = { version = "1.0.228", default-features = false }
 serde_json = { version = "1.0.145", default-features = false }
diff --git a/crates/fetch_tls/CHANGELOG.md b/crates/fetch_tls/CHANGELOG.md
new file mode 100644
index 000000000..825c32f0d
--- /dev/null
+++ b/crates/fetch_tls/CHANGELOG.md
@@ -0,0 +1 @@
+# Changelog
diff --git a/crates/fetch_tls/Cargo.toml b/crates/fetch_tls/Cargo.toml
new file mode 100644
index 000000000..a244fc0a9
--- /dev/null
+++ b/crates/fetch_tls/Cargo.toml
@@ -0,0 +1,52 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+[package]
+name = "fetch_tls"
+description = "TLS configurations and APIs used by 'fetch' crate."
+version = "0.1.0"
+readme = "README.md"
+keywords = ["oxidizer", "tls", "fetch", "http", "client"]
+categories = ["network-programming"]
+
+edition.workspace = true
+rust-version.workspace = true
+authors.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository = "https://github.com/microsoft/oxidizer/tree/main/crates/fetch_tls"
+
+[package.metadata.docs.rs]
+all-features = true
+
+[features]
+default = []
+rustls = ["dep:rustls-symcrypt", "dep:rustls"]
+native-tls = ["dep:native-tls"]
+
+[dependencies]
+# internal
+ohno = { workspace = true }
+
+# external
+http = { workspace = true }
+base64 = { workspace = true }
+# Disabling aws-lc by default; rustls-symcrypt is the intended crypto provider.
+rustls = { workspace = true, features = [
+    "tls12",
+    "std",
+], default-features = false, optional = true }
+rustls-pki-types = { workspace = true, features = ["alloc", "std"] }
+rustls-symcrypt = { workspace = true, optional = true }
+native-tls = { workspace = true, optional = true, features = ["alpn"] }
+
+[dev-dependencies]
+mutants = { workspace = true }
+# Test code unconditionally references both backends; pull them in as
+# dev-dependencies so `cargo test` works with no features enabled.
+rustls = { workspace = true, features = ["tls12", "std"], default-features = false }
+rustls-symcrypt = { workspace = true }
+native-tls = { workspace = true, features = ["alpn"] }
+
+[lints]
+workspace = true
diff --git a/crates/fetch_tls/README.md b/crates/fetch_tls/README.md
new file mode 100644
index 000000000..5c3aecc05
--- /dev/null
+++ b/crates/fetch_tls/README.md
@@ -0,0 +1,52 @@
+<div align="center">
+ <img src="./logo.png" alt="Fetch Tls Logo" width="96">
+
+# Fetch Tls
+
+[![crate.io](https://img.shields.io/crates/v/fetch_tls.svg)](https://crates.io/crates/fetch_tls)
+[![docs.rs](https://docs.rs/fetch_tls/badge.svg)](https://docs.rs/fetch_tls)
+[![MSRV](https://img.shields.io/crates/msrv/fetch_tls)](https://crates.io/crates/fetch_tls)
+[![CI](https://github.com/microsoft/oxidizer/actions/workflows/main.yml/badge.svg?event=push)](https://github.com/microsoft/oxidizer/actions/workflows/main.yml)
+[![Coverage](https://codecov.io/gh/microsoft/oxidizer/graph/badge.svg?token=FCUG0EL5TI)](https://codecov.io/gh/microsoft/oxidizer)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](../../LICENSE)
+<a href="../.."><img src="../../logo.svg" alt="This crate was developed as part of the Oxidizer project" width="20"></a>
+
+</div>
+
+Backend-agnostic TLS configuration for HTTP clients.
+
+Build a [`TlsOptions`][__link0] with [`TlsOptions::builder_rustls`][__link1] or
+[`TlsOptions::builder_native_tls`][__link2], or wrap a pre-built
+[`rustls::ClientConfig`][__link3] /
+[`native_tls::TlsConnector`][__link4] via `From`/`Into`.
+Materialize a [`TlsBackend`][__link5] with [`TlsOptions::build_backend`][__link6].
+
+## Features
+
+* **`rustls`** — pure-Rust [`rustls`][__link7] paired with
+  [`rustls-symcrypt`][__link8] as the crypto provider.
+* **`native-tls`** — platform native TLS (`SChannel` on Windows,
+  Security Framework on macOS, `OpenSSL` on Linux).
+
+With neither feature enabled, [`TlsOptions::default`][__link9] still constructs but
+[`TlsOptions::build_backend`][__link10] returns a [`BackendError`][__link11].
+
+
+<hr/>
+<sub>
+This crate was developed as part of <a href="../..">The Oxidizer Project</a>. Browse this crate's <a href="https://github.com/microsoft/oxidizer/tree/main/crates/fetch_tls">source code</a>.
+</sub>
+
+ [__cargo_doc2readme_dependencies_info]: ggGkYW0CYXSEGy4k8ldDFPOhG2VNeXtD5nnKG6EPY6OfW5wBG8g18NOFNdxpYXKEGz0-gwD02BMqGx-aWk5R-ciAG5SPoepFPbthG4u5TGxqSEiPYWSEgmlmZXRjaF90bHNlMC4xLjCCam5hdGl2ZV90bHNmMC4yLjE4gmZydXN0bHNnMC4yMy40MIJvcnVzdGxzX3N5bWNyeXB0ZTAuMi4z
+ [__link0]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
+ [__link1]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::builder_rustls
+ [__link10]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::build_backend
+ [__link11]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=BackendError
+ [__link2]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::builder_native_tls
+ [__link3]: https://docs.rs/rustls/0.23.40/rustls/?search=ClientConfig
+ [__link4]: https://docs.rs/native_tls/0.2.18/native_tls/?search=TlsConnector
+ [__link5]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsBackend
+ [__link6]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::build_backend
+ [__link7]: https://crates.io/crates/rustls/0.23.40
+ [__link8]: https://crates.io/crates/rustls_symcrypt/0.2.3
+ [__link9]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::default
diff --git a/crates/fetch_tls/favicon.ico b/crates/fetch_tls/favicon.ico
new file mode 100644
index 000000000..ccae81142
--- /dev/null
+++ b/crates/fetch_tls/favicon.ico
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e48225cb42c8ac02df5dd4a9bdba29c1e8d10436cc27055d6a021bcb951d4145
+size 480683
diff --git a/crates/fetch_tls/logo.png b/crates/fetch_tls/logo.png
new file mode 100644
index 000000000..f2bd66915
--- /dev/null
+++ b/crates/fetch_tls/logo.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:63ad64ebb0185d7cd153acc291989d72e3a0094603d8bfe781a220861de247f2
+size 17876
diff --git a/crates/fetch_tls/src/backend.rs b/crates/fetch_tls/src/backend.rs
new file mode 100644
index 000000000..62fc0ec51
--- /dev/null
+++ b/crates/fetch_tls/src/backend.rs
@@ -0,0 +1,122 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//! Fully constructed TLS backends ready for use by an HTTP client.
+
+/// Error returned when materializing a [`TlsBackend`] from
+/// [`TlsOptions`](super::TlsOptions) fails.
+#[ohno::error]
+pub struct BackendError;
+
+/// A fully constructed TLS backend ready for use by an HTTP client.
+///
+/// Unlike [`TlsOptions`](super::TlsOptions), which describes *how* to build
+/// a TLS configuration, `TlsBackend` holds the resulting backend-specific
+/// state. Which variants are available depends on enabled features:
+/// [`TlsBackend::Rustls`] requires `rustls`; [`TlsBackend::NativeTls`]
+/// requires `native-tls`.
+///
+/// Typically produced from [`TlsOptions`](super::TlsOptions); construct
+/// directly only when wrapping a pre-built backend.
+#[derive(Debug, Clone)]
+#[allow(
+    clippy::allow_attributes,
+    clippy::large_enum_variant,
+    reason = "configuration object; boxing would clutter the public API without performance benefit"
+)]
+pub enum TlsBackend {
+    /// rustls backend, carrying a shared [`ClientConfig`](::rustls::ClientConfig).
+    #[cfg(any(feature = "rustls", test))]
+    Rustls(std::sync::Arc<::rustls::ClientConfig>),
+
+    /// Platform native TLS backend (`SChannel` on Windows, Security Framework
+    /// on macOS, `OpenSSL` on Linux).
+    #[cfg(any(feature = "native-tls", test))]
+    NativeTls(::native_tls::TlsConnector),
+}
+
+/// Environment-supplied defaults for materializing a [`TlsBackend`].
+///
+/// Lets HTTP client crates own platform / policy choices (such as which
+/// crypto provider or root store to use) without baking them into
+/// `fetch_tls`. Each backend that needs environment state has its own
+/// constructor; native-tls and pre-configured backends ignore defaults.
+///
+/// Use [`TlsBackendDefaults::new`] when no backend-specific state is
+/// required. Building a rustls backend without
+/// [`TlsBackendDefaults::rustls`] returns a [`BackendError`].
+#[derive(Clone, Default)]
+pub struct TlsBackendDefaults {
+    #[cfg(any(feature = "rustls", test))]
+    pub(crate) rustls: Option<RustlsDefaults>,
+}
+
+/// Environment-supplied defaults specific to the rustls backend.
+#[cfg(any(feature = "rustls", test))]
+#[derive(Clone)]
+pub(crate) struct RustlsDefaults {
+    pub(crate) crypto_provider: std::sync::Arc<::rustls::crypto::CryptoProvider>,
+    pub(crate) verifier: std::sync::Arc<dyn ::rustls::client::danger::ServerCertVerifier>,
+}
+
+impl TlsBackendDefaults {
+    /// Creates an empty set of defaults.
+    ///
+    /// Sufficient for native-tls or pre-configured backends; materializing
+    /// a rustls backend with these returns a [`BackendError`].
+    #[must_use]
+    pub fn new() -> Self {
+        Self::default()
+    }
+
+    /// Supplies the rustls crypto provider and a fallback server certificate verifier.
+    ///
+    /// The verifier is used only when the caller did not configure one via
+    /// [`TlsOptionsBuilder::server_certificate_verifier`](super::TlsOptionsBuilder::server_certificate_verifier).
+    #[cfg(any(feature = "rustls", test))]
+    #[cfg_attr(docsrs, doc(cfg(feature = "rustls")))]
+    #[must_use]
+    pub fn rustls(
+        crypto_provider: std::sync::Arc<::rustls::crypto::CryptoProvider>,
+        verifier: std::sync::Arc<dyn ::rustls::client::danger::ServerCertVerifier>,
+    ) -> Self {
+        Self {
+            rustls: Some(RustlsDefaults { crypto_provider, verifier }),
+        }
+    }
+}
+
+impl std::fmt::Debug for TlsBackendDefaults {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut s = f.debug_struct("TlsBackendDefaults");
+        #[cfg(any(feature = "rustls", test))]
+        {
+            s.field(
+                "rustls",
+                &self.rustls.as_ref().map(|_| "<rustls CryptoProvider + ServerCertVerifier>"),
+            );
+        }
+        s.finish()
+    }
+}
+
+#[cfg(any(feature = "rustls", test))]
+impl From<::rustls::ClientConfig> for TlsBackend {
+    fn from(config: ::rustls::ClientConfig) -> Self {
+        Self::Rustls(std::sync::Arc::new(config))
+    }
+}
+
+#[cfg(any(feature = "rustls", test))]
+impl From<std::sync::Arc<::rustls::ClientConfig>> for TlsBackend {
+    fn from(config: std::sync::Arc<::rustls::ClientConfig>) -> Self {
+        Self::Rustls(config)
+    }
+}
+
+#[cfg(any(feature = "native-tls", test))]
+impl From<::native_tls::TlsConnector> for TlsBackend {
+    fn from(connector: ::native_tls::TlsConnector) -> Self {
+        Self::NativeTls(connector)
+    }
+}
diff --git a/crates/fetch_tls/src/client_identity.rs b/crates/fetch_tls/src/client_identity.rs
new file mode 100644
index 000000000..46a2e4ff1
--- /dev/null
+++ b/crates/fetch_tls/src/client_identity.rs
@@ -0,0 +1,256 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//! Backend-agnostic `mTLS` client identity.
+//!
+//! [`ClientIdentity`] holds a DER-encoded certificate chain and private key
+//! and is consumed by both backends, so `mTLS` is configured the same way
+//! regardless of which backend is selected.
+
+use std::fmt;
+
+use rustls_pki_types::pem::PemObject;
+
+/// Error returned when constructing a [`ClientIdentity`] from key material fails.
+#[ohno::error]
+pub struct ClientIdentityError;
+
+/// Client identity for mutual TLS (`mTLS`) authentication.
+///
+/// Holds the client certificate chain and private key presented during the
+/// TLS handshake. The same value works with either backend; each one
+/// converts the contained DER bytes into its own internal form.
+///
+/// # Example
+///
+/// ```rust,no_run
+/// use fetch_tls::ClientIdentity;
+///
+/// # fn example() -> Result<(), Box<dyn std::error::Error>> {
+/// let cert_pem = std::fs::read("client.pem")?;
+/// let key_pem = std::fs::read("client-key.pem")?;
+/// let identity = ClientIdentity::from_pem(&cert_pem, &key_pem)?;
+/// # let _ = identity;
+/// # Ok(())
+/// # }
+/// ```
+pub struct ClientIdentity {
+    cert_chain: Vec<rustls_pki_types::CertificateDer<'static>>,
+    private_key: rustls_pki_types::PrivateKeyDer<'static>,
+}
+
+impl Clone for ClientIdentity {
+    fn clone(&self) -> Self {
+        Self {
+            cert_chain: self.cert_chain.clone(),
+            // `PrivateKeyDer` does not implement `Clone` because the inner key
+            // material is sensitive; `clone_key` makes the copy explicit.
+            private_key: self.private_key.clone_key(),
+        }
+    }
+}
+
+impl ClientIdentity {
+    /// Creates a client identity from PEM-encoded certificate and private key.
+    ///
+    /// `cert_pem` may contain one or more certificates (leaf first, then
+    /// intermediates). `key_pem` must contain exactly one private key
+    /// (`PKCS#1`, `PKCS#8`, or `SEC1`).
+    ///
+    /// The native-tls backend only accepts `PKCS#8` keys; `PKCS#1` and
+    /// `SEC1` work with rustls but cause native-tls to fail at build time.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if either input is not valid PEM.
+    pub fn from_pem(cert_pem: &[u8], key_pem: &[u8]) -> Result<Self, ClientIdentityError> {
+        let cert_chain: Vec<rustls_pki_types::CertificateDer<'static>> = rustls_pki_types::CertificateDer::pem_slice_iter(cert_pem)
+            .collect::<Result<_, _>>()
+            .map_err(ClientIdentityError::caused_by)?;
+        let private_key = rustls_pki_types::PrivateKeyDer::from_pem_slice(key_pem).map_err(ClientIdentityError::caused_by)?;
+        Ok(Self { cert_chain, private_key })
+    }
+
+    /// Creates a client identity from DER-encoded certificate and private key.
+    ///
+    /// `cert_chain` is leaf-first; `key_der` must be a `PKCS#8`-encoded
+    /// private key.
+    #[must_use]
+    pub fn from_der<I, DER>(cert_chain: I, key_der: DER) -> Self
+    where
+        I: IntoIterator<Item = DER>,
+        DER: AsRef<[u8]>,
+    {
+        let cert_chain = cert_chain
+            .into_iter()
+            .map(|c| rustls_pki_types::CertificateDer::from(c.as_ref().to_vec()))
+            .collect();
+        let private_key = rustls_pki_types::PrivateKeyDer::from(rustls_pki_types::PrivatePkcs8KeyDer::from(key_der.as_ref().to_vec()));
+        Self { cert_chain, private_key }
+    }
+
+    /// Returns the certificate chain as rustls types.
+    #[cfg(any(feature = "rustls", test))]
+    #[cfg_attr(test, mutants::skip)] // trivial accessor, tested via `mTLS` integration
+    pub(crate) fn cert_chain(&self) -> &[rustls_pki_types::CertificateDer<'static>] {
+        &self.cert_chain
+    }
+
+    /// Returns the private key as rustls types.
+    #[cfg(any(feature = "rustls", test))]
+    pub(crate) fn private_key(&self) -> &rustls_pki_types::PrivateKeyDer<'static> {
+        &self.private_key
+    }
+
+    /// Builds a [`native_tls::Identity`] from this client identity.
+    ///
+    /// Re-encodes the DER components as PEM and feeds them to
+    /// [`native_tls::Identity::from_pkcs8`], the format supported across all
+    /// platform backends. Fails if the private key is not `PKCS#8` or if the
+    /// platform native TLS implementation rejects the material.
+    #[cfg(any(feature = "native-tls", test))]
+    pub(crate) fn build_native_identity(&self) -> Result<native_tls::Identity, ClientIdentityError> {
+        let key_pkcs8_der = match &self.private_key {
+            rustls_pki_types::PrivateKeyDer::Pkcs8(key) => key.secret_pkcs8_der(),
+            rustls_pki_types::PrivateKeyDer::Pkcs1(_) | rustls_pki_types::PrivateKeyDer::Sec1(_) => {
+                return Err(ClientIdentityError::caused_by(
+                    "native-tls backend requires a `PKCS#8` private key (got `PKCS#1` or `SEC1`)",
+                ));
+            }
+            _ => {
+                return Err(ClientIdentityError::caused_by("native-tls backend requires a `PKCS#8` private key"));
+            }
+        };
+
+        let mut cert_pem = Vec::new();
+        for cert in &self.cert_chain {
+            write_pem_block(&mut cert_pem, "CERTIFICATE", cert.as_ref());
+        }
+        let mut key_pem = Vec::new();
+        write_pem_block(&mut key_pem, "PRIVATE KEY", key_pkcs8_der);
+
+        native_tls::Identity::from_pkcs8(&cert_pem, &key_pem).map_err(ClientIdentityError::caused_by)
+    }
+}
+
+/// Writes a PEM-encoded object to `out`.
+///
+/// Format per `RFC 7468`: a textual `-----BEGIN <label>-----` line, the body
+/// as `base64` broken into 64-character lines, and a matching
+/// `-----END <label>-----` line.
+#[cfg(any(feature = "native-tls", test))]
+fn write_pem_block(out: &mut Vec<u8>, label: &str, der: &[u8]) {
+    use std::io::Write;
+
+    use base64::Engine as _;
+
+    let body = base64::engine::general_purpose::STANDARD.encode(der);
+    writeln!(out, "-----BEGIN {label}-----").expect("writing to Vec cannot fail");
+    for line in body.as_bytes().chunks(64) {
+        out.extend_from_slice(line);
+        out.push(b'\n');
+    }
+    writeln!(out, "-----END {label}-----").expect("writing to Vec cannot fail");
+}
+
+impl fmt::Debug for ClientIdentity {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("ClientIdentity")
+            .field("cert_chain_len", &self.cert_chain.len())
+            .field("private_key", &"<redacted>")
+            .finish()
+    }
+}
+
+#[cfg(test)]
+#[cfg_attr(coverage_nightly, coverage(off))]
+mod tests {
+    use rustls_pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs1KeyDer, PrivateSec1KeyDer};
+
+    use super::*;
+
+    #[test]
+    fn from_pem_fails_for_invalid_pem() {
+        ClientIdentity::from_pem(b"not a pem", b"not a key").unwrap_err();
+    }
+
+    #[test]
+    fn from_der_constructs_identity() {
+        let identity = ClientIdentity::from_der(vec![vec![0x30u8, 0x00]], vec![0x30u8, 0x00]);
+        assert_eq!(identity.cert_chain.len(), 1);
+    }
+
+    #[test]
+    fn clone_preserves_cert_chain_length() {
+        let identity = ClientIdentity::from_der(vec![vec![0x30u8, 0x00], vec![0x30u8, 0x00]], vec![0x30u8, 0x00]);
+        let cloned = identity.clone();
+        assert_eq!(identity.cert_chain.len(), 2);
+        assert_eq!(cloned.cert_chain.len(), 2);
+    }
+
+    #[test]
+    fn debug_redacts_private_key() {
+        let identity = ClientIdentity::from_der(vec![vec![0x30u8, 0x00]], vec![0x30u8, 0x00]);
+        let debug_output = format!("{identity:?}");
+        assert!(debug_output.contains("<redacted>"));
+        assert!(debug_output.contains("cert_chain_len: 1"));
+    }
+
+    #[test]
+    // Miri can't execute the platform TLS FFI (`CertOpenStore` on Windows, etc.)
+    // that `native_tls::Identity::from_pkcs8` invokes to validate the inputs.
+    #[cfg_attr(miri, ignore)]
+    fn build_native_identity_fails_for_invalid_certificate() {
+        let identity = ClientIdentity::from_der(vec![vec![0xffu8, 0xff]], vec![0x30u8, 0x00]);
+
+        let Err(err) = identity.build_native_identity() else {
+            panic!("expected error for invalid certificate");
+        };
+        // The PKCS#8 key must be accepted by the match (the failure should come
+        // from `native_tls` rejecting the bogus certificate, not from our own
+        // "requires a `PKCS#8` private key" guard).
+        let msg = format!("{err}");
+        assert!(
+            !msg.contains("requires a `PKCS#8` private key"),
+            "PKCS#8 key was incorrectly rejected: {msg}"
+        );
+    }
+
+    #[test]
+    fn build_native_identity_rejects_pkcs1_key() {
+        // Construct directly so the private key is the `PKCS#1` variant rather
+        // than the `PKCS#8` wrapper that `from_der` produces.
+        let identity = ClientIdentity {
+            cert_chain: vec![CertificateDer::from(vec![0x30, 0x00])],
+            private_key: PrivateKeyDer::Pkcs1(PrivatePkcs1KeyDer::from(vec![0x30, 0x00])),
+        };
+
+        let Err(err) = identity.build_native_identity() else {
+            panic!("expected error for PKCS#1 key");
+        };
+        assert!(format!("{err}").contains("`PKCS#1` or `SEC1`"));
+    }
+
+    #[test]
+    fn build_native_identity_rejects_sec1_key() {
+        let identity = ClientIdentity {
+            cert_chain: vec![CertificateDer::from(vec![0x30, 0x00])],
+            private_key: PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(vec![0x30, 0x00])),
+        };
+
+        let Err(err) = identity.build_native_identity() else {
+            panic!("expected error for SEC1 key");
+        };
+        assert!(format!("{err}").contains("`PKCS#1` or `SEC1`"));
+    }
+
+    #[test]
+    fn write_pem_block_round_trips() {
+        let mut out = Vec::new();
+        write_pem_block(&mut out, "PRIVATE KEY", b"hello");
+        let text = std::str::from_utf8(&out).unwrap();
+        assert!(text.starts_with("-----BEGIN PRIVATE KEY-----\n"));
+        assert!(text.contains("aGVsbG8=")); // base64("hello")
+        assert!(text.trim_end().ends_with("-----END PRIVATE KEY-----"));
+    }
+}
diff --git a/crates/fetch_tls/src/lib.rs b/crates/fetch_tls/src/lib.rs
new file mode 100644
index 000000000..6e5f9a3d4
--- /dev/null
+++ b/crates/fetch_tls/src/lib.rs
@@ -0,0 +1,47 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+#![cfg_attr(coverage_nightly, feature(coverage_attribute))]
+#![cfg_attr(docsrs, feature(doc_cfg))]
+#![doc(html_logo_url = "https://media.githubusercontent.com/media/microsoft/oxidizer/refs/heads/main/crates/fetch_tls/logo.png")]
+#![doc(html_favicon_url = "https://media.githubusercontent.com/media/microsoft/oxidizer/refs/heads/main/crates/fetch_tls/favicon.ico")]
+
+//! Backend-agnostic TLS configuration for HTTP clients.
+//!
+//! Build a [`TlsOptions`] with [`TlsOptions::builder_rustls`] or
+//! [`TlsOptions::builder_native_tls`], or wrap a pre-built
+//! [`rustls::ClientConfig`](::rustls::ClientConfig) /
+//! [`native_tls::TlsConnector`](::native_tls::TlsConnector) via `From`/`Into`.
+//! Materialize a [`TlsBackend`] with [`TlsOptions::build_backend`].
+//!
+//! # Features
+//!
+//! - **`rustls`** — pure-Rust [`rustls`](::rustls) paired with
+//!   [`rustls-symcrypt`](::rustls_symcrypt) as the crypto provider.
+//! - **`native-tls`** — platform native TLS (`SChannel` on Windows,
+//!   Security Framework on macOS, `OpenSSL` on Linux).
+//!
+//! With neither feature enabled, [`TlsOptions::default`] still constructs but
+//! [`TlsOptions::build_backend`] returns a [`BackendError`].
+
+mod backend;
+mod options;
+
+pub use backend::{BackendError, TlsBackend, TlsBackendDefaults};
+pub use options::{TlsOptions, TlsOptionsBuilder};
+
+mod client_identity;
+pub use client_identity::{ClientIdentity, ClientIdentityError};
+
+#[cfg(any(feature = "native-tls", test))]
+mod native_tls;
+#[cfg(any(feature = "native-tls", test))]
+pub use native_tls::NativeTlsOptions;
+
+#[cfg(any(feature = "rustls", test))]
+mod rustls;
+#[cfg(any(feature = "rustls", test))]
+pub use rustls::{RustlsOptions, ServerCertVerifierFactory};
+
+#[cfg(test)]
+mod testing;
diff --git a/crates/fetch_tls/src/native_tls.rs b/crates/fetch_tls/src/native_tls.rs
new file mode 100644
index 000000000..85905d766
--- /dev/null
+++ b/crates/fetch_tls/src/native_tls.rs
@@ -0,0 +1,177 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//! Platform native TLS backend configuration and builder integration.
+
+use http::Version;
+use native_tls::TlsConnector;
+
+use crate::backend::BackendError;
+use crate::options::{SharedOptions, TlsOptions, TlsOptionsBuilder, TlsOptionsKind};
+
+// Application-Layer Protocol Negotiation identifiers; see
+// <https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>.
+const HTTP_11_ALPN: &str = "http/1.1";
+const HTTP_2_ALPN: &str = "h2";
+
+/// Platform native TLS backend.
+#[derive(Clone)]
+#[non_exhaustive]
+pub struct NativeTlsOptions;
+
+impl std::fmt::Debug for NativeTlsOptions {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("NativeTlsOptions").finish()
+    }
+}
+
+impl NativeTlsOptions {
+    pub(crate) fn new() -> Self {
+        Self
+    }
+
+    /// Materializes this configuration into a [`native_tls::TlsConnector`].
+    #[expect(clippy::unused_self, reason = "method takes self for symmetry with RustlsOptions::build")]
+    pub(crate) fn build(self, shared: &SharedOptions) -> Result<TlsConnector, BackendError> {
+        let mut builder = native_tls::TlsConnector::builder();
+        builder
+            .request_alpns(map_to_alpn(&shared.supported_http_versions))
+            .min_protocol_version(Some(native_tls::Protocol::Tlsv12));
+
+        if let Some(identity) = shared.client_identity.as_ref() {
+            let native_identity = identity.build_native_identity().map_err(BackendError::caused_by)?;
+            builder.identity(native_identity);
+        }
+
+        builder.build().map_err(BackendError::caused_by)
+    }
+}
+
+fn map_to_alpn(versions: &[Version]) -> &[&str] {
+    let http1 = versions.contains(&Version::HTTP_11) || versions.contains(&Version::HTTP_10);
+    let http2 = versions.contains(&Version::HTTP_2);
+    if http2 && http1 {
+        &[HTTP_2_ALPN, HTTP_11_ALPN]
+    } else if http2 {
+        &[HTTP_2_ALPN]
+    } else if http1 {
+        &[HTTP_11_ALPN]
+    } else {
+        &[]
+    }
+}
+
+impl TlsOptions {
+    /// Creates a builder for the platform native TLS backend.
+    pub fn builder_native_tls() -> TlsOptionsBuilder<NativeTlsOptions> {
+        TlsOptionsBuilder {
+            backend: NativeTlsOptions::new(),
+            shared: SharedOptions::default(),
+        }
+    }
+}
+
+/// Wraps a pre-built [`native_tls::TlsConnector`] as [`TlsOptions`].
+impl From<TlsConnector> for TlsOptions {
+    fn from(connector: TlsConnector) -> Self {
+        Self {
+            inner: TlsOptionsKind::PreConfigured(connector.into()),
+            shared: SharedOptions::default(),
+        }
+    }
+}
+
+impl TlsOptionsBuilder<NativeTlsOptions> {
+    /// Builds the final [`TlsOptions`] with the native TLS backend.
+    pub fn build(self) -> TlsOptions {
+        TlsOptions {
+            inner: TlsOptionsKind::NativeTls(self.backend),
+            shared: self.shared,
+        }
+    }
+}
+
+#[cfg(test)]
+#[cfg_attr(coverage_nightly, coverage(off))]
+mod tests {
+    use super::*;
+    use crate::client_identity::ClientIdentity;
+
+    #[test]
+    fn builder_native_tls_starts_empty() {
+        let builder = TlsOptions::builder_native_tls();
+        assert!(builder.shared.client_identity.is_none());
+    }
+
+    #[test]
+    fn build_produces_native_tls_options() {
+        let tls = TlsOptions::builder_native_tls().build();
+        assert!(matches!(tls.inner, TlsOptionsKind::NativeTls(_)));
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)] // native-tls touches platform TLS FFI
+    fn tls_options_from_tls_connector_wraps_as_preconfigured() {
+        let connector = native_tls::TlsConnector::builder().build().expect("builds");
+        let tls = TlsOptions::from(connector);
+        assert!(matches!(tls.inner, TlsOptionsKind::PreConfigured(_)));
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn build_fails_for_invalid_client_identity() {
+        let identity = ClientIdentity::from_der(vec![vec![0xffu8, 0xff]], vec![0x30u8, 0x00]);
+        let tls = TlsOptions::builder_native_tls().client_identity(identity).build();
+        tls.build_backend(&crate::TlsBackendDefaults::new())
+            .expect_err("expected build_backend to fail for invalid certificate");
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn build_produces_tls_connector() {
+        NativeTlsOptions::new().build(&SharedOptions::default()).unwrap();
+    }
+
+    #[test]
+    fn map_to_alpn_http1_and_http2() {
+        assert_eq!(map_to_alpn(&[Version::HTTP_11, Version::HTTP_2]), &["h2", "http/1.1"]);
+    }
+
+    #[test]
+    fn map_to_alpn_http2_only() {
+        assert_eq!(map_to_alpn(&[Version::HTTP_2]), &["h2"]);
+    }
+
+    #[test]
+    fn map_to_alpn_http11_only() {
+        assert_eq!(map_to_alpn(&[Version::HTTP_11]), &["http/1.1"]);
+    }
+
+    #[test]
+    fn map_to_alpn_http10_aliases_to_http1() {
+        assert_eq!(map_to_alpn(&[Version::HTTP_10]), &["http/1.1"]);
+    }
+
+    #[test]
+    fn map_to_alpn_empty() {
+        let empty: &[&str] = &[];
+        assert_eq!(map_to_alpn(&[]), empty);
+    }
+
+    #[test]
+    fn map_to_alpn_http3_only_is_empty() {
+        let empty: &[&str] = &[];
+        assert_eq!(map_to_alpn(&[Version::HTTP_3]), empty);
+    }
+
+    #[test]
+    fn map_to_alpn_http10_and_http2() {
+        assert_eq!(map_to_alpn(&[Version::HTTP_10, Version::HTTP_2]), &["h2", "http/1.1"]);
+    }
+
+    #[test]
+    fn debug_renders_presence_only() {
+        let s = format!("{:?}", NativeTlsOptions::new());
+        assert!(s.contains("NativeTlsOptions"));
+    }
+}
diff --git a/crates/fetch_tls/src/options.rs b/crates/fetch_tls/src/options.rs
new file mode 100644
index 000000000..e123779ab
--- /dev/null
+++ b/crates/fetch_tls/src/options.rs
@@ -0,0 +1,334 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//! [`TlsOptions`] and its type-state builder [`TlsOptionsBuilder`].
+
+use http::Version;
+
+use crate::backend::BackendError;
+use crate::client_identity::ClientIdentity;
+use crate::{TlsBackend, TlsBackendDefaults};
+
+/// Internal representation of a TLS configuration.
+#[derive(Debug, Clone)]
+#[allow(
+    clippy::allow_attributes,
+    clippy::large_enum_variant,
+    dead_code,
+    reason = "configuration object; variants are consumed by downstream HTTP client crates that materialize TLS backends from TlsOptions"
+)]
+pub(crate) enum TlsOptionsKind {
+    /// No backend selected. Produced by [`TlsOptions::empty`] (and by
+    /// [`TlsOptions::default`] when neither the `rustls` nor `native-tls`
+    /// feature is enabled). Calling [`TlsOptions::build_backend`] on such
+    /// options returns a [`BackendError`].
+    Empty,
+
+    /// Pre-configured TLS backend, used as-is without any modifications.
+    PreConfigured(TlsBackend),
+
+    /// rustls backend.
+    #[cfg(any(feature = "rustls", test))]
+    Rustls(super::rustls::RustlsOptions),
+
+    /// Platform native TLS backend.
+    #[cfg(any(feature = "native-tls", test))]
+    NativeTls(super::native_tls::NativeTlsOptions),
+}
+
+/// TLS configuration for an HTTP client.
+///
+/// Use [`TlsOptions::builder_rustls`] or [`TlsOptions::builder_native_tls`]
+/// to configure a backend from scratch, or convert from a pre-built
+/// [`rustls::ClientConfig`](::rustls::ClientConfig) /
+/// [`native_tls::TlsConnector`](::native_tls::TlsConnector) via
+/// [`From`]/[`Into`] to wrap a backend you have already built.
+///
+/// # Examples
+///
+/// Minimal rustls-backed [`TlsOptions`] using default settings; supply a
+/// [`TlsBackendDefaults::rustls`](crate::TlsBackendDefaults::rustls) when
+/// calling [`TlsOptions::build_backend`] to materialize a backend:
+///
+/// ```rust,no_run
+/// # #[cfg(feature = "rustls")] {
+/// use fetch_tls::TlsOptions;
+///
+/// let tls = TlsOptions::builder_rustls().build();
+/// # }
+/// ```
+///
+/// Minimal native-tls-backed [`TlsOptions`] using default settings; no
+/// backend defaults are required to materialize the backend:
+///
+/// ```rust,no_run
+/// # #[cfg(feature = "native-tls")] {
+/// use fetch_tls::TlsOptions;
+///
+/// let tls = TlsOptions::builder_native_tls().build();
+/// # }
+/// ```
+#[derive(Debug, Clone)]
+#[must_use]
+pub struct TlsOptions {
+    #[allow(
+        clippy::allow_attributes,
+        dead_code,
+        reason = "consumed by downstream HTTP client crates that materialize a TlsBackend from TlsOptions"
+    )]
+    pub(crate) inner: TlsOptionsKind,
+    pub(crate) shared: SharedOptions,
+}
+
+#[derive(Debug, Clone)]
+pub(crate) struct SharedOptions {
+    pub(crate) supported_http_versions: Vec<Version>,
+    pub(crate) client_identity: Option<ClientIdentity>,
+}
+
+impl Default for SharedOptions {
+    fn default() -> Self {
+        Self {
+            supported_http_versions: vec![Version::HTTP_11, Version::HTTP_2],
+            client_identity: None,
+        }
+    }
+}
+
+impl TlsOptions {
+    /// HTTP versions the caller intends to negotiate. Backends use this list
+    /// to compute the `ALPN` protocols offered during the TLS handshake.
+    #[must_use]
+    pub fn supported_http_versions(&self) -> &[Version] {
+        &self.shared.supported_http_versions
+    }
+
+    /// Creates an empty [`TlsOptions`] with no backend selected.
+    ///
+    /// [`TlsOptions::build_backend`] returns a [`BackendError`]. Used by
+    /// [`TlsOptions::default`] when neither TLS feature is enabled.
+    #[cfg(any(test, not(any(feature = "rustls", feature = "native-tls"))))]
+    fn empty() -> Self {
+        Self {
+            inner: TlsOptionsKind::Empty,
+            shared: SharedOptions::default(),
+        }
+    }
+
+    /// Materializes these options into a [`TlsBackend`] using `defaults`.
+    ///
+    /// - rustls — requires [`TlsBackendDefaults::rustls`]; values configured
+    ///   on the builder take precedence over those in `defaults`.
+    /// - native-tls — `defaults` is ignored.
+    /// - pre-configured — the wrapped backend is returned unchanged.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`BackendError`] if no backend is selected, if required
+    /// rustls defaults are missing, or if backend construction fails (for
+    /// example, invalid client identity material).
+    pub fn build_backend(self, defaults: &TlsBackendDefaults) -> Result<TlsBackend, BackendError> {
+        let _ = defaults;
+        match self.inner {
+            TlsOptionsKind::Empty => Err(BackendError::caused_by(
+                "no TLS backend is configured; enable the `rustls` or `native-tls` feature, or construct TlsOptions via one of its builders",
+            )),
+            TlsOptionsKind::PreConfigured(backend) => Ok(backend),
+            #[cfg(any(feature = "rustls", test))]
+            TlsOptionsKind::Rustls(rustls_backend) => {
+                let config = rustls_backend.build(defaults.rustls.as_ref(), &self.shared)?;
+                Ok(TlsBackend::Rustls(std::sync::Arc::new(config)))
+            }
+            #[cfg(any(feature = "native-tls", test))]
+            TlsOptionsKind::NativeTls(native_backend) => {
+                let connector = native_backend.build(&self.shared)?;
+                Ok(TlsBackend::NativeTls(connector))
+            }
+        }
+    }
+}
+
+/// Picks a default TLS backend from enabled features:
+/// `rustls` if available, else `native-tls`, else [`TlsOptions::empty`].
+impl Default for TlsOptions {
+    fn default() -> Self {
+        #[cfg(feature = "rustls")]
+        {
+            Self::builder_rustls().build()
+        }
+        #[cfg(all(feature = "native-tls", not(feature = "rustls")))]
+        {
+            Self::builder_native_tls().build()
+        }
+        #[cfg(not(any(feature = "native-tls", feature = "rustls")))]
+        {
+            Self::empty()
+        }
+    }
+}
+
+/// Type-state builder for [`TlsOptions`], parameterized by backend.
+///
+/// `B` selects the backend: [`RustlsOptions`](super::RustlsOptions) (rustls)
+/// or [`NativeTlsOptions`](super::NativeTlsOptions) (platform native).
+/// Obtain via [`TlsOptions::builder_rustls`] or
+/// [`TlsOptions::builder_native_tls`], then call `.build()`.
+#[derive(Debug, Clone)]
+#[must_use]
+pub struct TlsOptionsBuilder<B> {
+    #[allow(
+        clippy::allow_attributes,
+        dead_code,
+        reason = "Read by feature-gated backend impls (rustls/native-tls); unused when neither feature is enabled."
+    )]
+    pub(crate) backend: B,
+    pub(crate) shared: SharedOptions,
+}
+
+impl<B> TlsOptionsBuilder<B> {
+    /// Sets the HTTP versions the client intends to negotiate.
+    ///
+    /// Backends derive the advertised `ALPN` protocols from this list.
+    pub fn supported_http_versions(mut self, versions: &[Version]) -> Self {
+        self.shared.supported_http_versions = versions.to_vec();
+        self
+    }
+
+    /// Sets the client identity for mutual TLS (`mTLS`) authentication.
+    ///
+    /// The same identity works for either backend; backend-specific
+    /// conversion happens in [`TlsOptions::build_backend`]. The native-tls
+    /// backend requires the private key to be `PKCS#8`.
+    pub fn client_identity(mut self, identity: ClientIdentity) -> Self {
+        self.shared.client_identity = Some(identity);
+        self
+    }
+}
+
+#[cfg(test)]
+#[cfg_attr(coverage_nightly, coverage(off))]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn default_supported_http_versions_is_http1_and_http2() {
+        let shared = SharedOptions::default();
+        assert_eq!(shared.supported_http_versions, vec![Version::HTTP_11, Version::HTTP_2]);
+    }
+
+    #[test]
+    fn empty_constructs_empty_variant() {
+        let tls = TlsOptions::empty();
+        assert!(matches!(tls.inner, TlsOptionsKind::Empty));
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn empty_build_backend_returns_error() {
+        let defaults = TlsBackendDefaults::new();
+
+        let err = TlsOptions::empty().build_backend(&defaults).unwrap_err();
+        let msg = format!("{err}");
+        assert!(msg.contains("no TLS backend"), "unexpected error: {msg}");
+    }
+
+    #[cfg(feature = "rustls")]
+    #[test]
+    fn default_selects_rustls_when_feature_enabled() {
+        let tls = TlsOptions::default();
+        assert!(matches!(tls.inner, TlsOptionsKind::Rustls(_)));
+    }
+
+    #[cfg(all(feature = "native-tls", not(feature = "rustls")))]
+    #[test]
+    fn default_selects_native_tls_when_only_native_tls_enabled() {
+        let tls = TlsOptions::default();
+        assert!(matches!(tls.inner, TlsOptionsKind::NativeTls(_)));
+    }
+
+    #[cfg(not(any(feature = "rustls", feature = "native-tls")))]
+    #[test]
+    fn default_is_empty_when_no_features_enabled() {
+        let tls = TlsOptions::default();
+        assert!(matches!(tls.inner, TlsOptionsKind::Empty));
+    }
+
+    #[cfg(feature = "rustls")]
+    #[test]
+    fn supported_http_versions_round_trips() {
+        let tls = TlsOptions::builder_rustls()
+            .supported_http_versions(&[Version::HTTP_11, Version::HTTP_2])
+            .build();
+        assert_eq!(tls.supported_http_versions(), &[Version::HTTP_11, Version::HTTP_2]);
+    }
+
+    #[cfg(feature = "rustls")]
+    mod build_backend_rustls {
+        use std::sync::Arc;
+
+        use super::*;
+        use crate::testing::AcceptAllServerCertVerifier as AcceptAll;
+
+        fn defaults() -> TlsBackendDefaults {
+            TlsBackendDefaults::rustls(Arc::new(rustls_symcrypt::default_symcrypt_provider()), Arc::new(AcceptAll))
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn rustls_falls_back_to_default_verifier() {
+            let tls = TlsOptions::builder_rustls().build();
+            let backend = tls.build_backend(&defaults()).unwrap();
+            assert!(matches!(backend, TlsBackend::Rustls(_)));
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn rustls_uses_caller_verifier_when_set() {
+            let tls = TlsOptions::builder_rustls()
+                .server_certificate_verifier(|_| Arc::new(AcceptAll))
+                .build();
+            let backend = tls.build_backend(&defaults()).unwrap();
+            assert!(matches!(backend, TlsBackend::Rustls(_)));
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn rustls_without_defaults_returns_error() {
+            let tls = TlsOptions::builder_rustls().build();
+            let err = tls.build_backend(&TlsBackendDefaults::new()).unwrap_err();
+            let msg = format!("{err}");
+            assert!(msg.contains("crypto provider"), "unexpected error: {msg}");
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn preconfigured_passes_backend_through_unchanged() {
+            let config = rustls::ClientConfig::builder_with_provider(Arc::new(rustls_symcrypt::default_symcrypt_provider()))
+                .with_safe_default_protocol_versions()
+                .unwrap()
+                .dangerous()
+                .with_custom_certificate_verifier(Arc::new(AcceptAll))
+                .with_no_client_auth();
+            let tls = TlsOptions::from(config);
+            let backend = tls.build_backend(&defaults()).unwrap();
+            assert!(matches!(backend, TlsBackend::Rustls(_)));
+        }
+    }
+
+    #[cfg(feature = "native-tls")]
+    mod build_backend_native_tls {
+        use super::*;
+
+        fn defaults() -> TlsBackendDefaults {
+            TlsBackendDefaults::new()
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn native_tls_ignores_rustls_defaults() {
+            let tls = TlsOptions::builder_native_tls().build();
+            let backend = tls.build_backend(&defaults()).unwrap();
+            assert!(matches!(backend, TlsBackend::NativeTls(_)));
+        }
+    }
+}
diff --git a/crates/fetch_tls/src/rustls.rs b/crates/fetch_tls/src/rustls.rs
new file mode 100644
index 000000000..ef2d76555
--- /dev/null
+++ b/crates/fetch_tls/src/rustls.rs
@@ -0,0 +1,393 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//! Rustls backend configuration and builder integration.
+
+use std::sync::Arc;
+
+use rustls::ClientConfig;
+use rustls::client::ResolvesClientCert;
+use rustls::client::danger::ServerCertVerifier;
+use rustls::crypto::CryptoProvider;
+
+use crate::backend::BackendError;
+use crate::options::{SharedOptions, TlsOptions, TlsOptionsBuilder, TlsOptionsKind};
+
+/// Factory that builds a [`ServerCertVerifier`] from the negotiated
+/// [`CryptoProvider`].
+///
+/// Verifiers commonly need the same crypto provider as the rest of the TLS
+/// stack (for example, to share signature-verification algorithms), so the
+/// builder defers construction until the provider is known.
+pub type ServerCertVerifierFactory = dyn Fn(Arc<CryptoProvider>) -> Arc<dyn ServerCertVerifier> + Send + Sync;
+
+/// Rustls TLS backend configuration.
+#[derive(Clone)]
+pub struct RustlsOptions {
+    pub(crate) crypto_provider: Option<Arc<CryptoProvider>>,
+    pub(crate) verifier_factory: Option<Arc<ServerCertVerifierFactory>>,
+    pub(crate) client_identity_resolver: Option<Arc<dyn ResolvesClientCert>>,
+}
+
+impl std::fmt::Debug for RustlsOptions {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        // `dyn ServerCertVerifier` and `dyn ResolvesClientCert` do not
+        // implement `Debug`; render only presence so we don't have to require
+        // Debug on opaque user-supplied types.
+        f.debug_struct("RustlsOptions")
+            .field("crypto_provider", &self.crypto_provider.as_ref().map(|_| "<custom CryptoProvider>"))
+            .field(
+                "verifier_factory",
+                &self.verifier_factory.as_ref().map(|_| "<custom verifier factory>"),
+            )
+            .field(
+                "client_identity_resolver",
+                &self.client_identity_resolver.as_ref().map(|_| "<custom resolver>"),
+            )
+            .finish()
+    }
+}
+
+impl RustlsOptions {
+    pub(crate) fn new() -> Self {
+        Self {
+            crypto_provider: None,
+            verifier_factory: None,
+            client_identity_resolver: None,
+        }
+    }
+
+    /// Materializes this configuration into a [`rustls::ClientConfig`].
+    pub(crate) fn build(
+        self,
+        defaults: Option<&crate::backend::RustlsDefaults>,
+        shared: &SharedOptions,
+    ) -> Result<ClientConfig, BackendError> {
+        let crypto_provider = self
+            .crypto_provider
+            .or_else(|| defaults.map(|d| Arc::clone(&d.crypto_provider)))
+            .ok_or_else(|| {
+                BackendError::caused_by(
+                    "rustls crypto provider not supplied; set it via TlsOptionsBuilder::crypto_provider or TlsBackendDefaults::rustls(...)",
+                )
+            })?;
+        let verifier = match self.verifier_factory {
+            Some(factory) => factory(Arc::clone(&crypto_provider)),
+            None => defaults.map(|d| Arc::clone(&d.verifier)).ok_or_else(|| {
+                BackendError::caused_by(
+                    "rustls server certificate verifier not supplied; set it via TlsOptionsBuilder::server_certificate_verifier or TlsBackendDefaults::rustls(...)",
+                )
+            })?,
+        };
+
+        let builder = ClientConfig::builder_with_provider(crypto_provider)
+            .with_safe_default_protocol_versions()
+            .map_err(BackendError::caused_by)?
+            .dangerous()
+            .with_custom_certificate_verifier(verifier);
+
+        match (self.client_identity_resolver, shared.client_identity.as_ref()) {
+            (Some(resolver), _) => Ok(builder.with_client_cert_resolver(resolver)),
+            (None, Some(identity)) => builder
+                .with_client_auth_cert(identity.cert_chain().to_vec(), identity.private_key().clone_key())
+                .map_err(BackendError::caused_by),
+            (None, None) => Ok(builder.with_no_client_auth()),
+        }
+    }
+}
+
+impl TlsOptions {
+    /// Creates a builder for the rustls backend.
+    pub fn builder_rustls() -> TlsOptionsBuilder<RustlsOptions> {
+        TlsOptionsBuilder {
+            backend: RustlsOptions::new(),
+            shared: SharedOptions::default(),
+        }
+    }
+}
+
+/// Wraps a pre-built [`rustls::ClientConfig`] as [`TlsOptions`].
+impl From<ClientConfig> for TlsOptions {
+    fn from(config: ClientConfig) -> Self {
+        Self {
+            inner: TlsOptionsKind::PreConfigured(config.into()),
+            shared: SharedOptions::default(),
+        }
+    }
+}
+
+/// Wraps a pre-built `Arc<rustls::ClientConfig>` as [`TlsOptions`], avoiding
+/// a clone when the config is shared across clients.
+impl From<Arc<ClientConfig>> for TlsOptions {
+    fn from(config: Arc<ClientConfig>) -> Self {
+        Self {
+            inner: TlsOptionsKind::PreConfigured(config.into()),
+            shared: SharedOptions::default(),
+        }
+    }
+}
+
+impl TlsOptionsBuilder<RustlsOptions> {
+    /// Sets the rustls [`CryptoProvider`](rustls::crypto::CryptoProvider).
+    ///
+    /// Overrides the provider supplied by
+    /// [`TlsBackendDefaults::rustls`](crate::TlsBackendDefaults::rustls).
+    /// If neither source supplies one, [`TlsOptions::build_backend`] returns
+    /// a [`BackendError`](crate::BackendError).
+    pub fn crypto_provider(mut self, crypto_provider: Arc<rustls::crypto::CryptoProvider>) -> Self {
+        self.backend.crypto_provider = Some(crypto_provider);
+        self
+    }
+
+    /// Sets a factory that builds the server certificate verifier from the
+    /// negotiated [`CryptoProvider`].
+    ///
+    /// The factory is invoked during [`TlsOptions::build_backend`] with the
+    /// provider resolved from this builder or
+    /// [`TlsBackendDefaults::rustls`](crate::TlsBackendDefaults::rustls).
+    /// Callers that don't need the provider can simply ignore the argument
+    /// and return a pre-built verifier (for example, `|_| Arc::new(MyVerifier)`).
+    ///
+    /// Overrides the verifier supplied by
+    /// [`TlsBackendDefaults::rustls`](crate::TlsBackendDefaults::rustls).
+    /// If neither source supplies one, [`TlsOptions::build_backend`] returns
+    /// a [`BackendError`](crate::BackendError).
+    pub fn server_certificate_verifier<F>(mut self, factory: F) -> Self
+    where
+        F: Fn(Arc<CryptoProvider>) -> Arc<dyn ServerCertVerifier> + Send + Sync + 'static,
+    {
+        self.backend.verifier_factory = Some(Arc::new(factory));
+        self
+    }
+
+    /// Sets a [`ResolvesClientCert`] for mutual TLS authentication.
+    ///
+    /// Use this when the private key lives behind an external signing oracle
+    /// (`HSM`, secure enclave, etc.) instead of in memory. Takes precedence
+    /// over [`TlsOptionsBuilder::client_identity`](crate::TlsOptionsBuilder::client_identity).
+    pub fn client_identity_resolver(mut self, resolver: Arc<dyn ResolvesClientCert>) -> Self {
+        self.backend.client_identity_resolver = Some(resolver);
+        self
+    }
+
+    /// Builds the final [`TlsOptions`] with the rustls backend.
+    pub fn build(self) -> TlsOptions {
+        TlsOptions {
+            inner: TlsOptionsKind::Rustls(self.backend),
+            shared: self.shared,
+        }
+    }
+}
+
+#[cfg(test)]
+#[cfg_attr(coverage_nightly, coverage(off))]
+mod tests {
+    use super::*;
+    use crate::backend::RustlsDefaults;
+    use crate::client_identity::ClientIdentity;
+    use crate::testing::{AcceptAllServerCertVerifier as AcceptAll, NoClientCertResolver as StubResolver};
+
+    fn provider() -> Arc<rustls::crypto::CryptoProvider> {
+        Arc::new(rustls_symcrypt::default_symcrypt_provider())
+    }
+
+    fn defaults() -> RustlsDefaults {
+        RustlsDefaults {
+            crypto_provider: provider(),
+            verifier: Arc::new(AcceptAll),
+        }
+    }
+
+    fn shared_with(identity: Option<ClientIdentity>) -> SharedOptions {
+        SharedOptions {
+            client_identity: identity,
+            ..SharedOptions::default()
+        }
+    }
+
+    #[test]
+    fn new_defaults_to_none() {
+        let rustls = RustlsOptions::new();
+        assert!(rustls.crypto_provider.is_none());
+        assert!(rustls.verifier_factory.is_none());
+        assert!(rustls.client_identity_resolver.is_none());
+    }
+
+    #[test]
+    fn builder_rustls_returns_rustls_backend() {
+        let builder = TlsOptions::builder_rustls();
+        assert!(builder.backend.crypto_provider.is_none());
+        assert!(builder.backend.verifier_factory.is_none());
+        assert!(builder.backend.client_identity_resolver.is_none());
+    }
+
+    #[test]
+    fn server_certificate_verifier_stores_verifier() {
+        let builder = TlsOptions::builder_rustls().server_certificate_verifier(|_| Arc::new(AcceptAll));
+        assert!(builder.backend.verifier_factory.is_some());
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn server_certificate_verifier_factory_receives_provider() {
+        use std::sync::atomic::{AtomicBool, Ordering};
+
+        static CALLED: AtomicBool = AtomicBool::new(false);
+        let rustls_backend = RustlsOptions {
+            crypto_provider: Some(provider()),
+            verifier_factory: Some(Arc::new(|_provider| {
+                CALLED.store(true, Ordering::SeqCst);
+                Arc::new(AcceptAll)
+            })),
+            client_identity_resolver: None,
+        };
+        rustls_backend.build(None, &shared_with(None)).unwrap();
+        assert!(CALLED.load(Ordering::SeqCst));
+    }
+
+    #[test]
+    fn crypto_provider_stores_provider() {
+        let builder = TlsOptions::builder_rustls().crypto_provider(provider());
+        assert!(builder.backend.crypto_provider.is_some());
+    }
+
+    #[test]
+    fn client_identity_sets_identity_in_shared() {
+        let identity = ClientIdentity::from_der(vec![vec![0x30u8, 0x00]], vec![0x30u8, 0x00]);
+        let builder = TlsOptions::builder_rustls().client_identity(identity);
+        assert!(builder.shared.client_identity.is_some());
+    }
+
+    #[test]
+    fn rustls_build_produces_tls_options() {
+        let tls = TlsOptions::builder_rustls().build();
+        assert!(matches!(tls.inner, TlsOptionsKind::Rustls(_)));
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)] // `rustls-symcrypt` FFI does not run under Miri
+    fn build_produces_client_config_without_identity() {
+        let _config = TlsOptions::builder_rustls()
+            .server_certificate_verifier(|_| Arc::new(AcceptAll))
+            .build();
+        // Re-build the underlying backend (since `.build()` consumed it) to
+        // also exercise the path that produces `rustls::ClientConfig`.
+        let rustls_backend = RustlsOptions {
+            crypto_provider: None,
+            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            client_identity_resolver: None,
+        };
+        rustls_backend.build(Some(&defaults()), &shared_with(None)).unwrap();
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn build_returns_error_on_invalid_client_identity() {
+        let identity = ClientIdentity::from_der(vec![vec![0x30u8, 0x00]], vec![0x30u8, 0x00]);
+        let rustls_backend = RustlsOptions {
+            crypto_provider: None,
+            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            client_identity_resolver: None,
+        };
+        let err = rustls_backend.build(Some(&defaults()), &shared_with(Some(identity))).unwrap_err();
+        // Surface a debug-format check so we know the underlying rustls error is wrapped.
+        let msg = format!("{err}");
+        assert!(!msg.is_empty());
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn build_falls_back_to_default_verifier() {
+        RustlsOptions::new().build(Some(&defaults()), &shared_with(None)).unwrap();
+    }
+
+    #[test]
+    fn build_without_crypto_provider_returns_error() {
+        let err = RustlsOptions::new().build(None, &shared_with(None)).unwrap_err();
+        let msg = format!("{err}");
+        assert!(msg.contains("crypto provider"), "unexpected error: {msg}");
+    }
+
+    #[test]
+    fn build_without_verifier_returns_error() {
+        // Crypto provider supplied via builder, but no verifier source.
+        let rustls_backend = RustlsOptions {
+            crypto_provider: Some(provider()),
+            verifier_factory: None,
+            client_identity_resolver: None,
+        };
+        let err = rustls_backend.build(None, &shared_with(None)).unwrap_err();
+        let msg = format!("{err}");
+        assert!(msg.contains("server certificate verifier"), "unexpected error: {msg}");
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn build_uses_builder_crypto_provider_without_defaults() {
+        let rustls_backend = RustlsOptions {
+            crypto_provider: Some(provider()),
+            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            client_identity_resolver: None,
+        };
+        rustls_backend.build(None, &shared_with(None)).unwrap();
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn tls_options_from_client_config_wraps_as_preconfigured() {
+        let config = rustls::ClientConfig::builder_with_provider(provider())
+            .with_safe_default_protocol_versions()
+            .unwrap()
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(AcceptAll))
+            .with_no_client_auth();
+        let tls = TlsOptions::from(config);
+        assert!(matches!(tls.inner, TlsOptionsKind::PreConfigured(_)));
+    }
+
+    #[test]
+    fn debug_renders_without_panic() {
+        let rustls = RustlsOptions {
+            crypto_provider: Some(provider()),
+            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            client_identity_resolver: Some(Arc::new(StubResolver)),
+        };
+        let s = format!("{rustls:?}");
+        assert!(s.contains("RustlsOptions"));
+        assert!(s.contains("<custom CryptoProvider>"));
+        assert!(s.contains("<custom verifier factory>"));
+        assert!(s.contains("<custom resolver>"));
+    }
+
+    #[test]
+    fn client_identity_resolver_stores_resolver() {
+        let builder = TlsOptions::builder_rustls().client_identity_resolver(Arc::new(StubResolver));
+        assert!(builder.backend.client_identity_resolver.is_some());
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn build_uses_resolver_for_client_auth() {
+        let rustls_backend = RustlsOptions {
+            crypto_provider: None,
+            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            client_identity_resolver: Some(Arc::new(StubResolver)),
+        };
+        rustls_backend.build(Some(&defaults()), &shared_with(None)).unwrap();
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn build_resolver_takes_precedence_over_identity() {
+        // Identity bytes are intentionally invalid; if precedence is wrong,
+        // build would error trying to parse them. The resolver path skips
+        // identity parsing entirely.
+        let identity = ClientIdentity::from_der(vec![vec![0x30u8, 0x00]], vec![0x30u8, 0x00]);
+        let rustls_backend = RustlsOptions {
+            crypto_provider: None,
+            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            client_identity_resolver: Some(Arc::new(StubResolver)),
+        };
+        rustls_backend.build(Some(&defaults()), &shared_with(Some(identity))).unwrap();
+    }
+}
diff --git a/crates/fetch_tls/src/testing.rs b/crates/fetch_tls/src/testing.rs
new file mode 100644
index 000000000..629aed7dd
--- /dev/null
+++ b/crates/fetch_tls/src/testing.rs
@@ -0,0 +1,80 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//! Test helpers for downstream crates and `fetch_tls`'s own tests.
+//!
+//! Available when the `test-util` Cargo feature is enabled, or when the
+//! crate is compiled with `cfg(test)`. These helpers are **not** intended
+//! for use in production code paths — they accept any certificate and
+//! never present a client certificate.
+
+use std::sync::Arc;
+
+use rustls::client::ResolvesClientCert;
+use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
+use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
+use rustls::sign::CertifiedKey;
+use rustls::{DigitallySignedStruct, SignatureScheme};
+
+/// [`ServerCertVerifier`] that accepts every server certificate.
+///
+/// Intended for tests that exercise TLS configuration plumbing without
+/// caring about certificate validity. Never use in production.
+#[derive(Debug, Default)]
+pub struct AcceptAllServerCertVerifier;
+
+impl ServerCertVerifier for AcceptAllServerCertVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: UnixTime,
+    ) -> Result<ServerCertVerified, rustls::Error> {
+        Ok(ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+        vec![
+            SignatureScheme::RSA_PKCS1_SHA256,
+            SignatureScheme::ECDSA_NISTP256_SHA256,
+            SignatureScheme::ED25519,
+        ]
+    }
+}
+
+/// [`ResolvesClientCert`] that never produces a client certificate.
+///
+/// Useful for verifying plumbing of a `ResolvesClientCert` through
+/// [`crate::RustlsOptions`] without requiring a real key.
+#[derive(Debug, Default)]
+pub struct NoClientCertResolver;
+
+impl ResolvesClientCert for NoClientCertResolver {
+    fn resolve(&self, _root_hint_subjects: &[&[u8]], _sigschemes: &[SignatureScheme]) -> Option<Arc<CertifiedKey>> {
+        None
+    }
+
+    fn has_certs(&self) -> bool {
+        false
+    }
+}

From 174639587d2ed9e5934476bfe35fd7b27e04501a Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Sat, 23 May 2026 17:18:33 +0200
Subject: [PATCH 02/30] fixes

---
 Cargo.lock                  | 121 ++++++++++++++++++++++++++++++++----
 crates/fetch_tls/Cargo.toml |   6 +-
 2 files changed, 113 insertions(+), 14 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index f54f1c578..005f07e6a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -270,12 +270,24 @@ dependencies = [
  "fs_extra",
 ]
 
+[[package]]
+name = "base16ct"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd307490d624467aa6f74b0eabb77633d1f758a7b25f12bceb0b22e08d9726f6"
+
 [[package]]
 name = "base64"
 version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 
+[[package]]
+name = "base64ct"
+version = "1.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
+
 [[package]]
 name = "bincode"
 version = "1.3.3"
@@ -889,6 +901,26 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "092966b41edc516079bdf31ec78a2e0588d1d0c08f78b91d8307215928642b2b"
 
+[[package]]
+name = "der"
+version = "0.7.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
+dependencies = [
+ "const-oid 0.9.6",
+ "zeroize",
+]
+
+[[package]]
+name = "der"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "71fd89660b2dc699704064e59e9dba0147b903e85319429e131620d022be411b"
+dependencies = [
+ "const-oid 0.10.2",
+ "zeroize",
+]
+
 [[package]]
 name = "deranged"
 version = "0.5.8"
@@ -1084,6 +1116,20 @@ dependencies = [
  "wiremock",
 ]
 
+[[package]]
+name = "fetch_tls"
+version = "0.1.0"
+dependencies = [
+ "base64",
+ "http",
+ "mutants",
+ "native-tls",
+ "ohno 0.3.2",
+ "rustls",
+ "rustls-pki-types",
+ "rustls-symcrypt",
+]
+
 [[package]]
 name = "find-msvc-tools"
 version = "0.1.9"
@@ -2442,6 +2488,27 @@ dependencies = [
  "futures-io",
 ]
 
+[[package]]
+name = "pkcs1"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
+dependencies = [
+ "der 0.7.10",
+ "pkcs8",
+ "spki",
+]
+
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der 0.7.10",
+ "spki",
+]
+
 [[package]]
 name = "pkg-config"
 version = "0.3.33"
@@ -2829,6 +2896,21 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "rustls-symcrypt"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51a60ef37ac1952a7805f074aa129b63a29332f2292cb9e33af396eb22dc44bf"
+dependencies = [
+ "der 0.8.0",
+ "pkcs1",
+ "pkcs8",
+ "rustls",
+ "rustls-pki-types",
+ "sec1",
+ "symcrypt",
+]
+
 [[package]]
 name = "rustls-webpki"
 version = "0.103.13"
@@ -2910,18 +2992,15 @@ dependencies = [
 ]
 
 [[package]]
-name = "seatbelt_http"
-version = "0.2.1"
+name = "sec1"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d56d437c2f19203ce5f7122e507831de96f3d2d4d3be5af44a0b0a09d8a80e4d"
 dependencies = [
- "futures",
- "http",
- "http_extensions",
- "layered",
- "mutants",
- "ohno 0.3.2",
- "seatbelt",
- "templated_uri",
- "tick",
+ "base16ct",
+ "der 0.8.0",
+ "hybrid-array",
+ "zeroize",
 ]
 
 [[package]]
@@ -3125,6 +3204,26 @@ version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
+[[package]]
+name = "symcrypt"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45f6e93e13900bae533f1f347c82d2fcf9d7ad7fffd7e58bc9fbd1b68575ca1c"
+dependencies = [
+ "lazy_static",
+ "libc",
+ "symcrypt-sys",
+]
+
+[[package]]
+name = "symcrypt-sys"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0878df9feb068709a68ccdb5cc3201649201e79e823566863f6ca4db4b9201aa"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "syn"
 version = "2.0.117"
diff --git a/crates/fetch_tls/Cargo.toml b/crates/fetch_tls/Cargo.toml
index a244fc0a9..573670612 100644
--- a/crates/fetch_tls/Cargo.toml
+++ b/crates/fetch_tls/Cargo.toml
@@ -29,8 +29,9 @@ native-tls = ["dep:native-tls"]
 ohno = { workspace = true }
 
 # external
-http = { workspace = true }
 base64 = { workspace = true }
+http = { workspace = true }
+native-tls = { workspace = true, optional = true, features = ["alpn"] }
 # Disabling aws-lc by default; rustls-symcrypt is the intended crypto provider.
 rustls = { workspace = true, features = [
     "tls12",
@@ -38,15 +39,14 @@ rustls = { workspace = true, features = [
 ], default-features = false, optional = true }
 rustls-pki-types = { workspace = true, features = ["alloc", "std"] }
 rustls-symcrypt = { workspace = true, optional = true }
-native-tls = { workspace = true, optional = true, features = ["alpn"] }
 
 [dev-dependencies]
 mutants = { workspace = true }
+native-tls = { workspace = true, features = ["alpn"] }
 # Test code unconditionally references both backends; pull them in as
 # dev-dependencies so `cargo test` works with no features enabled.
 rustls = { workspace = true, features = ["tls12", "std"], default-features = false }
 rustls-symcrypt = { workspace = true }
-native-tls = { workspace = true, features = ["alpn"] }
 
 [lints]
 workspace = true

From 04aea9465179bc6be1e383dd7d337f5f53d149bd Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 10:10:34 +0200
Subject: [PATCH 03/30] cleanup and improvements

---
 Cargo.lock                      | 138 ----------------------
 crates/fetch_tls/Cargo.toml     |   9 +-
 crates/fetch_tls/README.md      |  10 +-
 crates/fetch_tls/src/backend.rs |  79 +++++++++++--
 crates/fetch_tls/src/lib.rs     |   6 +-
 crates/fetch_tls/src/options.rs | 203 +++++++++++++++++++-------------
 crates/fetch_tls/src/rustls.rs  |  16 +--
 7 files changed, 211 insertions(+), 250 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 005f07e6a..72f11ccbd 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -270,24 +270,12 @@ dependencies = [
  "fs_extra",
 ]
 
-[[package]]
-name = "base16ct"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd307490d624467aa6f74b0eabb77633d1f758a7b25f12bceb0b22e08d9726f6"
-
 [[package]]
 name = "base64"
 version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 
-[[package]]
-name = "base64ct"
-version = "1.8.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
-
 [[package]]
 name = "bincode"
 version = "1.3.3"
@@ -688,18 +676,6 @@ dependencies = [
  "crossbeam-utils",
 ]
 
-[[package]]
-name = "const-oid"
-version = "0.9.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
-
-[[package]]
-name = "const-oid"
-version = "0.10.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6ef517f0926dd24a1582492c791b6a4818a4d94e789a334894aa15b0d12f55c"
-
 [[package]]
 name = "convert_case"
 version = "0.10.0"
@@ -901,26 +877,6 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "092966b41edc516079bdf31ec78a2e0588d1d0c08f78b91d8307215928642b2b"
 
-[[package]]
-name = "der"
-version = "0.7.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
-dependencies = [
- "const-oid 0.9.6",
- "zeroize",
-]
-
-[[package]]
-name = "der"
-version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "71fd89660b2dc699704064e59e9dba0147b903e85319429e131620d022be411b"
-dependencies = [
- "const-oid 0.10.2",
- "zeroize",
-]
-
 [[package]]
 name = "deranged"
 version = "0.5.8"
@@ -1127,7 +1083,6 @@ dependencies = [
  "ohno 0.3.2",
  "rustls",
  "rustls-pki-types",
- "rustls-symcrypt",
 ]
 
 [[package]]
@@ -1583,15 +1538,6 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
-[[package]]
-name = "hybrid-array"
-version = "0.4.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9155a582abd142abc056962c29e3ce5ff2ad5469f4246b537ed42c5deba857da"
-dependencies = [
- "typenum",
-]
-
 [[package]]
 name = "hyper"
 version = "1.9.0"
@@ -2488,27 +2434,6 @@ dependencies = [
  "futures-io",
 ]
 
-[[package]]
-name = "pkcs1"
-version = "0.7.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
-dependencies = [
- "der 0.7.10",
- "pkcs8",
- "spki",
-]
-
-[[package]]
-name = "pkcs8"
-version = "0.10.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
-dependencies = [
- "der 0.7.10",
- "spki",
-]
-
 [[package]]
 name = "pkg-config"
 version = "0.3.33"
@@ -2896,21 +2821,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "rustls-symcrypt"
-version = "0.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51a60ef37ac1952a7805f074aa129b63a29332f2292cb9e33af396eb22dc44bf"
-dependencies = [
- "der 0.8.0",
- "pkcs1",
- "pkcs8",
- "rustls",
- "rustls-pki-types",
- "sec1",
- "symcrypt",
-]
-
 [[package]]
 name = "rustls-webpki"
 version = "0.103.13"
@@ -2991,18 +2901,6 @@ dependencies = [
  "tracing-subscriber",
 ]
 
-[[package]]
-name = "sec1"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d56d437c2f19203ce5f7122e507831de96f3d2d4d3be5af44a0b0a09d8a80e4d"
-dependencies = [
- "base16ct",
- "der 0.8.0",
- "hybrid-array",
- "zeroize",
-]
-
 [[package]]
 name = "security-framework"
 version = "3.7.0"
@@ -3176,16 +3074,6 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "spki"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
-dependencies = [
- "base64ct",
- "der 0.7.10",
-]
-
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.1"
@@ -3204,26 +3092,6 @@ version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
-[[package]]
-name = "symcrypt"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "45f6e93e13900bae533f1f347c82d2fcf9d7ad7fffd7e58bc9fbd1b68575ca1c"
-dependencies = [
- "lazy_static",
- "libc",
- "symcrypt-sys",
-]
-
-[[package]]
-name = "symcrypt-sys"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0878df9feb068709a68ccdb5cc3201649201e79e823566863f6ca4db4b9201aa"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "syn"
 version = "2.0.117"
@@ -3734,12 +3602,6 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bc7d623258602320d5c55d1bc22793b57daff0ec7efc270ea7d55ce1d5f5471c"
 
-[[package]]
-name = "typenum"
-version = "1.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de"
-
 [[package]]
 name = "unicode-ident"
 version = "1.0.24"
diff --git a/crates/fetch_tls/Cargo.toml b/crates/fetch_tls/Cargo.toml
index 573670612..5fb321b39 100644
--- a/crates/fetch_tls/Cargo.toml
+++ b/crates/fetch_tls/Cargo.toml
@@ -21,7 +21,7 @@ all-features = true
 
 [features]
 default = []
-rustls = ["dep:rustls-symcrypt", "dep:rustls"]
+rustls = ["dep:rustls"]
 native-tls = ["dep:native-tls"]
 
 [dependencies]
@@ -32,21 +32,20 @@ ohno = { workspace = true }
 base64 = { workspace = true }
 http = { workspace = true }
 native-tls = { workspace = true, optional = true, features = ["alpn"] }
-# Disabling aws-lc by default; rustls-symcrypt is the intended crypto provider.
+# No crypto provider feature is enabled here; callers supply one via
+# `TlsBackendDefaults::configure_rustls`. See the crate docs for details.
 rustls = { workspace = true, features = [
     "tls12",
     "std",
 ], default-features = false, optional = true }
 rustls-pki-types = { workspace = true, features = ["alloc", "std"] }
-rustls-symcrypt = { workspace = true, optional = true }
 
 [dev-dependencies]
 mutants = { workspace = true }
 native-tls = { workspace = true, features = ["alpn"] }
 # Test code unconditionally references both backends; pull them in as
 # dev-dependencies so `cargo test` works with no features enabled.
-rustls = { workspace = true, features = ["tls12", "std"], default-features = false }
-rustls-symcrypt = { workspace = true }
+rustls = { workspace = true, features = ["tls12", "std", "aws-lc-rs"], default-features = false }
 
 [lints]
 workspace = true
diff --git a/crates/fetch_tls/README.md b/crates/fetch_tls/README.md
index 5c3aecc05..fb9041131 100644
--- a/crates/fetch_tls/README.md
+++ b/crates/fetch_tls/README.md
@@ -23,8 +23,10 @@ Materialize a [`TlsBackend`][__link5] with [`TlsOptions::build_backend`][__link6
 
 ## Features
 
-* **`rustls`** — pure-Rust [`rustls`][__link7] paired with
-  [`rustls-symcrypt`][__link8] as the crypto provider.
+* **`rustls`** — pure-Rust [`rustls`][__link7]. `fetch_tls` does not
+  bundle a crypto provider; the caller supplies one (along with a
+  server-certificate verifier) via
+  [`TlsBackendDefaults::configure_rustls`][__link8].
 * **`native-tls`** — platform native TLS (`SChannel` on Windows,
   Security Framework on macOS, `OpenSSL` on Linux).
 
@@ -37,7 +39,7 @@ With neither feature enabled, [`TlsOptions::default`][__link9] still constructs
 This crate was developed as part of <a href="../..">The Oxidizer Project</a>. Browse this crate's <a href="https://github.com/microsoft/oxidizer/tree/main/crates/fetch_tls">source code</a>.
 </sub>
 
- [__cargo_doc2readme_dependencies_info]: ggGkYW0CYXSEGy4k8ldDFPOhG2VNeXtD5nnKG6EPY6OfW5wBG8g18NOFNdxpYXKEGz0-gwD02BMqGx-aWk5R-ciAG5SPoepFPbthG4u5TGxqSEiPYWSEgmlmZXRjaF90bHNlMC4xLjCCam5hdGl2ZV90bHNmMC4yLjE4gmZydXN0bHNnMC4yMy40MIJvcnVzdGxzX3N5bWNyeXB0ZTAuMi4z
+ [__cargo_doc2readme_dependencies_info]: ggGkYW0CYXSEGy4k8ldDFPOhG2VNeXtD5nnKG6EPY6OfW5wBG8g18NOFNdxpYXKEG5v6WTZghmSAG4j_vIHk7ZKvG5ohFGVWsHijGw5WtRenFKqdYWSDgmlmZXRjaF90bHNlMC4xLjCCam5hdGl2ZV90bHNmMC4yLjE4gmZydXN0bHNnMC4yMy40MA
  [__link0]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
  [__link1]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::builder_rustls
  [__link10]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::build_backend
@@ -48,5 +50,5 @@ This crate was developed as part of <a href="../..">The Oxidizer Project</a>. Br
  [__link5]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsBackend
  [__link6]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::build_backend
  [__link7]: https://crates.io/crates/rustls/0.23.40
- [__link8]: https://crates.io/crates/rustls_symcrypt/0.2.3
+ [__link8]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsBackendDefaults::configure_rustls
  [__link9]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::default
diff --git a/crates/fetch_tls/src/backend.rs b/crates/fetch_tls/src/backend.rs
index 62fc0ec51..35165c29a 100644
--- a/crates/fetch_tls/src/backend.rs
+++ b/crates/fetch_tls/src/backend.rs
@@ -38,17 +38,28 @@ pub enum TlsBackend {
 /// Environment-supplied defaults for materializing a [`TlsBackend`].
 ///
 /// Lets HTTP client crates own platform / policy choices (such as which
-/// crypto provider or root store to use) without baking them into
-/// `fetch_tls`. Each backend that needs environment state has its own
-/// constructor; native-tls and pre-configured backends ignore defaults.
+/// crypto provider, root store, or default backend to use) without baking
+/// them into `fetch_tls`. Each backend that needs environment state has its
+/// own setter; native-tls and pre-configured backends do not consult
+/// these defaults.
+///
+/// In addition to backend-specific defaults, `TlsBackendDefaults` carries
+/// the *default backend selection* used by [`TlsOptions::default`] (and
+/// any other [`TlsOptions`](super::TlsOptions) that did not pin a backend).
+/// Use [`TlsBackendDefaults::defaults_to_rustls`] or
+/// [`TlsBackendDefaults::defaults_to_native_tls`] to set it explicitly;
+/// [`TlsBackendDefaults::configure_rustls`] implicitly sets it to rustls if
+/// not already chosen.
 ///
 /// Use [`TlsBackendDefaults::new`] when no backend-specific state is
 /// required. Building a rustls backend without
-/// [`TlsBackendDefaults::rustls`] returns a [`BackendError`].
+/// [`TlsBackendDefaults::configure_rustls`] returns a [`BackendError`].
 #[derive(Clone, Default)]
 pub struct TlsBackendDefaults {
     #[cfg(any(feature = "rustls", test))]
     pub(crate) rustls: Option<RustlsDefaults>,
+
+    pub(crate) default: DefaultBackend,
 }
 
 /// Environment-supplied defaults specific to the rustls backend.
@@ -69,20 +80,54 @@ impl TlsBackendDefaults {
         Self::default()
     }
 
-    /// Supplies the rustls crypto provider and a fallback server certificate verifier.
+    /// Configures the rustls crypto provider and a fallback server certificate verifier.
     ///
     /// The verifier is used only when the caller did not configure one via
     /// [`TlsOptionsBuilder::server_certificate_verifier`](super::TlsOptionsBuilder::server_certificate_verifier).
+    ///
+    /// If no default backend has been selected yet (i.e. neither
+    /// [`defaults_to_rustls`](Self::defaults_to_rustls) nor
+    /// [`defaults_to_native_tls`](Self::defaults_to_native_tls) was called),
+    /// this also promotes rustls to be the default backend. To override that
+    /// promotion, call [`defaults_to_native_tls`](Self::defaults_to_native_tls)
+    /// afterwards.
     #[cfg(any(feature = "rustls", test))]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls")))]
     #[must_use]
-    pub fn rustls(
+    pub fn configure_rustls(
+        mut self,
         crypto_provider: std::sync::Arc<::rustls::crypto::CryptoProvider>,
         verifier: std::sync::Arc<dyn ::rustls::client::danger::ServerCertVerifier>,
     ) -> Self {
-        Self {
-            rustls: Some(RustlsDefaults { crypto_provider, verifier }),
+        self.rustls = Some(RustlsDefaults { crypto_provider, verifier });
+
+        if matches!(self.default, DefaultBackend::Unselected) {
+            self.default = DefaultBackend::Rustls;
         }
+
+        self
+    }
+
+    /// Sets the default backend used by [`TlsOptions::default`](super::TlsOptions::default)
+    /// to `native-tls`.
+    #[cfg(any(feature = "native-tls", test))]
+    #[must_use]
+    pub fn defaults_to_native_tls(mut self) -> Self {
+        self.default = DefaultBackend::NativeTls;
+        self
+    }
+
+    /// Sets the default backend used by [`TlsOptions::default`](super::TlsOptions::default)
+    /// to `rustls`.
+    ///
+    /// rustls requires defaults to be configured separately via
+    /// [`configure_rustls`](Self::configure_rustls); selecting rustls without
+    /// configuring it makes [`TlsOptions::build_backend`](super::TlsOptions::build_backend)
+    /// fail with a [`BackendError`].
+    #[cfg(any(feature = "rustls", test))]
+    #[must_use]
+    pub fn defaults_to_rustls(mut self) -> Self {
+        self.default = DefaultBackend::Rustls;
+        self
     }
 }
 
@@ -96,6 +141,7 @@ impl std::fmt::Debug for TlsBackendDefaults {
                 &self.rustls.as_ref().map(|_| "<rustls CryptoProvider + ServerCertVerifier>"),
             );
         }
+        s.field("default", &self.default);
         s.finish()
     }
 }
@@ -120,3 +166,18 @@ impl From<::native_tls::TlsConnector> for TlsBackend {
         Self::NativeTls(connector)
     }
 }
+
+/// Default TLS backend selected by [`TlsOptions::default`](super::TlsOptions::default).
+#[derive(Debug, Clone, Default)]
+pub(crate) enum DefaultBackend {
+    /// No default backend chosen. Building [`TlsOptions::default`](super::TlsOptions::default)
+    /// against such defaults returns a [`BackendError`].
+    #[default]
+    Unselected,
+
+    #[cfg(any(feature = "rustls", test))]
+    Rustls,
+
+    #[cfg(any(feature = "native-tls", test))]
+    NativeTls,
+}
diff --git a/crates/fetch_tls/src/lib.rs b/crates/fetch_tls/src/lib.rs
index 6e5f9a3d4..b136736dc 100644
--- a/crates/fetch_tls/src/lib.rs
+++ b/crates/fetch_tls/src/lib.rs
@@ -16,8 +16,10 @@
 //!
 //! # Features
 //!
-//! - **`rustls`** — pure-Rust [`rustls`](::rustls) paired with
-//!   [`rustls-symcrypt`](::rustls_symcrypt) as the crypto provider.
+//! - **`rustls`** — pure-Rust [`rustls`](::rustls). `fetch_tls` does not
+//!   bundle a crypto provider; the caller supplies one (along with a
+//!   server-certificate verifier) via
+//!   [`TlsBackendDefaults::configure_rustls`].
 //! - **`native-tls`** — platform native TLS (`SChannel` on Windows,
 //!   Security Framework on macOS, `OpenSSL` on Linux).
 //!
diff --git a/crates/fetch_tls/src/options.rs b/crates/fetch_tls/src/options.rs
index e123779ab..207ef5598 100644
--- a/crates/fetch_tls/src/options.rs
+++ b/crates/fetch_tls/src/options.rs
@@ -5,7 +5,7 @@
 
 use http::Version;
 
-use crate::backend::BackendError;
+use crate::backend::{BackendError, DefaultBackend};
 use crate::client_identity::ClientIdentity;
 use crate::{TlsBackend, TlsBackendDefaults};
 
@@ -18,11 +18,9 @@ use crate::{TlsBackend, TlsBackendDefaults};
     reason = "configuration object; variants are consumed by downstream HTTP client crates that materialize TLS backends from TlsOptions"
 )]
 pub(crate) enum TlsOptionsKind {
-    /// No backend selected. Produced by [`TlsOptions::empty`] (and by
-    /// [`TlsOptions::default`] when neither the `rustls` nor `native-tls`
-    /// feature is enabled). Calling [`TlsOptions::build_backend`] on such
-    /// options returns a [`BackendError`].
-    Empty,
+    /// Backend is selected automatically based on how the default backend
+    /// is configured via [`TlsBackendDefaults`]; see its documentation for details.
+    Auto,
 
     /// Pre-configured TLS backend, used as-is without any modifications.
     PreConfigured(TlsBackend),
@@ -47,8 +45,8 @@ pub(crate) enum TlsOptionsKind {
 /// # Examples
 ///
 /// Minimal rustls-backed [`TlsOptions`] using default settings; supply a
-/// [`TlsBackendDefaults::rustls`](crate::TlsBackendDefaults::rustls) when
-/// calling [`TlsOptions::build_backend`] to materialize a backend:
+/// [`TlsBackendDefaults::configure_rustls`](crate::TlsBackendDefaults::configure_rustls)
+/// when calling [`TlsOptions::build_backend`] to materialize a backend:
 ///
 /// ```rust,no_run
 /// # #[cfg(feature = "rustls")] {
@@ -103,22 +101,15 @@ impl TlsOptions {
         &self.shared.supported_http_versions
     }
 
-    /// Creates an empty [`TlsOptions`] with no backend selected.
-    ///
-    /// [`TlsOptions::build_backend`] returns a [`BackendError`]. Used by
-    /// [`TlsOptions::default`] when neither TLS feature is enabled.
-    #[cfg(any(test, not(any(feature = "rustls", feature = "native-tls"))))]
-    fn empty() -> Self {
-        Self {
-            inner: TlsOptionsKind::Empty,
-            shared: SharedOptions::default(),
-        }
-    }
-
     /// Materializes these options into a [`TlsBackend`] using `defaults`.
     ///
-    /// - rustls — requires [`TlsBackendDefaults::rustls`]; values configured
-    ///   on the builder take precedence over those in `defaults`.
+    /// - auto — selected by [`TlsOptions::default`]; the backend is chosen
+    ///   from [`TlsBackendDefaults`]'s configured default (set via
+    ///   [`TlsBackendDefaults::defaults_to_rustls`] /
+    ///   [`TlsBackendDefaults::defaults_to_native_tls`], or implicitly by
+    ///   [`TlsBackendDefaults::configure_rustls`]).
+    /// - rustls — requires [`TlsBackendDefaults::configure_rustls`]; values
+    ///   configured on the builder take precedence over those in `defaults`.
     /// - native-tls — `defaults` is ignored.
     /// - pre-configured — the wrapped backend is returned unchanged.
     ///
@@ -128,11 +119,8 @@ impl TlsOptions {
     /// rustls defaults are missing, or if backend construction fails (for
     /// example, invalid client identity material).
     pub fn build_backend(self, defaults: &TlsBackendDefaults) -> Result<TlsBackend, BackendError> {
-        let _ = defaults;
         match self.inner {
-            TlsOptionsKind::Empty => Err(BackendError::caused_by(
-                "no TLS backend is configured; enable the `rustls` or `native-tls` feature, or construct TlsOptions via one of its builders",
-            )),
+            TlsOptionsKind::Auto => self.build_auto_backend(defaults),
             TlsOptionsKind::PreConfigured(backend) => Ok(backend),
             #[cfg(any(feature = "rustls", test))]
             TlsOptionsKind::Rustls(rustls_backend) => {
@@ -146,23 +134,40 @@ impl TlsOptions {
             }
         }
     }
+
+    #[allow(
+        clippy::allow_attributes,
+        clippy::unused_self,
+        reason = "self.shared is used by feature-gated arms; with neither rustls nor native-tls enabled only Unselected is reachable"
+    )]
+    fn build_auto_backend(self, defaults: &TlsBackendDefaults) -> Result<TlsBackend, BackendError> {
+        match defaults.default {
+            #[cfg(any(feature = "rustls", test))]
+            DefaultBackend::Rustls => {
+                let config = super::rustls::RustlsOptions::new().build(defaults.rustls.as_ref(), &self.shared)?;
+                Ok(TlsBackend::Rustls(std::sync::Arc::new(config)))
+            }
+            #[cfg(any(feature = "native-tls", test))]
+            DefaultBackend::NativeTls => {
+                let connector = super::native_tls::NativeTlsOptions::new().build(&self.shared)?;
+                Ok(TlsBackend::NativeTls(connector))
+            }
+            DefaultBackend::Unselected => Err(BackendError::caused_by(
+                "no default TLS backend is configured on TlsBackendDefaults; call defaults_to_rustls() / defaults_to_native_tls() (or configure_rustls(), which implies rustls), or construct TlsOptions via one of its builders",
+            )),
+        }
+    }
 }
 
-/// Picks a default TLS backend from enabled features:
-/// `rustls` if available, else `native-tls`, else [`TlsOptions::empty`].
+/// Constructs [`TlsOptions`] whose backend is chosen at
+/// [`TlsOptions::build_backend`] time from the supplied
+/// [`TlsBackendDefaults`]. See [`TlsBackendDefaults`] for how to select the
+/// default backend.
 impl Default for TlsOptions {
     fn default() -> Self {
-        #[cfg(feature = "rustls")]
-        {
-            Self::builder_rustls().build()
-        }
-        #[cfg(all(feature = "native-tls", not(feature = "rustls")))]
-        {
-            Self::builder_native_tls().build()
-        }
-        #[cfg(not(any(feature = "native-tls", feature = "rustls")))]
-        {
-            Self::empty()
+        Self {
+            inner: TlsOptionsKind::Auto,
+            shared: SharedOptions::default(),
         }
     }
 }
@@ -208,7 +213,12 @@ impl<B> TlsOptionsBuilder<B> {
 #[cfg(test)]
 #[cfg_attr(coverage_nightly, coverage(off))]
 mod tests {
+    use std::sync::Arc;
+
+    use rustls::crypto::aws_lc_rs;
+
     use super::*;
+    use crate::testing::AcceptAllServerCertVerifier as AcceptAll;
 
     #[test]
     fn default_supported_http_versions_is_http1_and_http2() {
@@ -217,43 +227,21 @@ mod tests {
     }
 
     #[test]
-    fn empty_constructs_empty_variant() {
-        let tls = TlsOptions::empty();
-        assert!(matches!(tls.inner, TlsOptionsKind::Empty));
+    fn default_constructs_auto_variant() {
+        let tls = TlsOptions::default();
+        assert!(matches!(tls.inner, TlsOptionsKind::Auto));
     }
 
     #[test]
     #[cfg_attr(miri, ignore)]
-    fn empty_build_backend_returns_error() {
+    fn auto_without_default_backend_returns_error() {
         let defaults = TlsBackendDefaults::new();
 
-        let err = TlsOptions::empty().build_backend(&defaults).unwrap_err();
+        let err = TlsOptions::default().build_backend(&defaults).unwrap_err();
         let msg = format!("{err}");
-        assert!(msg.contains("no TLS backend"), "unexpected error: {msg}");
-    }
-
-    #[cfg(feature = "rustls")]
-    #[test]
-    fn default_selects_rustls_when_feature_enabled() {
-        let tls = TlsOptions::default();
-        assert!(matches!(tls.inner, TlsOptionsKind::Rustls(_)));
-    }
-
-    #[cfg(all(feature = "native-tls", not(feature = "rustls")))]
-    #[test]
-    fn default_selects_native_tls_when_only_native_tls_enabled() {
-        let tls = TlsOptions::default();
-        assert!(matches!(tls.inner, TlsOptionsKind::NativeTls(_)));
+        assert!(msg.contains("no default TLS backend"), "unexpected error: {msg}");
     }
 
-    #[cfg(not(any(feature = "rustls", feature = "native-tls")))]
-    #[test]
-    fn default_is_empty_when_no_features_enabled() {
-        let tls = TlsOptions::default();
-        assert!(matches!(tls.inner, TlsOptionsKind::Empty));
-    }
-
-    #[cfg(feature = "rustls")]
     #[test]
     fn supported_http_versions_round_trips() {
         let tls = TlsOptions::builder_rustls()
@@ -262,22 +250,18 @@ mod tests {
         assert_eq!(tls.supported_http_versions(), &[Version::HTTP_11, Version::HTTP_2]);
     }
 
-    #[cfg(feature = "rustls")]
-    mod build_backend_rustls {
-        use std::sync::Arc;
+    fn rustls_defaults() -> TlsBackendDefaults {
+        TlsBackendDefaults::new().configure_rustls(Arc::new(aws_lc_rs::default_provider()), Arc::new(AcceptAll))
+    }
 
+    mod build_backend_rustls {
         use super::*;
-        use crate::testing::AcceptAllServerCertVerifier as AcceptAll;
-
-        fn defaults() -> TlsBackendDefaults {
-            TlsBackendDefaults::rustls(Arc::new(rustls_symcrypt::default_symcrypt_provider()), Arc::new(AcceptAll))
-        }
 
         #[test]
         #[cfg_attr(miri, ignore)]
         fn rustls_falls_back_to_default_verifier() {
             let tls = TlsOptions::builder_rustls().build();
-            let backend = tls.build_backend(&defaults()).unwrap();
+            let backend = tls.build_backend(&rustls_defaults()).unwrap();
             assert!(matches!(backend, TlsBackend::Rustls(_)));
         }
 
@@ -287,7 +271,7 @@ mod tests {
             let tls = TlsOptions::builder_rustls()
                 .server_certificate_verifier(|_| Arc::new(AcceptAll))
                 .build();
-            let backend = tls.build_backend(&defaults()).unwrap();
+            let backend = tls.build_backend(&rustls_defaults()).unwrap();
             assert!(matches!(backend, TlsBackend::Rustls(_)));
         }
 
@@ -303,31 +287,80 @@ mod tests {
         #[test]
         #[cfg_attr(miri, ignore)]
         fn preconfigured_passes_backend_through_unchanged() {
-            let config = rustls::ClientConfig::builder_with_provider(Arc::new(rustls_symcrypt::default_symcrypt_provider()))
+            let config = rustls::ClientConfig::builder_with_provider(Arc::new(aws_lc_rs::default_provider()))
                 .with_safe_default_protocol_versions()
                 .unwrap()
                 .dangerous()
                 .with_custom_certificate_verifier(Arc::new(AcceptAll))
                 .with_no_client_auth();
             let tls = TlsOptions::from(config);
-            let backend = tls.build_backend(&defaults()).unwrap();
+            let backend = tls.build_backend(&rustls_defaults()).unwrap();
             assert!(matches!(backend, TlsBackend::Rustls(_)));
         }
     }
 
-    #[cfg(feature = "native-tls")]
     mod build_backend_native_tls {
         use super::*;
 
-        fn defaults() -> TlsBackendDefaults {
-            TlsBackendDefaults::new()
-        }
-
         #[test]
         #[cfg_attr(miri, ignore)]
         fn native_tls_ignores_rustls_defaults() {
             let tls = TlsOptions::builder_native_tls().build();
-            let backend = tls.build_backend(&defaults()).unwrap();
+            let backend = tls.build_backend(&TlsBackendDefaults::new()).unwrap();
+            assert!(matches!(backend, TlsBackend::NativeTls(_)));
+        }
+    }
+
+    mod build_backend_auto {
+        use super::*;
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn configure_rustls_auto_promotes_unselected_to_rustls() {
+            let backend = TlsOptions::default().build_backend(&rustls_defaults()).unwrap();
+            assert!(matches!(backend, TlsBackend::Rustls(_)));
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn defaults_to_rustls_selects_rustls() {
+            let defaults = rustls_defaults().defaults_to_rustls();
+            let backend = TlsOptions::default().build_backend(&defaults).unwrap();
+            assert!(matches!(backend, TlsBackend::Rustls(_)));
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn defaults_to_rustls_without_rustls_defaults_returns_crypto_provider_error() {
+            let defaults = TlsBackendDefaults::new().defaults_to_rustls();
+            let err = TlsOptions::default().build_backend(&defaults).unwrap_err();
+            let msg = format!("{err}");
+            assert!(msg.contains("crypto provider"), "unexpected error: {msg}");
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn defaults_to_native_tls_selects_native_tls() {
+            let defaults = TlsBackendDefaults::new().defaults_to_native_tls();
+            let backend = TlsOptions::default().build_backend(&defaults).unwrap();
+            assert!(matches!(backend, TlsBackend::NativeTls(_)));
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn defaults_to_native_tls_after_configure_rustls_overrides_promotion() {
+            let defaults = rustls_defaults().defaults_to_native_tls();
+            let backend = TlsOptions::default().build_backend(&defaults).unwrap();
+            assert!(matches!(backend, TlsBackend::NativeTls(_)));
+        }
+
+        #[test]
+        #[cfg_attr(miri, ignore)]
+        fn configure_rustls_after_defaults_to_native_tls_keeps_native_tls() {
+            let defaults = TlsBackendDefaults::new()
+                .defaults_to_native_tls()
+                .configure_rustls(Arc::new(aws_lc_rs::default_provider()), Arc::new(AcceptAll));
+            let backend = TlsOptions::default().build_backend(&defaults).unwrap();
             assert!(matches!(backend, TlsBackend::NativeTls(_)));
         }
     }
diff --git a/crates/fetch_tls/src/rustls.rs b/crates/fetch_tls/src/rustls.rs
index ef2d76555..7948694b8 100644
--- a/crates/fetch_tls/src/rustls.rs
+++ b/crates/fetch_tls/src/rustls.rs
@@ -68,14 +68,14 @@ impl RustlsOptions {
             .or_else(|| defaults.map(|d| Arc::clone(&d.crypto_provider)))
             .ok_or_else(|| {
                 BackendError::caused_by(
-                    "rustls crypto provider not supplied; set it via TlsOptionsBuilder::crypto_provider or TlsBackendDefaults::rustls(...)",
+                    "rustls crypto provider not supplied; set it via TlsOptionsBuilder::crypto_provider or TlsBackendDefaults::configure_rustls(...)",
                 )
             })?;
         let verifier = match self.verifier_factory {
             Some(factory) => factory(Arc::clone(&crypto_provider)),
             None => defaults.map(|d| Arc::clone(&d.verifier)).ok_or_else(|| {
                 BackendError::caused_by(
-                    "rustls server certificate verifier not supplied; set it via TlsOptionsBuilder::server_certificate_verifier or TlsBackendDefaults::rustls(...)",
+                    "rustls server certificate verifier not supplied; set it via TlsOptionsBuilder::server_certificate_verifier or TlsBackendDefaults::configure_rustls(...)",
                 )
             })?,
         };
@@ -131,7 +131,7 @@ impl TlsOptionsBuilder<RustlsOptions> {
     /// Sets the rustls [`CryptoProvider`](rustls::crypto::CryptoProvider).
     ///
     /// Overrides the provider supplied by
-    /// [`TlsBackendDefaults::rustls`](crate::TlsBackendDefaults::rustls).
+    /// [`TlsBackendDefaults::configure_rustls`](crate::TlsBackendDefaults::configure_rustls).
     /// If neither source supplies one, [`TlsOptions::build_backend`] returns
     /// a [`BackendError`](crate::BackendError).
     pub fn crypto_provider(mut self, crypto_provider: Arc<rustls::crypto::CryptoProvider>) -> Self {
@@ -144,12 +144,12 @@ impl TlsOptionsBuilder<RustlsOptions> {
     ///
     /// The factory is invoked during [`TlsOptions::build_backend`] with the
     /// provider resolved from this builder or
-    /// [`TlsBackendDefaults::rustls`](crate::TlsBackendDefaults::rustls).
+    /// [`TlsBackendDefaults::configure_rustls`](crate::TlsBackendDefaults::configure_rustls).
     /// Callers that don't need the provider can simply ignore the argument
     /// and return a pre-built verifier (for example, `|_| Arc::new(MyVerifier)`).
     ///
     /// Overrides the verifier supplied by
-    /// [`TlsBackendDefaults::rustls`](crate::TlsBackendDefaults::rustls).
+    /// [`TlsBackendDefaults::configure_rustls`](crate::TlsBackendDefaults::configure_rustls).
     /// If neither source supplies one, [`TlsOptions::build_backend`] returns
     /// a [`BackendError`](crate::BackendError).
     pub fn server_certificate_verifier<F>(mut self, factory: F) -> Self
@@ -182,13 +182,15 @@ impl TlsOptionsBuilder<RustlsOptions> {
 #[cfg(test)]
 #[cfg_attr(coverage_nightly, coverage(off))]
 mod tests {
+    use rustls::crypto::aws_lc_rs;
+
     use super::*;
     use crate::backend::RustlsDefaults;
     use crate::client_identity::ClientIdentity;
     use crate::testing::{AcceptAllServerCertVerifier as AcceptAll, NoClientCertResolver as StubResolver};
 
     fn provider() -> Arc<rustls::crypto::CryptoProvider> {
-        Arc::new(rustls_symcrypt::default_symcrypt_provider())
+        Arc::new(aws_lc_rs::default_provider())
     }
 
     fn defaults() -> RustlsDefaults {
@@ -265,7 +267,7 @@ mod tests {
     }
 
     #[test]
-    #[cfg_attr(miri, ignore)] // `rustls-symcrypt` FFI does not run under Miri
+    #[cfg_attr(miri, ignore)] // crypto provider FFI (aws-lc-rs) does not run under Miri
     fn build_produces_client_config_without_identity() {
         let _config = TlsOptions::builder_rustls()
             .server_certificate_verifier(|_| Arc::new(AcceptAll))

From 87eb85823e86449391e018e6b9b748d81f313014 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 10:15:03 +0200
Subject: [PATCH 04/30] cleanup grammar

---
 .spelling                               |  4 ----
 crates/fetch_tls/README.md              |  4 ++--
 crates/fetch_tls/src/backend.rs         |  2 +-
 crates/fetch_tls/src/client_identity.rs | 20 ++++++++++----------
 crates/fetch_tls/src/lib.rs             |  2 +-
 5 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/.spelling b/.spelling
index 5945ad724..a5b75af48 100644
--- a/.spelling
+++ b/.spelling
@@ -557,11 +557,7 @@ bumpable
 dereferenceable
 NonNull
 crypto
-DER
-macOS
-PEM
 rustls
 TLS
 verifier
 Verifier
-backend's
diff --git a/crates/fetch_tls/README.md b/crates/fetch_tls/README.md
index fb9041131..c8adfcad6 100644
--- a/crates/fetch_tls/README.md
+++ b/crates/fetch_tls/README.md
@@ -28,7 +28,7 @@ Materialize a [`TlsBackend`][__link5] with [`TlsOptions::build_backend`][__link6
   server-certificate verifier) via
   [`TlsBackendDefaults::configure_rustls`][__link8].
 * **`native-tls`** — platform native TLS (`SChannel` on Windows,
-  Security Framework on macOS, `OpenSSL` on Linux).
+  Security Framework on `macOS`, `OpenSSL` on Linux).
 
 With neither feature enabled, [`TlsOptions::default`][__link9] still constructs but
 [`TlsOptions::build_backend`][__link10] returns a [`BackendError`][__link11].
@@ -39,7 +39,7 @@ With neither feature enabled, [`TlsOptions::default`][__link9] still constructs
 This crate was developed as part of <a href="../..">The Oxidizer Project</a>. Browse this crate's <a href="https://github.com/microsoft/oxidizer/tree/main/crates/fetch_tls">source code</a>.
 </sub>
 
- [__cargo_doc2readme_dependencies_info]: ggGkYW0CYXSEGy4k8ldDFPOhG2VNeXtD5nnKG6EPY6OfW5wBG8g18NOFNdxpYXKEG5v6WTZghmSAG4j_vIHk7ZKvG5ohFGVWsHijGw5WtRenFKqdYWSDgmlmZXRjaF90bHNlMC4xLjCCam5hdGl2ZV90bHNmMC4yLjE4gmZydXN0bHNnMC4yMy40MA
+ [__cargo_doc2readme_dependencies_info]: ggGkYW0CYXSEGy4k8ldDFPOhG2VNeXtD5nnKG6EPY6OfW5wBG8g18NOFNdxpYXKEG2t4QyKGZLjOGzG3afJHTM1YG1p0yPzfBpVtG_wKLWa2KlkuYWSDgmlmZXRjaF90bHNlMC4xLjCCam5hdGl2ZV90bHNmMC4yLjE4gmZydXN0bHNnMC4yMy40MA
  [__link0]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
  [__link1]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::builder_rustls
  [__link10]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::build_backend
diff --git a/crates/fetch_tls/src/backend.rs b/crates/fetch_tls/src/backend.rs
index 35165c29a..672dba1c4 100644
--- a/crates/fetch_tls/src/backend.rs
+++ b/crates/fetch_tls/src/backend.rs
@@ -30,7 +30,7 @@ pub enum TlsBackend {
     Rustls(std::sync::Arc<::rustls::ClientConfig>),
 
     /// Platform native TLS backend (`SChannel` on Windows, Security Framework
-    /// on macOS, `OpenSSL` on Linux).
+    /// on `macOS`, `OpenSSL` on Linux).
     #[cfg(any(feature = "native-tls", test))]
     NativeTls(::native_tls::TlsConnector),
 }
diff --git a/crates/fetch_tls/src/client_identity.rs b/crates/fetch_tls/src/client_identity.rs
index 46a2e4ff1..69f124b35 100644
--- a/crates/fetch_tls/src/client_identity.rs
+++ b/crates/fetch_tls/src/client_identity.rs
@@ -3,7 +3,7 @@
 
 //! Backend-agnostic `mTLS` client identity.
 //!
-//! [`ClientIdentity`] holds a DER-encoded certificate chain and private key
+//! [`ClientIdentity`] holds a `DER`-encoded certificate chain and private key
 //! and is consumed by both backends, so `mTLS` is configured the same way
 //! regardless of which backend is selected.
 
@@ -19,7 +19,7 @@ pub struct ClientIdentityError;
 ///
 /// Holds the client certificate chain and private key presented during the
 /// TLS handshake. The same value works with either backend; each one
-/// converts the contained DER bytes into its own internal form.
+/// converts the contained `DER` bytes into its own internal form.
 ///
 /// # Example
 ///
@@ -51,7 +51,7 @@ impl Clone for ClientIdentity {
 }
 
 impl ClientIdentity {
-    /// Creates a client identity from PEM-encoded certificate and private key.
+    /// Creates a client identity from `PEM`-encoded certificate and private key.
     ///
     /// `cert_pem` may contain one or more certificates (leaf first, then
     /// intermediates). `key_pem` must contain exactly one private key
@@ -62,7 +62,7 @@ impl ClientIdentity {
     ///
     /// # Errors
     ///
-    /// Returns an error if either input is not valid PEM.
+    /// Returns an error if either input is not valid `PEM`.
     pub fn from_pem(cert_pem: &[u8], key_pem: &[u8]) -> Result<Self, ClientIdentityError> {
         let cert_chain: Vec<rustls_pki_types::CertificateDer<'static>> = rustls_pki_types::CertificateDer::pem_slice_iter(cert_pem)
             .collect::<Result<_, _>>()
@@ -71,15 +71,15 @@ impl ClientIdentity {
         Ok(Self { cert_chain, private_key })
     }
 
-    /// Creates a client identity from DER-encoded certificate and private key.
+    /// Creates a client identity from `DER`-encoded certificate and private key.
     ///
     /// `cert_chain` is leaf-first; `key_der` must be a `PKCS#8`-encoded
     /// private key.
     #[must_use]
-    pub fn from_der<I, DER>(cert_chain: I, key_der: DER) -> Self
+    pub fn from_der<I, B>(cert_chain: I, key_der: B) -> Self
     where
-        I: IntoIterator<Item = DER>,
-        DER: AsRef<[u8]>,
+        I: IntoIterator<Item = B>,
+        B: AsRef<[u8]>,
     {
         let cert_chain = cert_chain
             .into_iter()
@@ -104,7 +104,7 @@ impl ClientIdentity {
 
     /// Builds a [`native_tls::Identity`] from this client identity.
     ///
-    /// Re-encodes the DER components as PEM and feeds them to
+    /// Re-encodes the `DER` components as `PEM` and feeds them to
     /// [`native_tls::Identity::from_pkcs8`], the format supported across all
     /// platform backends. Fails if the private key is not `PKCS#8` or if the
     /// platform native TLS implementation rejects the material.
@@ -133,7 +133,7 @@ impl ClientIdentity {
     }
 }
 
-/// Writes a PEM-encoded object to `out`.
+/// Writes a `PEM`-encoded object to `out`.
 ///
 /// Format per `RFC 7468`: a textual `-----BEGIN <label>-----` line, the body
 /// as `base64` broken into 64-character lines, and a matching
diff --git a/crates/fetch_tls/src/lib.rs b/crates/fetch_tls/src/lib.rs
index b136736dc..fbc4cca07 100644
--- a/crates/fetch_tls/src/lib.rs
+++ b/crates/fetch_tls/src/lib.rs
@@ -21,7 +21,7 @@
 //!   server-certificate verifier) via
 //!   [`TlsBackendDefaults::configure_rustls`].
 //! - **`native-tls`** — platform native TLS (`SChannel` on Windows,
-//!   Security Framework on macOS, `OpenSSL` on Linux).
+//!   Security Framework on `macOS`, `OpenSSL` on Linux).
 //!
 //! With neither feature enabled, [`TlsOptions::default`] still constructs but
 //! [`TlsOptions::build_backend`] returns a [`BackendError`].

From fded4d21d00f5176562e666acf3142bad467eb67 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 10:22:36 +0200
Subject: [PATCH 05/30] adop fetch_tls in fetch_hyper

---
 Cargo.lock                                    |   1 +
 crates/fetch_hyper/Cargo.toml                 |   5 +-
 crates/fetch_hyper/src/builder.rs             |   4 +-
 .../src/connection/hyper_handler.rs           |   2 +-
 crates/fetch_hyper/src/lib.rs                 |   1 -
 crates/fetch_hyper/src/testing.rs             |   5 +-
 crates/fetch_hyper/src/tls/connector.rs       |   7 +-
 crates/fetch_hyper/src/tls/mod.rs             | 113 ------------------
 crates/fetch_hyper/tests/smoke.rs             |   3 +-
 9 files changed, 16 insertions(+), 125 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 72f11ccbd..44e6dd916 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1042,6 +1042,7 @@ dependencies = [
  "anyspawn",
  "bytes",
  "bytesbuf",
+ "fetch_tls",
  "futures",
  "http",
  "http-body-util",
diff --git a/crates/fetch_hyper/Cargo.toml b/crates/fetch_hyper/Cargo.toml
index 3b2422154..b4bd7847a 100644
--- a/crates/fetch_hyper/Cargo.toml
+++ b/crates/fetch_hyper/Cargo.toml
@@ -38,8 +38,8 @@ allowed_external_types = [
 all-features = true
 
 [features]
-rustls = ["dep:rustls", "dep:hyper-rustls"]
-native-tls = ["dep:native-tls", "dep:hyper-tls", "dep:tokio-native-tls"]
+rustls = ["dep:rustls", "dep:hyper-rustls", "fetch_tls/rustls"]
+native-tls = ["dep:native-tls", "dep:hyper-tls", "dep:tokio-native-tls", "fetch_tls/native-tls"]
 
 [dependencies]
 # internal
@@ -51,6 +51,7 @@ ohno.workspace = true
 seatbelt = { workspace = true }
 templated_uri = { workspace = true }
 tick = { workspace = true }
+fetch_tls = { workspace = true }
 
 # external
 futures = { workspace = true, features = ["std"] }
diff --git a/crates/fetch_hyper/src/builder.rs b/crates/fetch_hyper/src/builder.rs
index eae08d48e..540deff34 100644
--- a/crates/fetch_hyper/src/builder.rs
+++ b/crates/fetch_hyper/src/builder.rs
@@ -9,6 +9,7 @@ use std::marker::PhantomData;
 use std::time::Duration;
 
 use anyspawn::Spawner;
+use fetch_tls::TlsBackend;
 use http::Version;
 use http_extensions::{HttpBodyBuilder, HttpRequest, HttpResponse, Result};
 use hyper_util::client::legacy;
@@ -20,7 +21,6 @@ use crate::HyperIo;
 use crate::connection::Connect;
 use crate::connection::hyper_handler::build_hyper_handler;
 use crate::options::{ConnectionLifetime, RequestFilter};
-use crate::tls::TlsBackend;
 
 /// A type-erased Hyper request handler.
 #[derive(Clone, Debug)]
@@ -84,7 +84,7 @@ where
 ///
 /// ```
 /// use anyspawn::Spawner;
-/// use fetch_hyper::{HyperTransport, HyperTransportBuilder, TlsBackend};
+/// use fetch_hyper::{HyperTransport, HyperTransportBuilder};
 /// use http_extensions::HttpBodyBuilder;
 /// use hyper_util::rt::TokioIo;
 /// use layered::Execute;
diff --git a/crates/fetch_hyper/src/connection/hyper_handler.rs b/crates/fetch_hyper/src/connection/hyper_handler.rs
index e24389245..2824b4a47 100644
--- a/crates/fetch_hyper/src/connection/hyper_handler.rs
+++ b/crates/fetch_hyper/src/connection/hyper_handler.rs
@@ -191,6 +191,7 @@ mod tests {
 
     use anyspawn::Spawner;
     use bytes::Bytes;
+    use fetch_tls::TlsBackend;
     use http_body_util::BodyExt as _;
     use http_extensions::{HttpBodyBuilder, HttpRequestBuilder};
     use layered::Service as _;
@@ -200,7 +201,6 @@ mod tests {
     use crate::HyperTransport;
     use crate::options::{ConnectionLifetime, RequestFilter};
     use crate::testing::{FakeConnector, create_hyper_error, fake_body_builder};
-    use crate::tls::TlsBackend;
 
     fn tls() -> TlsBackend {
         native_tls::TlsConnector::new().unwrap().into()
diff --git a/crates/fetch_hyper/src/lib.rs b/crates/fetch_hyper/src/lib.rs
index f08999df1..ab7643675 100644
--- a/crates/fetch_hyper/src/lib.rs
+++ b/crates/fetch_hyper/src/lib.rs
@@ -56,4 +56,3 @@ pub use builder::{HyperTransport, HyperTransportBuilder};
 pub use connection::{Connect, HyperIo};
 pub use options::{ConnectionLifetime, RequestFilter};
 pub use telemetry::ConnectionInfo;
-pub use tls::TlsBackend;
diff --git a/crates/fetch_hyper/src/testing.rs b/crates/fetch_hyper/src/testing.rs
index 22c7ef052..a8e80f302 100644
--- a/crates/fetch_hyper/src/testing.rs
+++ b/crates/fetch_hyper/src/testing.rs
@@ -363,16 +363,17 @@ mod tests {
 
     use anyspawn::Spawner;
     use bytes::Bytes;
+    use fetch_tls::TlsBackend;
     use http_body_util::BodyExt;
     use layered::Service as _;
     use native_tls::TlsConnector;
     use seatbelt::RecoveryInfo;
 
     use crate::testing::{FakeConnector, TestError, create_test_request, fake_body_builder};
-    use crate::{HyperTransportBuilder, RequestFilter, TlsBackend};
+    use crate::{HyperTransportBuilder, RequestFilter};
 
     fn build_tls() -> TlsBackend {
-        TlsBackend::NativeTls(TlsConnector::new().unwrap())
+        TlsConnector::new().unwrap().into()
     }
 
     fn http_1_response() -> Bytes {
diff --git a/crates/fetch_hyper/src/tls/connector.rs b/crates/fetch_hyper/src/tls/connector.rs
index 7f96aeac8..9603abda7 100644
--- a/crates/fetch_hyper/src/tls/connector.rs
+++ b/crates/fetch_hyper/src/tls/connector.rs
@@ -5,6 +5,7 @@
 
 use std::marker::PhantomData;
 
+use fetch_tls::TlsBackend;
 use http::Version;
 use templated_uri::BaseUri;
 #[cfg(any(feature = "rustls", feature = "native-tls", test))]
@@ -13,7 +14,6 @@ use tower::Service as _;
 #[cfg(any(feature = "rustls", feature = "native-tls", test))]
 use crate::connection::hyper_connector_adapter::HyperConnectorAdapter;
 use crate::options::RequestFilter;
-use crate::tls::TlsBackend;
 use crate::{Connect, HyperIo};
 
 /// An enum that wraps the `TLS` connector, dispatching to the correct backend at runtime.
@@ -64,7 +64,7 @@ where
         match backend {
             #[cfg(any(feature = "rustls", test))]
             TlsBackend::Rustls(config) => Self::Rustls(
-                build_rustls_connector(config, connector, request_filter, supported_versions),
+                build_rustls_connector(config.as_ref().clone(), connector, request_filter, supported_versions),
                 PhantomData,
             ),
             #[cfg(any(feature = "native-tls", test))]
@@ -196,7 +196,8 @@ mod tests {
             .unwrap()
             .with_root_certificates(rustls::RootCertStore::empty())
             .with_no_client_auth();
-        TlsBackend::Rustls(config)
+
+        config.into()
     }
 
     fn fake_connector() -> FakeConnector {
diff --git a/crates/fetch_hyper/src/tls/mod.rs b/crates/fetch_hyper/src/tls/mod.rs
index 76f59ae2d..ccfa21018 100644
--- a/crates/fetch_hyper/src/tls/mod.rs
+++ b/crates/fetch_hyper/src/tls/mod.rs
@@ -7,116 +7,3 @@
 
 mod connector;
 pub(crate) use connector::TlsConnector;
-
-/// Selects and supplies the `TLS` backend used by the transport.
-///
-/// When neither the `rustls` nor `native-tls` feature is enabled this enum
-/// has no variants and is therefore uninhabited: the crate still compiles,
-/// but a [`TlsBackend`] value cannot be constructed and the transport
-/// cannot be used. Enable at least one `TLS` feature to make outbound
-/// connections.
-#[derive(Clone, Debug)]
-#[allow(
-    clippy::allow_attributes,
-    clippy::large_enum_variant,
-    reason = "backend is not on hot path, we want to keep API clean so no Box<..>"
-)]
-pub enum TlsBackend {
-    /// Use the `rustls` backend with the given pre-built configuration.
-    #[cfg(any(feature = "rustls", test))]
-    Rustls(rustls::ClientConfig),
-
-    /// Use the platform `native-tls` backend with the given connector.
-    #[cfg(any(feature = "native-tls", test))]
-    NativeTls(native_tls::TlsConnector),
-}
-
-#[cfg(any(feature = "rustls", test))]
-impl From<rustls::ClientConfig> for TlsBackend {
-    fn from(config: rustls::ClientConfig) -> Self {
-        Self::Rustls(config)
-    }
-}
-
-#[cfg(any(feature = "rustls", test))]
-impl From<std::sync::Arc<rustls::ClientConfig>> for TlsBackend {
-    fn from(config: std::sync::Arc<rustls::ClientConfig>) -> Self {
-        Self::Rustls(std::sync::Arc::unwrap_or_clone(config))
-    }
-}
-
-#[cfg(any(feature = "native-tls", test))]
-impl From<native_tls::TlsConnector> for TlsBackend {
-    fn from(connector: native_tls::TlsConnector) -> Self {
-        Self::NativeTls(connector)
-    }
-}
-
-#[cfg(test)]
-#[cfg_attr(coverage_nightly, coverage(off))]
-mod tests {
-    use super::*;
-
-    #[test]
-    #[cfg_attr(miri, ignore)]
-    fn from_client_config_makes_rustls_variant() {
-        let provider = rustls::crypto::CryptoProvider::get_default()
-            .cloned()
-            .unwrap_or_else(|| std::sync::Arc::new(rustls::crypto::aws_lc_rs::default_provider()));
-        let config = rustls::ClientConfig::builder_with_provider(provider)
-            .with_safe_default_protocol_versions()
-            .unwrap()
-            .with_root_certificates(rustls::RootCertStore::empty())
-            .with_no_client_auth();
-        let backend: TlsBackend = config.into();
-        assert!(matches!(backend, TlsBackend::Rustls(_)));
-    }
-
-    #[test]
-    #[cfg_attr(miri, ignore)]
-    fn from_arc_client_config_makes_rustls_variant() {
-        let provider = rustls::crypto::CryptoProvider::get_default()
-            .cloned()
-            .unwrap_or_else(|| std::sync::Arc::new(rustls::crypto::aws_lc_rs::default_provider()));
-        let config = std::sync::Arc::new(
-            rustls::ClientConfig::builder_with_provider(provider)
-                .with_safe_default_protocol_versions()
-                .unwrap()
-                .with_root_certificates(rustls::RootCertStore::empty())
-                .with_no_client_auth(),
-        );
-        let backend: TlsBackend = config.into();
-        assert!(matches!(backend, TlsBackend::Rustls(_)));
-    }
-
-    #[test]
-    #[cfg_attr(miri, ignore)]
-    fn from_native_tls_connector_makes_native_variant() {
-        let nc = native_tls::TlsConnector::new().unwrap();
-        let backend: TlsBackend = nc.into();
-        assert!(matches!(backend, TlsBackend::NativeTls(_)));
-    }
-
-    #[test]
-    #[cfg_attr(miri, ignore)]
-    fn clone_preserves_variant() {
-        let nc = native_tls::TlsConnector::new().unwrap();
-        let backend = TlsBackend::NativeTls(nc);
-        let cloned = backend.clone();
-        assert!(matches!(backend, TlsBackend::NativeTls(_)));
-        assert!(matches!(cloned, TlsBackend::NativeTls(_)));
-
-        let provider = rustls::crypto::CryptoProvider::get_default()
-            .cloned()
-            .unwrap_or_else(|| std::sync::Arc::new(rustls::crypto::aws_lc_rs::default_provider()));
-        let config = rustls::ClientConfig::builder_with_provider(provider)
-            .with_safe_default_protocol_versions()
-            .unwrap()
-            .with_root_certificates(rustls::RootCertStore::empty())
-            .with_no_client_auth();
-        let rustls_backend: TlsBackend = config.into();
-        let rustls_cloned = rustls_backend.clone();
-        assert!(matches!(rustls_backend, TlsBackend::Rustls(_)));
-        assert!(matches!(rustls_cloned, TlsBackend::Rustls(_)));
-    }
-}
diff --git a/crates/fetch_hyper/tests/smoke.rs b/crates/fetch_hyper/tests/smoke.rs
index d9ca687d2..6144587f4 100644
--- a/crates/fetch_hyper/tests/smoke.rs
+++ b/crates/fetch_hyper/tests/smoke.rs
@@ -11,7 +11,8 @@ use std::time::Duration;
 
 use anyspawn::Spawner;
 use bytes::Bytes;
-use fetch_hyper::{HyperTransportBuilder, RequestFilter, TlsBackend};
+use fetch_hyper::{HyperTransportBuilder, RequestFilter};
+use fetch_tls::TlsBackend;
 use http::{Method, StatusCode, Version};
 use http_extensions::{HttpBodyBuilder, HttpRequestBuilder, Result};
 use hyper_util::rt::TokioIo;

From 978017d5fc6f2a0965b80f04f48828a3fce63c81 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 10:28:57 +0200
Subject: [PATCH 06/30] Update builder.rs

---
 crates/fetch_hyper/src/builder.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/fetch_hyper/src/builder.rs b/crates/fetch_hyper/src/builder.rs
index 540deff34..1b414ab0b 100644
--- a/crates/fetch_hyper/src/builder.rs
+++ b/crates/fetch_hyper/src/builder.rs
@@ -104,7 +104,7 @@ where
 /// // performs expensive certificate/store initialization, so we skip it
 /// // here with `unreachable!()` — the async function below is never
 /// // actually called.
-/// let tls: TlsBackend = unreachable!("doc example; never invoked");
+/// let tls: fetch_tls::TlsBackend = unreachable!("doc example; never invoked");
 ///
 /// let transport: HyperTransport = HyperTransportBuilder::new(
 ///     Execute::new(connect),

From 4554be82c576372e4394fd63e3dfefcb1b390528 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 20:56:13 +0200
Subject: [PATCH 07/30] Update Cargo.lock

---
 Cargo.lock | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/Cargo.lock b/Cargo.lock
index 44e6dd916..0c6b37ba9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2902,6 +2902,21 @@ dependencies = [
  "tracing-subscriber",
 ]
 
+[[package]]
+name = "seatbelt_http"
+version = "0.2.1"
+dependencies = [
+ "futures",
+ "http",
+ "http_extensions",
+ "layered",
+ "mutants",
+ "ohno 0.3.2",
+ "seatbelt",
+ "templated_uri",
+ "tick",
+]
+
 [[package]]
 name = "security-framework"
 version = "3.7.0"

From 6c3dc82333b6b5414ed0099709b45087be567a30 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 21:05:33 +0200
Subject: [PATCH 08/30] cleanup

---
 crates/fetch_tls/src/lib.rs        | 52 ++++++++++++++++++++++++------
 crates/fetch_tls/src/native_tls.rs | 17 ++++++++++
 crates/fetch_tls/src/rustls.rs     | 18 +++++++++++
 3 files changed, 78 insertions(+), 9 deletions(-)

diff --git a/crates/fetch_tls/src/lib.rs b/crates/fetch_tls/src/lib.rs
index fbc4cca07..96a85e08f 100644
--- a/crates/fetch_tls/src/lib.rs
+++ b/crates/fetch_tls/src/lib.rs
@@ -8,23 +8,57 @@
 
 //! Backend-agnostic TLS configuration for HTTP clients.
 //!
-//! Build a [`TlsOptions`] with [`TlsOptions::builder_rustls`] or
-//! [`TlsOptions::builder_native_tls`], or wrap a pre-built
-//! [`rustls::ClientConfig`](::rustls::ClientConfig) /
-//! [`native_tls::TlsConnector`](::native_tls::TlsConnector) via `From`/`Into`.
-//! Materialize a [`TlsBackend`] with [`TlsOptions::build_backend`].
+//! `fetch_tls` separates *what* TLS behavior a consumer wants from *which*
+//! TLS implementation actually provides it. This lets application code
+//! describe its TLS requirements once and lets the HTTP client (or other
+//! library) decide which backend to materialize at runtime.
+//!
+//! # Overview
+//!
+//! The core type is [`TlsOptions`], a backend-agnostic description of a TLS
+//! client configuration. It can be constructed in a few ways:
+//!
+//! - **Explicit backend selection** — use [`TlsOptions::builder_rustls`] or
+//!   [`TlsOptions::builder_native_tls`] (via [`TlsOptionsBuilder`]) when the
+//!   consumer specifically wants `rustls` or `native-tls`.
+//! - **Wrapping a pre-built configuration** — convert an existing
+//!   [`rustls::ClientConfig`](::rustls::ClientConfig) or
+//!   [`native_tls::TlsConnector`](::native_tls::TlsConnector) into a
+//!   [`TlsOptions`] via `From`/`Into`.
+//! - **Default construction** — [`TlsOptions::default`] produces options
+//!   that do not pin a specific backend; the choice is deferred to the
+//!   library consuming the [`TlsOptions`].
+//!
+//! # User vs. consumer perspective
+//!
+//! From an **end-user / application** perspective, only [`TlsOptions`] and
+//! [`TlsOptionsBuilder`] are relevant. Users describe their TLS requirements
+//! and hand the resulting [`TlsOptions`] to a library (for example, an HTTP
+//! client).
+//!
+//! From a **library / client** perspective that adopts `fetch_tls`, the
+//! [`TlsOptions`] is materialized into a concrete [`TlsBackend`] (backed by
+//! a specific TLS implementation) via [`TlsOptions::build_backend`]. The
+//! library supplies a [`TlsBackendDefaults`] that:
+//!
+//! - provides the information required to actually build the backend (for
+//!   example, a `rustls` crypto provider and server-certificate verifier via
+//!   [`TlsBackendDefaults::configure_rustls`]), and
+//! - decides which backend to use when the [`TlsOptions`] does not pin one
+//!   (i.e. when the consumer does not care about the underlying TLS
+//!   technology).
 //!
 //! # Features
 //!
 //! - **`rustls`** — pure-Rust [`rustls`](::rustls). `fetch_tls` does not
-//!   bundle a crypto provider; the caller supplies one (along with a
-//!   server-certificate verifier) via
+//!   bundle a crypto provider; the adopting library supplies one (along
+//!   with a server-certificate verifier) via
 //!   [`TlsBackendDefaults::configure_rustls`].
 //! - **`native-tls`** — platform native TLS (`SChannel` on Windows,
 //!   Security Framework on `macOS`, `OpenSSL` on Linux).
 //!
-//! With neither feature enabled, [`TlsOptions::default`] still constructs but
-//! [`TlsOptions::build_backend`] returns a [`BackendError`].
+//! With neither feature enabled, [`TlsOptions::default`] still constructs
+//! but [`TlsOptions::build_backend`] returns a [`BackendError`].
 
 mod backend;
 mod options;
diff --git a/crates/fetch_tls/src/native_tls.rs b/crates/fetch_tls/src/native_tls.rs
index 85905d766..1525b2569 100644
--- a/crates/fetch_tls/src/native_tls.rs
+++ b/crates/fetch_tls/src/native_tls.rs
@@ -69,6 +69,16 @@ impl TlsOptions {
             shared: SharedOptions::default(),
         }
     }
+
+    /// Creates [`TlsOptions`] for the platform native TLS backend using
+    /// default settings.
+    ///
+    /// Equivalent to `TlsOptions::builder_native_tls().build()`. Use
+    /// [`TlsOptions::builder_native_tls`] when you need to customize the
+    /// configuration before building.
+    pub fn new_native_tls() -> Self {
+        Self::builder_native_tls().build()
+    }
 }
 
 /// Wraps a pre-built [`native_tls::TlsConnector`] as [`TlsOptions`].
@@ -109,6 +119,13 @@ mod tests {
         assert!(matches!(tls.inner, TlsOptionsKind::NativeTls(_)));
     }
 
+    #[test]
+    fn new_native_tls_produces_native_tls_options() {
+        let tls = TlsOptions::new_native_tls();
+        assert!(matches!(tls.inner, TlsOptionsKind::NativeTls(_)));
+        assert!(tls.shared.client_identity.is_none());
+    }
+
     #[test]
     #[cfg_attr(miri, ignore)] // native-tls touches platform TLS FFI
     fn tls_options_from_tls_connector_wraps_as_preconfigured() {
diff --git a/crates/fetch_tls/src/rustls.rs b/crates/fetch_tls/src/rustls.rs
index 7948694b8..a2f6d1a31 100644
--- a/crates/fetch_tls/src/rustls.rs
+++ b/crates/fetch_tls/src/rustls.rs
@@ -104,6 +104,17 @@ impl TlsOptions {
             shared: SharedOptions::default(),
         }
     }
+
+    /// Creates [`TlsOptions`] for the rustls backend using default settings.
+    ///
+    /// Equivalent to `TlsOptions::builder_rustls().build()`. The crypto
+    /// provider and server certificate verifier are taken from the
+    /// [`TlsBackendDefaults`](crate::TlsBackendDefaults) passed to
+    /// [`TlsOptions::build_backend`]; use [`TlsOptions::builder_rustls`] when
+    /// you need to override them or supply a client identity resolver.
+    pub fn new_rustls() -> Self {
+        Self::builder_rustls().build()
+    }
 }
 
 /// Wraps a pre-built [`rustls::ClientConfig`] as [`TlsOptions`].
@@ -266,6 +277,13 @@ mod tests {
         assert!(matches!(tls.inner, TlsOptionsKind::Rustls(_)));
     }
 
+    #[test]
+    fn new_rustls_produces_rustls_tls_options() {
+        let tls = TlsOptions::new_rustls();
+        assert!(matches!(tls.inner, TlsOptionsKind::Rustls(_)));
+        assert!(tls.shared.client_identity.is_none());
+    }
+
     #[test]
     #[cfg_attr(miri, ignore)] // crypto provider FFI (aws-lc-rs) does not run under Miri
     fn build_produces_client_config_without_identity() {

From d0d89bb1fcbda4b904bf3187df3f94294b506481 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 21:12:37 +0200
Subject: [PATCH 09/30] icons

---
 crates/fetch_tls/favicon.ico | 4 ++--
 crates/fetch_tls/logo.png    | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/crates/fetch_tls/favicon.ico b/crates/fetch_tls/favicon.ico
index ccae81142..b394ce24d 100644
--- a/crates/fetch_tls/favicon.ico
+++ b/crates/fetch_tls/favicon.ico
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e48225cb42c8ac02df5dd4a9bdba29c1e8d10436cc27055d6a021bcb951d4145
-size 480683
+oid sha256:118aa67d3e567980eae98e411c94eb6703b152121ff16fd286ad10c7406c98a8
+size 201783
diff --git a/crates/fetch_tls/logo.png b/crates/fetch_tls/logo.png
index f2bd66915..2196837fc 100644
--- a/crates/fetch_tls/logo.png
+++ b/crates/fetch_tls/logo.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:63ad64ebb0185d7cd153acc291989d72e3a0094603d8bfe781a220861de247f2
-size 17876
+oid sha256:fd2869fb1f894691ce53146253fc98b5b00ff1bef9b1af443d4c4943cac7a6ff
+size 88709

From 868a96430f019bd702cfc142d5c3496f012a9a7c Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 21:19:01 +0200
Subject: [PATCH 10/30] Update options.rs

---
 crates/fetch_tls/src/options.rs | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/crates/fetch_tls/src/options.rs b/crates/fetch_tls/src/options.rs
index 207ef5598..caa09c450 100644
--- a/crates/fetch_tls/src/options.rs
+++ b/crates/fetch_tls/src/options.rs
@@ -36,8 +36,20 @@ pub(crate) enum TlsOptionsKind {
 
 /// TLS configuration for an HTTP client.
 ///
-/// Use [`TlsOptions::builder_rustls`] or [`TlsOptions::builder_native_tls`]
-/// to configure a backend from scratch, or convert from a pre-built
+/// For most callers, [`TlsOptions::new_rustls`] and
+/// [`TlsOptions::new_native_tls`] are the simplest way to construct
+/// [`TlsOptions`]: they produce a configuration with appropriate defaults
+/// for the selected backend. When you need to customize the configuration
+/// (for example, to set a client identity, override the server certificate
+/// verifier, or change supported HTTP versions), use the corresponding
+/// builder constructor [`TlsOptions::builder_rustls`] or
+/// [`TlsOptions::builder_native_tls`] instead.
+///
+/// If you do not want to pick a backend yourself, use
+/// [`TlsOptions::default`] to defer that choice to the HTTP client that
+/// adopts `fetch_tls`.
+///
+/// You can also convert from a pre-built
 /// [`rustls::ClientConfig`](::rustls::ClientConfig) /
 /// [`native_tls::TlsConnector`](::native_tls::TlsConnector) via
 /// [`From`]/[`Into`] to wrap a backend you have already built.
@@ -52,7 +64,7 @@ pub(crate) enum TlsOptionsKind {
 /// # #[cfg(feature = "rustls")] {
 /// use fetch_tls::TlsOptions;
 ///
-/// let tls = TlsOptions::builder_rustls().build();
+/// let tls = TlsOptions::new_rustls();
 /// # }
 /// ```
 ///
@@ -63,7 +75,7 @@ pub(crate) enum TlsOptionsKind {
 /// # #[cfg(feature = "native-tls")] {
 /// use fetch_tls::TlsOptions;
 ///
-/// let tls = TlsOptions::builder_native_tls().build();
+/// let tls = TlsOptions::new_native_tls();
 /// # }
 /// ```
 #[derive(Debug, Clone)]

From 4837e5d425a2bd17466166f67f9aef9db2c38044 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 21:24:00 +0200
Subject: [PATCH 11/30] docs

---
 crates/fetch_tls/README.md      | 95 +++++++++++++++++++++++++--------
 crates/fetch_tls/src/lib.rs     | 10 ++--
 crates/fetch_tls/src/testing.rs |  9 ++--
 3 files changed, 84 insertions(+), 30 deletions(-)

diff --git a/crates/fetch_tls/README.md b/crates/fetch_tls/README.md
index c8adfcad6..4a40ae581 100644
--- a/crates/fetch_tls/README.md
+++ b/crates/fetch_tls/README.md
@@ -15,23 +15,61 @@
 
 Backend-agnostic TLS configuration for HTTP clients.
 
-Build a [`TlsOptions`][__link0] with [`TlsOptions::builder_rustls`][__link1] or
-[`TlsOptions::builder_native_tls`][__link2], or wrap a pre-built
-[`rustls::ClientConfig`][__link3] /
-[`native_tls::TlsConnector`][__link4] via `From`/`Into`.
-Materialize a [`TlsBackend`][__link5] with [`TlsOptions::build_backend`][__link6].
+`fetch_tls` separates *what* TLS behavior a consumer wants from *which*
+TLS implementation actually provides it. This lets application code
+describe its TLS requirements once and lets the HTTP client (or other
+library) decide which backend to materialize at runtime.
+
+## Overview
+
+The core type is [`TlsOptions`][__link0], a backend-agnostic description of a TLS
+client configuration. It can be constructed in a few ways:
+
+* **Explicit backend selection** — use [`TlsOptions::new_rustls`][__link1] or
+  [`TlsOptions::new_native_tls`][__link2] when the consumer specifically wants
+  `rustls` or `native-tls`. For additional customization (client
+  identity, custom verifier, supported HTTP versions, etc.), use the
+  corresponding builders [`TlsOptions::builder_rustls`][__link3] /
+  [`TlsOptions::builder_native_tls`][__link4] (which return a
+  [`TlsOptionsBuilder`][__link5]).
+* **Wrapping a pre-built configuration** — convert an existing
+  [`rustls::ClientConfig`][__link6] or
+  [`native_tls::TlsConnector`][__link7] into a
+  [`TlsOptions`][__link8] via `From`/`Into`.
+* **Default construction** — [`TlsOptions::default`][__link9] produces options
+  that do not pin a specific backend; the choice is deferred to the
+  library consuming the [`TlsOptions`][__link10].
+
+## User vs. consumer perspective
+
+From an **end-user / application** perspective, only [`TlsOptions`][__link11] and
+[`TlsOptionsBuilder`][__link12] are relevant. Users describe their TLS requirements
+and hand the resulting [`TlsOptions`][__link13] to a library (for example, an HTTP
+client).
+
+From a **library / client** perspective that adopts `fetch_tls`, the
+[`TlsOptions`][__link14] is materialized into a concrete [`TlsBackend`][__link15] (backed by
+a specific TLS implementation) via [`TlsOptions::build_backend`][__link16]. The
+library supplies a [`TlsBackendDefaults`][__link17] that:
+
+* provides the information required to actually build the backend (for
+  example, a `rustls` crypto provider and server-certificate verifier via
+  [`TlsBackendDefaults::configure_rustls`][__link18]), and
+* decides which backend to use when the [`TlsOptions`][__link19] does not pin one
+  (i.e. when the consumer does not care about the underlying TLS
+  technology).
 
 ## Features
 
-* **`rustls`** — pure-Rust [`rustls`][__link7]. `fetch_tls` does not
-  bundle a crypto provider; the caller supplies one (along with a
-  server-certificate verifier) via
-  [`TlsBackendDefaults::configure_rustls`][__link8].
+* **`rustls`** — pure-Rust [`rustls`][__link20]. `fetch_tls` does not
+  bundle a crypto provider; the adopting library supplies one (along
+  with a server-certificate verifier) via
+  [`TlsBackendDefaults::configure_rustls`][__link21].
 * **`native-tls`** — platform native TLS (`SChannel` on Windows,
   Security Framework on `macOS`, `OpenSSL` on Linux).
 
-With neither feature enabled, [`TlsOptions::default`][__link9] still constructs but
-[`TlsOptions::build_backend`][__link10] returns a [`BackendError`][__link11].
+With neither feature enabled, [`TlsOptions::default`][__link22] still constructs
+but [`TlsOptions::build_backend`][__link23] returns a [`BackendError`][__link24].
 
 
 <hr/>
@@ -39,16 +77,29 @@ With neither feature enabled, [`TlsOptions::default`][__link9] still constructs
 This crate was developed as part of <a href="../..">The Oxidizer Project</a>. Browse this crate's <a href="https://github.com/microsoft/oxidizer/tree/main/crates/fetch_tls">source code</a>.
 </sub>
 
- [__cargo_doc2readme_dependencies_info]: ggGkYW0CYXSEGy4k8ldDFPOhG2VNeXtD5nnKG6EPY6OfW5wBG8g18NOFNdxpYXKEG2t4QyKGZLjOGzG3afJHTM1YG1p0yPzfBpVtG_wKLWa2KlkuYWSDgmlmZXRjaF90bHNlMC4xLjCCam5hdGl2ZV90bHNmMC4yLjE4gmZydXN0bHNnMC4yMy40MA
+ [__cargo_doc2readme_dependencies_info]: ggGkYW0CYXSEGy4k8ldDFPOhG2VNeXtD5nnKG6EPY6OfW5wBG8g18NOFNdxpYXKEG-IIjNGJ6OaRG__WcJFM0c4mG4L_zMzYrKYvG_1_yZWFbpC2YWSDgmlmZXRjaF90bHNlMC4xLjCCam5hdGl2ZV90bHNmMC4yLjE4gmZydXN0bHNnMC4yMy40MA
  [__link0]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
- [__link1]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::builder_rustls
- [__link10]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::build_backend
- [__link11]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=BackendError
- [__link2]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::builder_native_tls
- [__link3]: https://docs.rs/rustls/0.23.40/rustls/?search=ClientConfig
- [__link4]: https://docs.rs/native_tls/0.2.18/native_tls/?search=TlsConnector
- [__link5]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsBackend
- [__link6]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::build_backend
- [__link7]: https://crates.io/crates/rustls/0.23.40
- [__link8]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsBackendDefaults::configure_rustls
+ [__link1]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::new_rustls
+ [__link10]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
+ [__link11]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
+ [__link12]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptionsBuilder
+ [__link13]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
+ [__link14]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
+ [__link15]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsBackend
+ [__link16]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::build_backend
+ [__link17]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsBackendDefaults
+ [__link18]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsBackendDefaults::configure_rustls
+ [__link19]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
+ [__link2]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::new_native_tls
+ [__link20]: https://crates.io/crates/rustls/0.23.40
+ [__link21]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsBackendDefaults::configure_rustls
+ [__link22]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::default
+ [__link23]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::build_backend
+ [__link24]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=BackendError
+ [__link3]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::builder_rustls
+ [__link4]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::builder_native_tls
+ [__link5]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptionsBuilder
+ [__link6]: https://docs.rs/rustls/0.23.40/rustls/?search=ClientConfig
+ [__link7]: https://docs.rs/native_tls/0.2.18/native_tls/?search=TlsConnector
+ [__link8]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions
  [__link9]: https://docs.rs/fetch_tls/0.1.0/fetch_tls/?search=TlsOptions::default
diff --git a/crates/fetch_tls/src/lib.rs b/crates/fetch_tls/src/lib.rs
index 96a85e08f..c3e82d7a7 100644
--- a/crates/fetch_tls/src/lib.rs
+++ b/crates/fetch_tls/src/lib.rs
@@ -18,9 +18,13 @@
 //! The core type is [`TlsOptions`], a backend-agnostic description of a TLS
 //! client configuration. It can be constructed in a few ways:
 //!
-//! - **Explicit backend selection** — use [`TlsOptions::builder_rustls`] or
-//!   [`TlsOptions::builder_native_tls`] (via [`TlsOptionsBuilder`]) when the
-//!   consumer specifically wants `rustls` or `native-tls`.
+//! - **Explicit backend selection** — use [`TlsOptions::new_rustls`] or
+//!   [`TlsOptions::new_native_tls`] when the consumer specifically wants
+//!   `rustls` or `native-tls`. For additional customization (client
+//!   identity, custom verifier, supported HTTP versions, etc.), use the
+//!   corresponding builders [`TlsOptions::builder_rustls`] /
+//!   [`TlsOptions::builder_native_tls`] (which return a
+//!   [`TlsOptionsBuilder`]).
 //! - **Wrapping a pre-built configuration** — convert an existing
 //!   [`rustls::ClientConfig`](::rustls::ClientConfig) or
 //!   [`native_tls::TlsConnector`](::native_tls::TlsConnector) into a
diff --git a/crates/fetch_tls/src/testing.rs b/crates/fetch_tls/src/testing.rs
index 629aed7dd..c97de03ec 100644
--- a/crates/fetch_tls/src/testing.rs
+++ b/crates/fetch_tls/src/testing.rs
@@ -1,12 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-//! Test helpers for downstream crates and `fetch_tls`'s own tests.
+//! Test helpers used by `fetch_tls`'s own unit tests.
 //!
-//! Available when the `test-util` Cargo feature is enabled, or when the
-//! crate is compiled with `cfg(test)`. These helpers are **not** intended
-//! for use in production code paths — they accept any certificate and
-//! never present a client certificate.
+//! Compiled only under `cfg(test)`. These helpers are **not** intended for
+//! production code paths — they accept any server certificate and never
+//! present a client certificate.
 
 use std::sync::Arc;
 

From f21272a397506c30c0cf300e7b342bd717ecb792 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 25 May 2026 21:30:21 +0200
Subject: [PATCH 12/30] Update backend.rs

---
 crates/fetch_tls/src/backend.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/fetch_tls/src/backend.rs b/crates/fetch_tls/src/backend.rs
index 672dba1c4..2cfed0614 100644
--- a/crates/fetch_tls/src/backend.rs
+++ b/crates/fetch_tls/src/backend.rs
@@ -44,7 +44,7 @@ pub enum TlsBackend {
 /// these defaults.
 ///
 /// In addition to backend-specific defaults, `TlsBackendDefaults` carries
-/// the *default backend selection* used by [`TlsOptions::default`] (and
+/// the *default backend selection* used by [`TlsOptions::default`](super::TlsOptions::default) (and
 /// any other [`TlsOptions`](super::TlsOptions) that did not pin a backend).
 /// Use [`TlsBackendDefaults::defaults_to_rustls`] or
 /// [`TlsBackendDefaults::defaults_to_native_tls`] to set it explicitly;

From d6dca63d159d498eea0ff05f253f55a0bfc02811 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Tue, 26 May 2026 15:53:31 +0200
Subject: [PATCH 13/30] Update Cargo.toml

---
 crates/fetch_hyper/Cargo.toml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/crates/fetch_hyper/Cargo.toml b/crates/fetch_hyper/Cargo.toml
index b4bd7847a..b6cc2a33d 100644
--- a/crates/fetch_hyper/Cargo.toml
+++ b/crates/fetch_hyper/Cargo.toml
@@ -39,19 +39,24 @@ all-features = true
 
 [features]
 rustls = ["dep:rustls", "dep:hyper-rustls", "fetch_tls/rustls"]
-native-tls = ["dep:native-tls", "dep:hyper-tls", "dep:tokio-native-tls", "fetch_tls/native-tls"]
+native-tls = [
+    "dep:native-tls",
+    "dep:hyper-tls",
+    "dep:tokio-native-tls",
+    "fetch_tls/native-tls",
+]
 
 [dependencies]
 # internal
 anyspawn = { workspace = true }
 bytesbuf = { workspace = true }
+fetch_tls = { workspace = true }
 http_extensions = { workspace = true }
 layered = { workspace = true, features = ["dynamic-service"] }
 ohno.workspace = true
 seatbelt = { workspace = true }
 templated_uri = { workspace = true }
 tick = { workspace = true }
-fetch_tls = { workspace = true }
 
 # external
 futures = { workspace = true, features = ["std"] }

From 86e814eb4c0160ccb2a36b16ea3f873ec32e4fdf Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Tue, 26 May 2026 16:09:03 +0200
Subject: [PATCH 14/30] fixes

---
 crates/fetch_tls/src/lib.rs    | 2 +-
 crates/fetch_tls/src/rustls.rs | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/crates/fetch_tls/src/lib.rs b/crates/fetch_tls/src/lib.rs
index c3e82d7a7..83b199c15 100644
--- a/crates/fetch_tls/src/lib.rs
+++ b/crates/fetch_tls/src/lib.rs
@@ -81,7 +81,7 @@ pub use native_tls::NativeTlsOptions;
 #[cfg(any(feature = "rustls", test))]
 mod rustls;
 #[cfg(any(feature = "rustls", test))]
-pub use rustls::{RustlsOptions, ServerCertVerifierFactory};
+pub use rustls::RustlsOptions;
 
 #[cfg(test)]
 mod testing;
diff --git a/crates/fetch_tls/src/rustls.rs b/crates/fetch_tls/src/rustls.rs
index a2f6d1a31..a5749ed02 100644
--- a/crates/fetch_tls/src/rustls.rs
+++ b/crates/fetch_tls/src/rustls.rs
@@ -15,11 +15,7 @@ use crate::options::{SharedOptions, TlsOptions, TlsOptionsBuilder, TlsOptionsKin
 
 /// Factory that builds a [`ServerCertVerifier`] from the negotiated
 /// [`CryptoProvider`].
-///
-/// Verifiers commonly need the same crypto provider as the rest of the TLS
-/// stack (for example, to share signature-verification algorithms), so the
-/// builder defers construction until the provider is known.
-pub type ServerCertVerifierFactory = dyn Fn(Arc<CryptoProvider>) -> Arc<dyn ServerCertVerifier> + Send + Sync;
+type ServerCertVerifierFactory = dyn Fn(Arc<CryptoProvider>) -> Arc<dyn ServerCertVerifier> + Send + Sync;
 
 /// Rustls TLS backend configuration.
 #[derive(Clone)]

From 75f50877546cfae96c2a311109be997f67506e72 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Tue, 26 May 2026 16:24:44 +0200
Subject: [PATCH 15/30] Update Cargo.toml

---
 crates/fetch_hyper/Cargo.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crates/fetch_hyper/Cargo.toml b/crates/fetch_hyper/Cargo.toml
index b6cc2a33d..322a1f083 100644
--- a/crates/fetch_hyper/Cargo.toml
+++ b/crates/fetch_hyper/Cargo.toml
@@ -99,6 +99,7 @@ tokio = { workspace = true, features = ["macros", "rt-multi-thread", "rt", "net"
 tokio-native-tls = { workspace = true }
 tracing-test = { workspace = true, features = ["no-env-filter"] }
 wiremock = { workspace = true }
+fetch_tls = { workspace = true, features = ["rustls", "native-tls"] }
 
 [[test]]
 name = "smoke"

From 58c39e014a7a3385556e5ab2c51f659296ded890 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Tue, 26 May 2026 16:37:15 +0200
Subject: [PATCH 16/30] Update Cargo.toml

---
 crates/fetch_hyper/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/fetch_hyper/Cargo.toml b/crates/fetch_hyper/Cargo.toml
index 322a1f083..c50d974da 100644
--- a/crates/fetch_hyper/Cargo.toml
+++ b/crates/fetch_hyper/Cargo.toml
@@ -82,6 +82,7 @@ tokio-native-tls = { workspace = true, optional = true }
 [dev-dependencies]
 anyspawn = { workspace = true, features = ["tokio"] }
 bytes = { workspace = true }
+fetch_tls = { workspace = true, features = ["rustls", "native-tls"] }
 futures = { workspace = true, features = ["std", "executor"] }
 http_extensions = { workspace = true, features = ["test-util"] }
 hyper-rustls = { workspace = true, features = ["http1", "http2"] }
@@ -99,7 +100,6 @@ tokio = { workspace = true, features = ["macros", "rt-multi-thread", "rt", "net"
 tokio-native-tls = { workspace = true }
 tracing-test = { workspace = true, features = ["no-env-filter"] }
 wiremock = { workspace = true }
-fetch_tls = { workspace = true, features = ["rustls", "native-tls"] }
 
 [[test]]
 name = "smoke"

From 527b651fbb4ee446fe2c0bddc3bafb03909f50cc Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Tue, 26 May 2026 16:44:24 +0200
Subject: [PATCH 17/30] approve external types

---
 crates/fetch_hyper/Cargo.toml |  1 +
 crates/fetch_tls/Cargo.toml   | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/crates/fetch_hyper/Cargo.toml b/crates/fetch_hyper/Cargo.toml
index c50d974da..aaa5a4df0 100644
--- a/crates/fetch_hyper/Cargo.toml
+++ b/crates/fetch_hyper/Cargo.toml
@@ -20,6 +20,7 @@ repository = "https://github.com/microsoft/oxidizer/tree/main/crates/fetch_hyper
 allowed_external_types = [
     # Workspace sibling crates
     "anyspawn::spawner::Spawner",
+    "fetch_tls::*",
     "http_extensions::*",
     "layered::*",
     "templated_uri::*",
diff --git a/crates/fetch_tls/Cargo.toml b/crates/fetch_tls/Cargo.toml
index 5fb321b39..fb318fdb0 100644
--- a/crates/fetch_tls/Cargo.toml
+++ b/crates/fetch_tls/Cargo.toml
@@ -16,6 +16,21 @@ license.workspace = true
 homepage.workspace = true
 repository = "https://github.com/microsoft/oxidizer/tree/main/crates/fetch_tls"
 
+[package.metadata.cargo_check_external_types]
+allowed_external_types = [
+    # ohno macro-generated trait impls
+    "ohno::enrichable::Enrichable",
+    "ohno::error_ext::ErrorExt",
+    # External dependencies surfaced in the public API
+    "http::version::Version",
+    # TLS backends (feature-gated)
+    "rustls::client::client_conn::ClientConfig",
+    "rustls::client::client_conn::ResolvesClientCert",
+    "rustls::crypto::CryptoProvider",
+    "rustls::verify::ServerCertVerifier",
+    "native_tls::TlsConnector",
+]
+
 [package.metadata.docs.rs]
 all-features = true
 

From 9e67a946551eee831fb18d42834d97402d271a11 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Tue, 26 May 2026 16:50:09 +0200
Subject: [PATCH 18/30] Update connector.rs

---
 crates/fetch_hyper/src/tls/connector.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crates/fetch_hyper/src/tls/connector.rs b/crates/fetch_hyper/src/tls/connector.rs
index 9603abda7..23d85a0db 100644
--- a/crates/fetch_hyper/src/tls/connector.rs
+++ b/crates/fetch_hyper/src/tls/connector.rs
@@ -57,8 +57,9 @@ where
     #[expect(clippy::allow_attributes, reason = "expect would be unfulfilled when a TLS feature is enabled")]
     #[allow(
         unused_variables,
+        unreachable_patterns,
         clippy::needless_pass_by_value,
-        reason = "parameters are consumed only in feature-gated match arms"
+        reason = "parameters are consumed only in feature-gated match arms; the fallback `_` arm is unreachable when fetch_tls only carries variants whose features are enabled here"
     )]
     pub(crate) fn new(backend: TlsBackend, connector: C, request_filter: RequestFilter, supported_versions: &[Version]) -> Self {
         match backend {
@@ -69,6 +70,7 @@ where
             ),
             #[cfg(any(feature = "native-tls", test))]
             TlsBackend::NativeTls(native) => Self::NativeTls(build_native_tls_connector(native, connector, request_filter), PhantomData),
+            _ => unreachable!("make doc tests happy"),
         }
     }
 }

From 4cf881af69ad85b052ab4f0c185f648232b3e35f Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Thu, 28 May 2026 15:59:17 +0200
Subject: [PATCH 19/30] fixes

---
 crates/fetch_tls/src/backend.rs | 19 +------
 crates/fetch_tls/src/lib.rs     |  1 +
 crates/fetch_tls/src/rustls.rs  | 90 +++++++++++++++------------------
 3 files changed, 44 insertions(+), 66 deletions(-)

diff --git a/crates/fetch_tls/src/backend.rs b/crates/fetch_tls/src/backend.rs
index 2cfed0614..639f5ff74 100644
--- a/crates/fetch_tls/src/backend.rs
+++ b/crates/fetch_tls/src/backend.rs
@@ -54,7 +54,7 @@ pub enum TlsBackend {
 /// Use [`TlsBackendDefaults::new`] when no backend-specific state is
 /// required. Building a rustls backend without
 /// [`TlsBackendDefaults::configure_rustls`] returns a [`BackendError`].
-#[derive(Clone, Default)]
+#[derive(Clone, Default, Debug)]
 pub struct TlsBackendDefaults {
     #[cfg(any(feature = "rustls", test))]
     pub(crate) rustls: Option<RustlsDefaults>,
@@ -64,7 +64,7 @@ pub struct TlsBackendDefaults {
 
 /// Environment-supplied defaults specific to the rustls backend.
 #[cfg(any(feature = "rustls", test))]
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 pub(crate) struct RustlsDefaults {
     pub(crate) crypto_provider: std::sync::Arc<::rustls::crypto::CryptoProvider>,
     pub(crate) verifier: std::sync::Arc<dyn ::rustls::client::danger::ServerCertVerifier>,
@@ -131,21 +131,6 @@ impl TlsBackendDefaults {
     }
 }
 
-impl std::fmt::Debug for TlsBackendDefaults {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        let mut s = f.debug_struct("TlsBackendDefaults");
-        #[cfg(any(feature = "rustls", test))]
-        {
-            s.field(
-                "rustls",
-                &self.rustls.as_ref().map(|_| "<rustls CryptoProvider + ServerCertVerifier>"),
-            );
-        }
-        s.field("default", &self.default);
-        s.finish()
-    }
-}
-
 #[cfg(any(feature = "rustls", test))]
 impl From<::rustls::ClientConfig> for TlsBackend {
     fn from(config: ::rustls::ClientConfig) -> Self {
diff --git a/crates/fetch_tls/src/lib.rs b/crates/fetch_tls/src/lib.rs
index 83b199c15..b66a4f1dc 100644
--- a/crates/fetch_tls/src/lib.rs
+++ b/crates/fetch_tls/src/lib.rs
@@ -83,5 +83,6 @@ mod rustls;
 #[cfg(any(feature = "rustls", test))]
 pub use rustls::RustlsOptions;
 
+#[cfg_attr(coverage_nightly, coverage(off))]
 #[cfg(test)]
 mod testing;
diff --git a/crates/fetch_tls/src/rustls.rs b/crates/fetch_tls/src/rustls.rs
index a5749ed02..d31cf5001 100644
--- a/crates/fetch_tls/src/rustls.rs
+++ b/crates/fetch_tls/src/rustls.rs
@@ -3,6 +3,7 @@
 
 //! Rustls backend configuration and builder integration.
 
+use std::fmt::Debug;
 use std::sync::Arc;
 
 use rustls::ClientConfig;
@@ -13,35 +14,12 @@ use rustls::crypto::CryptoProvider;
 use crate::backend::BackendError;
 use crate::options::{SharedOptions, TlsOptions, TlsOptionsBuilder, TlsOptionsKind};
 
-/// Factory that builds a [`ServerCertVerifier`] from the negotiated
-/// [`CryptoProvider`].
-type ServerCertVerifierFactory = dyn Fn(Arc<CryptoProvider>) -> Arc<dyn ServerCertVerifier> + Send + Sync;
-
 /// Rustls TLS backend configuration.
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 pub struct RustlsOptions {
-    pub(crate) crypto_provider: Option<Arc<CryptoProvider>>,
-    pub(crate) verifier_factory: Option<Arc<ServerCertVerifierFactory>>,
-    pub(crate) client_identity_resolver: Option<Arc<dyn ResolvesClientCert>>,
-}
-
-impl std::fmt::Debug for RustlsOptions {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        // `dyn ServerCertVerifier` and `dyn ResolvesClientCert` do not
-        // implement `Debug`; render only presence so we don't have to require
-        // Debug on opaque user-supplied types.
-        f.debug_struct("RustlsOptions")
-            .field("crypto_provider", &self.crypto_provider.as_ref().map(|_| "<custom CryptoProvider>"))
-            .field(
-                "verifier_factory",
-                &self.verifier_factory.as_ref().map(|_| "<custom verifier factory>"),
-            )
-            .field(
-                "client_identity_resolver",
-                &self.client_identity_resolver.as_ref().map(|_| "<custom resolver>"),
-            )
-            .finish()
-    }
+    crypto_provider: Option<Arc<CryptoProvider>>,
+    verifier_factory: Option<ServerCertVerifierFactory>,
+    client_identity_resolver: Option<Arc<dyn ResolvesClientCert>>,
 }
 
 impl RustlsOptions {
@@ -68,7 +46,7 @@ impl RustlsOptions {
                 )
             })?;
         let verifier = match self.verifier_factory {
-            Some(factory) => factory(Arc::clone(&crypto_provider)),
+            Some(factory) => factory.invoke(Arc::clone(&crypto_provider)),
             None => defaults.map(|d| Arc::clone(&d.verifier)).ok_or_else(|| {
                 BackendError::caused_by(
                     "rustls server certificate verifier not supplied; set it via TlsOptionsBuilder::server_certificate_verifier or TlsBackendDefaults::configure_rustls(...)",
@@ -163,7 +141,7 @@ impl TlsOptionsBuilder<RustlsOptions> {
     where
         F: Fn(Arc<CryptoProvider>) -> Arc<dyn ServerCertVerifier> + Send + Sync + 'static,
     {
-        self.backend.verifier_factory = Some(Arc::new(factory));
+        self.backend.verifier_factory = Some(ServerCertVerifierFactory::new(factory));
         self
     }
 
@@ -186,6 +164,34 @@ impl TlsOptionsBuilder<RustlsOptions> {
     }
 }
 
+/// Factory that builds a [`ServerCertVerifier`] from the negotiated
+/// [`CryptoProvider`].
+type ServerCertVerifierFactoryType = Arc<dyn Fn(Arc<CryptoProvider>) -> Arc<dyn ServerCertVerifier> + Send + Sync>;
+
+#[derive(Clone)]
+struct ServerCertVerifierFactory(ServerCertVerifierFactoryType);
+
+impl ServerCertVerifierFactory {
+    pub fn new<F>(factory: F) -> Self
+    where
+        F: Fn(Arc<CryptoProvider>) -> Arc<dyn ServerCertVerifier> + Send + Sync + 'static,
+    {
+        Self(Arc::new(factory))
+    }
+
+    pub fn invoke(&self, crypto_provider: Arc<CryptoProvider>) -> Arc<dyn ServerCertVerifier> {
+        self.0.as_ref()(crypto_provider)
+    }
+}
+
+impl Debug for ServerCertVerifierFactory {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("ServerCertVerifierFactory")
+            .field("factory", &"<custom verifier factory>")
+            .finish()
+    }
+}
+
 #[cfg(test)]
 #[cfg_attr(coverage_nightly, coverage(off))]
 mod tests {
@@ -244,7 +250,7 @@ mod tests {
         static CALLED: AtomicBool = AtomicBool::new(false);
         let rustls_backend = RustlsOptions {
             crypto_provider: Some(provider()),
-            verifier_factory: Some(Arc::new(|_provider| {
+            verifier_factory: Some(ServerCertVerifierFactory::new(|_provider| {
                 CALLED.store(true, Ordering::SeqCst);
                 Arc::new(AcceptAll)
             })),
@@ -290,7 +296,7 @@ mod tests {
         // also exercise the path that produces `rustls::ClientConfig`.
         let rustls_backend = RustlsOptions {
             crypto_provider: None,
-            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: None,
         };
         rustls_backend.build(Some(&defaults()), &shared_with(None)).unwrap();
@@ -302,7 +308,7 @@ mod tests {
         let identity = ClientIdentity::from_der(vec![vec![0x30u8, 0x00]], vec![0x30u8, 0x00]);
         let rustls_backend = RustlsOptions {
             crypto_provider: None,
-            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: None,
         };
         let err = rustls_backend.build(Some(&defaults()), &shared_with(Some(identity))).unwrap_err();
@@ -342,7 +348,7 @@ mod tests {
     fn build_uses_builder_crypto_provider_without_defaults() {
         let rustls_backend = RustlsOptions {
             crypto_provider: Some(provider()),
-            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: None,
         };
         rustls_backend.build(None, &shared_with(None)).unwrap();
@@ -361,20 +367,6 @@ mod tests {
         assert!(matches!(tls.inner, TlsOptionsKind::PreConfigured(_)));
     }
 
-    #[test]
-    fn debug_renders_without_panic() {
-        let rustls = RustlsOptions {
-            crypto_provider: Some(provider()),
-            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
-            client_identity_resolver: Some(Arc::new(StubResolver)),
-        };
-        let s = format!("{rustls:?}");
-        assert!(s.contains("RustlsOptions"));
-        assert!(s.contains("<custom CryptoProvider>"));
-        assert!(s.contains("<custom verifier factory>"));
-        assert!(s.contains("<custom resolver>"));
-    }
-
     #[test]
     fn client_identity_resolver_stores_resolver() {
         let builder = TlsOptions::builder_rustls().client_identity_resolver(Arc::new(StubResolver));
@@ -386,7 +378,7 @@ mod tests {
     fn build_uses_resolver_for_client_auth() {
         let rustls_backend = RustlsOptions {
             crypto_provider: None,
-            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: Some(Arc::new(StubResolver)),
         };
         rustls_backend.build(Some(&defaults()), &shared_with(None)).unwrap();
@@ -401,7 +393,7 @@ mod tests {
         let identity = ClientIdentity::from_der(vec![vec![0x30u8, 0x00]], vec![0x30u8, 0x00]);
         let rustls_backend = RustlsOptions {
             crypto_provider: None,
-            verifier_factory: Some(Arc::new(|_| Arc::new(AcceptAll))),
+            verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: Some(Arc::new(StubResolver)),
         };
         rustls_backend.build(Some(&defaults()), &shared_with(Some(identity))).unwrap();

From a594aaac8f02427215f50a8277551cf9fb3918a8 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Thu, 28 May 2026 16:11:31 +0200
Subject: [PATCH 20/30] latest version

---
 Cargo.lock | 4 ++--
 Cargo.toml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 0c6b37ba9..efed31453 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1541,9 +1541,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
 [[package]]
 name = "hyper"
-version = "1.9.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6299f016b246a94207e63da54dbe807655bf9e00044f73ded42c3ac5305fbcca"
+checksum = "eb92f162bf56536459fc83c79b974bb12837acfed43d6bc370a7916d0ae15ecc"
 dependencies = [
  "atomic-waker",
  "bytes",
diff --git a/Cargo.toml b/Cargo.toml
index 3a5ccb40b..87a6c153a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -87,10 +87,10 @@ hashbrown = { version = "0.17.0", default-features = false }
 http = { version = "1.2.0", default-features = false, features = ["std"] }
 http-body = { version = "1.0.1", default-features = false }
 http-body-util = { version = "0.1.3", default-features = false }
-hyper = { version = "1.6.0", default-features = false }
+hyper = { version = "1.10.0", default-features = false }
 hyper-rustls = { version = "0.27.9", default-features = false }
 hyper-tls = { version = "0.6.0", default-features = false }
-hyper-util = { version = "0.1.16", default-features = false }
+hyper-util = { version = "0.1.20", default-features = false }
 infinity_pool = { version = "0.8.1", default-features = false }
 insta = { version = "1.44.1", default-features = false }
 jiff = { version = "0.2.21", default-features = false }

From 747bce58ca321497d7ced338d6438851d8a3e71a Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Sat, 30 May 2026 17:48:20 +0200
Subject: [PATCH 21/30] fixes and code coverage

---
 Cargo.lock                                    |  5 ++--
 Cargo.toml                                    |  2 +-
 crates/fetch_tls/Cargo.toml                   |  1 +
 crates/fetch_tls/src/native_tls.rs            |  5 ++--
 crates/fetch_tls/src/rustls.rs                | 27 ++++++++++++++++++-
 ...ebug_for_server_cert_verifier_factory.snap |  7 +++++
 6 files changed, 41 insertions(+), 6 deletions(-)
 create mode 100644 crates/fetch_tls/src/snapshots/fetch_tls__rustls__tests__debug_for_server_cert_verifier_factory.snap

diff --git a/Cargo.lock b/Cargo.lock
index efed31453..13d6d36ee 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1079,6 +1079,7 @@ version = "0.1.0"
 dependencies = [
  "base64",
  "http",
+ "insta",
  "mutants",
  "native-tls",
  "ohno 0.3.2",
@@ -1541,9 +1542,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
 [[package]]
 name = "hyper"
-version = "1.10.0"
+version = "1.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb92f162bf56536459fc83c79b974bb12837acfed43d6bc370a7916d0ae15ecc"
+checksum = "55281c53a1894c864990125767da440a4e630446785086f52523b20033b74498"
 dependencies = [
  "atomic-waker",
  "bytes",
diff --git a/Cargo.toml b/Cargo.toml
index 87a6c153a..2826d633c 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -87,7 +87,7 @@ hashbrown = { version = "0.17.0", default-features = false }
 http = { version = "1.2.0", default-features = false, features = ["std"] }
 http-body = { version = "1.0.1", default-features = false }
 http-body-util = { version = "0.1.3", default-features = false }
-hyper = { version = "1.10.0", default-features = false }
+hyper = { version = "1.10.1", default-features = false }
 hyper-rustls = { version = "0.27.9", default-features = false }
 hyper-tls = { version = "0.6.0", default-features = false }
 hyper-util = { version = "0.1.20", default-features = false }
diff --git a/crates/fetch_tls/Cargo.toml b/crates/fetch_tls/Cargo.toml
index fb318fdb0..9cc08f853 100644
--- a/crates/fetch_tls/Cargo.toml
+++ b/crates/fetch_tls/Cargo.toml
@@ -56,6 +56,7 @@ rustls = { workspace = true, features = [
 rustls-pki-types = { workspace = true, features = ["alloc", "std"] }
 
 [dev-dependencies]
+insta.workspace = true
 mutants = { workspace = true }
 native-tls = { workspace = true, features = ["alpn"] }
 # Test code unconditionally references both backends; pull them in as
diff --git a/crates/fetch_tls/src/native_tls.rs b/crates/fetch_tls/src/native_tls.rs
index 1525b2569..8e7f27fc6 100644
--- a/crates/fetch_tls/src/native_tls.rs
+++ b/crates/fetch_tls/src/native_tls.rs
@@ -39,8 +39,9 @@ impl NativeTlsOptions {
             .min_protocol_version(Some(native_tls::Protocol::Tlsv12));
 
         if let Some(identity) = shared.client_identity.as_ref() {
-            let native_identity = identity.build_native_identity().map_err(BackendError::caused_by)?;
-            builder.identity(native_identity);
+            identity.build_native_identity()
+                .map(|i| { builder.identity(i); })
+                .map_err(BackendError::caused_by)?;
         }
 
         builder.build().map_err(BackendError::caused_by)
diff --git a/crates/fetch_tls/src/rustls.rs b/crates/fetch_tls/src/rustls.rs
index d31cf5001..560e7a99c 100644
--- a/crates/fetch_tls/src/rustls.rs
+++ b/crates/fetch_tls/src/rustls.rs
@@ -195,7 +195,8 @@ impl Debug for ServerCertVerifierFactory {
 #[cfg(test)]
 #[cfg_attr(coverage_nightly, coverage(off))]
 mod tests {
-    use rustls::crypto::aws_lc_rs;
+    use insta::assert_debug_snapshot;
+use rustls::crypto::aws_lc_rs;
 
     use super::*;
     use crate::backend::RustlsDefaults;
@@ -367,6 +368,22 @@ mod tests {
         assert!(matches!(tls.inner, TlsOptionsKind::PreConfigured(_)));
     }
 
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn tls_options_from_arc_client_config_wraps_as_preconfigured() {
+        let config = Arc::new(
+            rustls::ClientConfig::builder_with_provider(provider())
+                .with_safe_default_protocol_versions()
+                .unwrap()
+                .dangerous()
+                .with_custom_certificate_verifier(Arc::new(AcceptAll))
+                .with_no_client_auth(),
+        );
+        let tls = TlsOptions::from(Arc::clone(&config));
+        assert!(matches!(tls.inner, TlsOptionsKind::PreConfigured(_)));
+        assert!(tls.shared.client_identity.is_none());
+    }
+
     #[test]
     fn client_identity_resolver_stores_resolver() {
         let builder = TlsOptions::builder_rustls().client_identity_resolver(Arc::new(StubResolver));
@@ -398,4 +415,12 @@ mod tests {
         };
         rustls_backend.build(Some(&defaults()), &shared_with(Some(identity))).unwrap();
     }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn debug_for_server_cert_verifier_factory() {
+        let factory = ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll));
+
+        assert_debug_snapshot!(factory);
+    }
 }
diff --git a/crates/fetch_tls/src/snapshots/fetch_tls__rustls__tests__debug_for_server_cert_verifier_factory.snap b/crates/fetch_tls/src/snapshots/fetch_tls__rustls__tests__debug_for_server_cert_verifier_factory.snap
new file mode 100644
index 000000000..40782243a
--- /dev/null
+++ b/crates/fetch_tls/src/snapshots/fetch_tls__rustls__tests__debug_for_server_cert_verifier_factory.snap
@@ -0,0 +1,7 @@
+---
+source: crates/fetch_tls/src/rustls.rs
+expression: factory
+---
+ServerCertVerifierFactory {
+    factory: "<custom verifier factory>",
+}

From ee57f85363bf011bb104c0cec7042da758450c2d Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Sat, 30 May 2026 17:49:49 +0200
Subject: [PATCH 22/30] fixes

---
 crates/fetch_hyper/src/tls/connector.rs | 1 +
 crates/fetch_tls/src/native_tls.rs      | 7 +++++--
 crates/fetch_tls/src/rustls.rs          | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/crates/fetch_hyper/src/tls/connector.rs b/crates/fetch_hyper/src/tls/connector.rs
index 23d85a0db..be0b49ac3 100644
--- a/crates/fetch_hyper/src/tls/connector.rs
+++ b/crates/fetch_hyper/src/tls/connector.rs
@@ -70,6 +70,7 @@ where
             ),
             #[cfg(any(feature = "native-tls", test))]
             TlsBackend::NativeTls(native) => Self::NativeTls(build_native_tls_connector(native, connector, request_filter), PhantomData),
+            #[cfg_attr(coverage_nightly, coverage(off))]
             _ => unreachable!("make doc tests happy"),
         }
     }
diff --git a/crates/fetch_tls/src/native_tls.rs b/crates/fetch_tls/src/native_tls.rs
index 8e7f27fc6..a79141172 100644
--- a/crates/fetch_tls/src/native_tls.rs
+++ b/crates/fetch_tls/src/native_tls.rs
@@ -39,8 +39,11 @@ impl NativeTlsOptions {
             .min_protocol_version(Some(native_tls::Protocol::Tlsv12));
 
         if let Some(identity) = shared.client_identity.as_ref() {
-            identity.build_native_identity()
-                .map(|i| { builder.identity(i); })
+            identity
+                .build_native_identity()
+                .map(|i| {
+                    builder.identity(i);
+                })
                 .map_err(BackendError::caused_by)?;
         }
 
diff --git a/crates/fetch_tls/src/rustls.rs b/crates/fetch_tls/src/rustls.rs
index 560e7a99c..7ffbdf958 100644
--- a/crates/fetch_tls/src/rustls.rs
+++ b/crates/fetch_tls/src/rustls.rs
@@ -196,7 +196,7 @@ impl Debug for ServerCertVerifierFactory {
 #[cfg_attr(coverage_nightly, coverage(off))]
 mod tests {
     use insta::assert_debug_snapshot;
-use rustls::crypto::aws_lc_rs;
+    use rustls::crypto::aws_lc_rs;
 
     use super::*;
     use crate::backend::RustlsDefaults;

From a85ec96b7143d278f8068b3df0dfcc8918bec57f Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Sat, 30 May 2026 18:04:29 +0200
Subject: [PATCH 23/30] Update Cargo.lock

---
 Cargo.lock | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 13d6d36ee..fa0e35030 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -277,12 +277,13 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 
 [[package]]
-name = "bincode"
-version = "1.3.3"
+name = "bincode-next"
+version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1f45e9417d87227c7a56d22e471c6206462cba514c7590c09aff4cf6d1ddcad"
+checksum = "dbe9e7e6d14aeb39557f226bff158a30e367fac279d0e69b8b42fb41999f9a86"
 dependencies = [
  "serde",
+ "unty-next",
 ]
 
 [[package]]
@@ -471,7 +472,7 @@ dependencies = [
 
 [[package]]
 name = "cachet"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "alloc_tracker",
  "anyspawn",
@@ -504,7 +505,7 @@ dependencies = [
 
 [[package]]
 name = "cachet_memory"
-version = "0.2.0"
+version = "0.2.1"
 dependencies = [
  "cachet_tier",
  "criterion",
@@ -1344,11 +1345,11 @@ checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
 
 [[package]]
 name = "gungraun"
-version = "0.18.2"
+version = "0.19.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3bfa183cef2c88324b20de9727befd262c35592d9885ffd93b8b102536a81cf2"
+checksum = "7e4d8da7e495043e7050236881e37c8c7cbd896a8674c2fa49b13f2ff8c9505b"
 dependencies = [
- "bincode",
+ "bincode-next",
  "derive_more",
  "gungraun-macros",
  "gungraun-runner",
@@ -1356,9 +1357,9 @@ dependencies = [
 
 [[package]]
 name = "gungraun-macros"
-version = "0.8.0"
+version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e35c7fb6133421db1cf752b7a2838d9277a26810ccaeeca7aa449f96ad7c2b01"
+checksum = "4cc6269e89921872ec32af29af3a992618b9bd2ef47cbf3704af476066cb7182"
 dependencies = [
  "derive_more",
  "proc-macro-error2",
@@ -1372,9 +1373,9 @@ dependencies = [
 
 [[package]]
 name = "gungraun-runner"
-version = "0.18.2"
+version = "0.19.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ebdac6d5fe0aa9d9623d690fbfdb759e0ed44115e0685b9abc4568fe47db364"
+checksum = "d412a9c97a337ee83ab57c8e4e377cee1a519afaebbeb803c696ecd1e93173e2"
 dependencies = [
  "serde",
 ]
@@ -1465,9 +1466,9 @@ checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c"
 
 [[package]]
 name = "http"
-version = "1.4.0"
+version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
+checksum = "8be7462df143984c4598a256ef469b251d7d7f9e271135073e78fc535414f3d0"
 dependencies = [
  "bytes",
  "itoa",
@@ -3658,6 +3659,12 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
+[[package]]
+name = "unty-next"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9fa66022bbd1ab992fad72bdedcfd07a0023b6f5ecc83d50121e39e3a3caed41"
+
 [[package]]
 name = "url"
 version = "2.5.8"

From abbd88445369c132b5ead0a1d393aa4f29fcb607 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Sun, 31 May 2026 20:07:55 +0200
Subject: [PATCH 24/30] alpn handling

---
 Cargo.lock                              |  1 +
 crates/fetch_hyper/src/builder.rs       |  8 ++++
 crates/fetch_hyper/src/tls/connector.rs |  4 +-
 crates/fetch_tls/Cargo.toml             |  1 +
 crates/fetch_tls/src/alpn.rs            | 51 ++++++++++++++++++++++
 crates/fetch_tls/src/lib.rs             |  2 +
 crates/fetch_tls/src/native_tls.rs      | 58 +------------------------
 crates/fetch_tls/src/options.rs         |  8 ++++
 crates/fetch_tls/src/rustls.rs          | 29 +++++++++++--
 9 files changed, 101 insertions(+), 61 deletions(-)
 create mode 100644 crates/fetch_tls/src/alpn.rs

diff --git a/Cargo.lock b/Cargo.lock
index fa0e35030..de36ad1ea 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1084,6 +1084,7 @@ dependencies = [
  "mutants",
  "native-tls",
  "ohno 0.3.2",
+ "rstest",
  "rustls",
  "rustls-pki-types",
 ]
diff --git a/crates/fetch_hyper/src/builder.rs b/crates/fetch_hyper/src/builder.rs
index 1b414ab0b..99cce22e6 100644
--- a/crates/fetch_hyper/src/builder.rs
+++ b/crates/fetch_hyper/src/builder.rs
@@ -200,8 +200,16 @@ where
     }
 
     /// Sets the negotiable HTTP versions for outgoing requests.
+    ///
+    /// # Panics
+    ///
+    /// Panics if `versions` is empty.
     #[must_use]
     pub fn supported_http_versions(mut self, versions: &[Version]) -> Self {
+        assert!(
+            !versions.is_empty(),
+            "supported_http_versions cannot be empty; configure at least one HTTP version (for example HTTP/1.1 or HTTP/2)"
+        );
         self.supported_http_versions = versions.to_vec();
         self
     }
diff --git a/crates/fetch_hyper/src/tls/connector.rs b/crates/fetch_hyper/src/tls/connector.rs
index be0b49ac3..c8f835a26 100644
--- a/crates/fetch_hyper/src/tls/connector.rs
+++ b/crates/fetch_hyper/src/tls/connector.rs
@@ -83,7 +83,7 @@ where
 #[cfg(any(feature = "rustls", test))]
 #[cfg_attr(test, mutants::skip)]
 fn build_rustls_connector<C, S>(
-    config: rustls::ClientConfig,
+    mut config: rustls::ClientConfig,
     connector: C,
     request_filter: RequestFilter,
     supported_versions: &[Version],
@@ -92,6 +92,8 @@ where
     C: Connect<S>,
     S: HyperIo,
 {
+    // hyper-rustls expects ALPN to be configured via enable_http1/enable_http2.
+    config.alpn_protocols.clear();
     let builder = hyper_rustls::HttpsConnectorBuilder::new().with_tls_config(config);
 
     let builder = match request_filter {
diff --git a/crates/fetch_tls/Cargo.toml b/crates/fetch_tls/Cargo.toml
index 9cc08f853..b0c54c9a4 100644
--- a/crates/fetch_tls/Cargo.toml
+++ b/crates/fetch_tls/Cargo.toml
@@ -59,6 +59,7 @@ rustls-pki-types = { workspace = true, features = ["alloc", "std"] }
 insta.workspace = true
 mutants = { workspace = true }
 native-tls = { workspace = true, features = ["alpn"] }
+rstest.workspace = true
 # Test code unconditionally references both backends; pull them in as
 # dev-dependencies so `cargo test` works with no features enabled.
 rustls = { workspace = true, features = ["tls12", "std", "aws-lc-rs"], default-features = false }
diff --git a/crates/fetch_tls/src/alpn.rs b/crates/fetch_tls/src/alpn.rs
new file mode 100644
index 000000000..c696b9ac2
--- /dev/null
+++ b/crates/fetch_tls/src/alpn.rs
@@ -0,0 +1,51 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//! ALPN protocol mapping from supported HTTP versions.
+
+use http::Version;
+
+const HTTP_11_ALPN: &str = "http/1.1";
+const HTTP_2_ALPN: &str = "h2";
+
+/// Maps configured HTTP versions to the advertised ALPN identifiers.
+pub(crate) fn map_to_alpn(versions: &[Version]) -> &[&str] {
+    let http1 = supports_http1(versions);
+    let http2 = supports_http2(versions);
+    if http2 && http1 {
+        &[HTTP_2_ALPN, HTTP_11_ALPN]
+    } else if http2 {
+        &[HTTP_2_ALPN]
+    } else if http1 {
+        &[HTTP_11_ALPN]
+    } else {
+        &[]
+    }
+}
+
+fn supports_http1(versions: &[Version]) -> bool {
+    versions.contains(&Version::HTTP_11) || versions.contains(&Version::HTTP_10)
+}
+
+fn supports_http2(versions: &[Version]) -> bool {
+    versions.contains(&Version::HTTP_2)
+}
+
+#[cfg(test)]
+#[cfg_attr(coverage_nightly, coverage(off))]
+mod tests {
+    use super::*;
+    use rstest::rstest;
+
+    #[rstest]
+    #[case(&[Version::HTTP_11, Version::HTTP_2], &["h2", "http/1.1"])]
+    #[case(&[Version::HTTP_2], &["h2"])]
+    #[case(&[Version::HTTP_11], &["http/1.1"])]
+    #[case(&[Version::HTTP_10], &["http/1.1"])]
+    #[case(&[], &[])]
+    #[case(&[Version::HTTP_3], &[])]
+    #[case(&[Version::HTTP_10, Version::HTTP_2], &["h2", "http/1.1"])]
+    fn map_to_alpn(#[case] versions: &[Version], #[case] expected_str: &[&str]) {
+        assert_eq!(super::map_to_alpn(versions), expected_str);
+    }
+}
diff --git a/crates/fetch_tls/src/lib.rs b/crates/fetch_tls/src/lib.rs
index b66a4f1dc..1c372e017 100644
--- a/crates/fetch_tls/src/lib.rs
+++ b/crates/fetch_tls/src/lib.rs
@@ -66,6 +66,8 @@
 
 mod backend;
 mod options;
+#[cfg(any(feature = "native-tls", feature = "rustls", test))]
+mod alpn;
 
 pub use backend::{BackendError, TlsBackend, TlsBackendDefaults};
 pub use options::{TlsOptions, TlsOptionsBuilder};
diff --git a/crates/fetch_tls/src/native_tls.rs b/crates/fetch_tls/src/native_tls.rs
index a79141172..15c9e7fff 100644
--- a/crates/fetch_tls/src/native_tls.rs
+++ b/crates/fetch_tls/src/native_tls.rs
@@ -3,17 +3,12 @@
 
 //! Platform native TLS backend configuration and builder integration.
 
-use http::Version;
 use native_tls::TlsConnector;
 
+use crate::alpn::map_to_alpn;
 use crate::backend::BackendError;
 use crate::options::{SharedOptions, TlsOptions, TlsOptionsBuilder, TlsOptionsKind};
 
-// Application-Layer Protocol Negotiation identifiers; see
-// <https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>.
-const HTTP_11_ALPN: &str = "http/1.1";
-const HTTP_2_ALPN: &str = "h2";
-
 /// Platform native TLS backend.
 #[derive(Clone)]
 #[non_exhaustive]
@@ -51,20 +46,6 @@ impl NativeTlsOptions {
     }
 }
 
-fn map_to_alpn(versions: &[Version]) -> &[&str] {
-    let http1 = versions.contains(&Version::HTTP_11) || versions.contains(&Version::HTTP_10);
-    let http2 = versions.contains(&Version::HTTP_2);
-    if http2 && http1 {
-        &[HTTP_2_ALPN, HTTP_11_ALPN]
-    } else if http2 {
-        &[HTTP_2_ALPN]
-    } else if http1 {
-        &[HTTP_11_ALPN]
-    } else {
-        &[]
-    }
-}
-
 impl TlsOptions {
     /// Creates a builder for the platform native TLS backend.
     pub fn builder_native_tls() -> TlsOptionsBuilder<NativeTlsOptions> {
@@ -153,43 +134,6 @@ mod tests {
         NativeTlsOptions::new().build(&SharedOptions::default()).unwrap();
     }
 
-    #[test]
-    fn map_to_alpn_http1_and_http2() {
-        assert_eq!(map_to_alpn(&[Version::HTTP_11, Version::HTTP_2]), &["h2", "http/1.1"]);
-    }
-
-    #[test]
-    fn map_to_alpn_http2_only() {
-        assert_eq!(map_to_alpn(&[Version::HTTP_2]), &["h2"]);
-    }
-
-    #[test]
-    fn map_to_alpn_http11_only() {
-        assert_eq!(map_to_alpn(&[Version::HTTP_11]), &["http/1.1"]);
-    }
-
-    #[test]
-    fn map_to_alpn_http10_aliases_to_http1() {
-        assert_eq!(map_to_alpn(&[Version::HTTP_10]), &["http/1.1"]);
-    }
-
-    #[test]
-    fn map_to_alpn_empty() {
-        let empty: &[&str] = &[];
-        assert_eq!(map_to_alpn(&[]), empty);
-    }
-
-    #[test]
-    fn map_to_alpn_http3_only_is_empty() {
-        let empty: &[&str] = &[];
-        assert_eq!(map_to_alpn(&[Version::HTTP_3]), empty);
-    }
-
-    #[test]
-    fn map_to_alpn_http10_and_http2() {
-        assert_eq!(map_to_alpn(&[Version::HTTP_10, Version::HTTP_2]), &["h2", "http/1.1"]);
-    }
-
     #[test]
     fn debug_renders_presence_only() {
         let s = format!("{:?}", NativeTlsOptions::new());
diff --git a/crates/fetch_tls/src/options.rs b/crates/fetch_tls/src/options.rs
index caa09c450..878658aa9 100644
--- a/crates/fetch_tls/src/options.rs
+++ b/crates/fetch_tls/src/options.rs
@@ -206,7 +206,15 @@ impl<B> TlsOptionsBuilder<B> {
     /// Sets the HTTP versions the client intends to negotiate.
     ///
     /// Backends derive the advertised `ALPN` protocols from this list.
+    ///
+    /// # Panics
+    ///
+    /// Panics if `versions` is empty.
     pub fn supported_http_versions(mut self, versions: &[Version]) -> Self {
+        assert!(
+            !versions.is_empty(),
+            "supported_http_versions cannot be empty; configure at least one HTTP version (for example HTTP/1.1 or HTTP/2)"
+        );
         self.shared.supported_http_versions = versions.to_vec();
         self
     }
diff --git a/crates/fetch_tls/src/rustls.rs b/crates/fetch_tls/src/rustls.rs
index 7ffbdf958..706de1522 100644
--- a/crates/fetch_tls/src/rustls.rs
+++ b/crates/fetch_tls/src/rustls.rs
@@ -11,6 +11,7 @@ use rustls::client::ResolvesClientCert;
 use rustls::client::danger::ServerCertVerifier;
 use rustls::crypto::CryptoProvider;
 
+use crate::alpn::map_to_alpn;
 use crate::backend::BackendError;
 use crate::options::{SharedOptions, TlsOptions, TlsOptionsBuilder, TlsOptionsKind};
 
@@ -60,13 +61,18 @@ impl RustlsOptions {
             .dangerous()
             .with_custom_certificate_verifier(verifier);
 
-        match (self.client_identity_resolver, shared.client_identity.as_ref()) {
+        let mut config = match (self.client_identity_resolver, shared.client_identity.as_ref()) {
             (Some(resolver), _) => Ok(builder.with_client_cert_resolver(resolver)),
             (None, Some(identity)) => builder
                 .with_client_auth_cert(identity.cert_chain().to_vec(), identity.private_key().clone_key())
                 .map_err(BackendError::caused_by),
             (None, None) => Ok(builder.with_no_client_auth()),
-        }
+        }?;
+        config.alpn_protocols = map_to_alpn(&shared.supported_http_versions)
+            .iter()
+            .map(|version| version.as_bytes().to_vec())
+            .collect();
+        Ok(config)
     }
 }
 
@@ -300,7 +306,24 @@ mod tests {
             verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: None,
         };
-        rustls_backend.build(Some(&defaults()), &shared_with(None)).unwrap();
+        let config = rustls_backend.build(Some(&defaults()), &shared_with(None)).unwrap();
+        assert_eq!(config.alpn_protocols, vec![b"h2".to_vec(), b"http/1.1".to_vec()]);
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn build_sets_alpn_from_supported_versions() {
+        let rustls_backend = RustlsOptions {
+            crypto_provider: None,
+            verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
+            client_identity_resolver: None,
+        };
+        let shared = SharedOptions {
+            supported_http_versions: vec![http::Version::HTTP_11],
+            client_identity: None,
+        };
+        let config = rustls_backend.build(Some(&defaults()), &shared).unwrap();
+        assert_eq!(config.alpn_protocols, vec![b"http/1.1".to_vec()]);
     }
 
     #[test]

From b89eaf8cd7dcfeacc7ec0bd78bd70829f6d7c6d7 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Sun, 31 May 2026 21:05:40 +0200
Subject: [PATCH 25/30] fixes

---
 crates/fetch_tls/src/lib.rs     |  4 ++--
 crates/fetch_tls/src/options.rs | 28 ++++++++--------------------
 2 files changed, 10 insertions(+), 22 deletions(-)

diff --git a/crates/fetch_tls/src/lib.rs b/crates/fetch_tls/src/lib.rs
index 1c372e017..3354f1167 100644
--- a/crates/fetch_tls/src/lib.rs
+++ b/crates/fetch_tls/src/lib.rs
@@ -64,10 +64,10 @@
 //! With neither feature enabled, [`TlsOptions::default`] still constructs
 //! but [`TlsOptions::build_backend`] returns a [`BackendError`].
 
-mod backend;
-mod options;
 #[cfg(any(feature = "native-tls", feature = "rustls", test))]
 mod alpn;
+mod backend;
+mod options;
 
 pub use backend::{BackendError, TlsBackend, TlsBackendDefaults};
 pub use options::{TlsOptions, TlsOptionsBuilder};
diff --git a/crates/fetch_tls/src/options.rs b/crates/fetch_tls/src/options.rs
index 878658aa9..7a0b1e5a9 100644
--- a/crates/fetch_tls/src/options.rs
+++ b/crates/fetch_tls/src/options.rs
@@ -81,11 +81,6 @@ pub(crate) enum TlsOptionsKind {
 #[derive(Debug, Clone)]
 #[must_use]
 pub struct TlsOptions {
-    #[allow(
-        clippy::allow_attributes,
-        dead_code,
-        reason = "consumed by downstream HTTP client crates that materialize a TlsBackend from TlsOptions"
-    )]
     pub(crate) inner: TlsOptionsKind,
     pub(crate) shared: SharedOptions,
 }
@@ -106,13 +101,6 @@ impl Default for SharedOptions {
 }
 
 impl TlsOptions {
-    /// HTTP versions the caller intends to negotiate. Backends use this list
-    /// to compute the `ALPN` protocols offered during the TLS handshake.
-    #[must_use]
-    pub fn supported_http_versions(&self) -> &[Version] {
-        &self.shared.supported_http_versions
-    }
-
     /// Materializes these options into a [`TlsBackend`] using `defaults`.
     ///
     /// - auto — selected by [`TlsOptions::default`]; the backend is chosen
@@ -252,6 +240,14 @@ mod tests {
         assert!(matches!(tls.inner, TlsOptionsKind::Auto));
     }
 
+    #[test]
+    fn supported_http_versions_panics_when_empty() {
+        let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+            let _ = TlsOptions::builder_rustls().supported_http_versions(&[]);
+        }));
+        assert!(result.is_err());
+    }
+
     #[test]
     #[cfg_attr(miri, ignore)]
     fn auto_without_default_backend_returns_error() {
@@ -262,14 +258,6 @@ mod tests {
         assert!(msg.contains("no default TLS backend"), "unexpected error: {msg}");
     }
 
-    #[test]
-    fn supported_http_versions_round_trips() {
-        let tls = TlsOptions::builder_rustls()
-            .supported_http_versions(&[Version::HTTP_11, Version::HTTP_2])
-            .build();
-        assert_eq!(tls.supported_http_versions(), &[Version::HTTP_11, Version::HTTP_2]);
-    }
-
     fn rustls_defaults() -> TlsBackendDefaults {
         TlsBackendDefaults::new().configure_rustls(Arc::new(aws_lc_rs::default_provider()), Arc::new(AcceptAll))
     }

From 2303d9069519c741fc93e3e4b240550cb528088a Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Sun, 31 May 2026 21:08:09 +0200
Subject: [PATCH 26/30] Update alpn.rs

---
 crates/fetch_tls/src/alpn.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crates/fetch_tls/src/alpn.rs b/crates/fetch_tls/src/alpn.rs
index c696b9ac2..5c6b5521e 100644
--- a/crates/fetch_tls/src/alpn.rs
+++ b/crates/fetch_tls/src/alpn.rs
@@ -34,9 +34,10 @@ fn supports_http2(versions: &[Version]) -> bool {
 #[cfg(test)]
 #[cfg_attr(coverage_nightly, coverage(off))]
 mod tests {
-    use super::*;
     use rstest::rstest;
 
+    use super::*;
+
     #[rstest]
     #[case(&[Version::HTTP_11, Version::HTTP_2], &["h2", "http/1.1"])]
     #[case(&[Version::HTTP_2], &["h2"])]

From e91bd7b366393d7e707f37046133e90d48e04722 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Sun, 31 May 2026 21:16:29 +0200
Subject: [PATCH 27/30] Update options.rs

---
 crates/fetch_tls/src/options.rs | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/crates/fetch_tls/src/options.rs b/crates/fetch_tls/src/options.rs
index 7a0b1e5a9..0fdb1d52a 100644
--- a/crates/fetch_tls/src/options.rs
+++ b/crates/fetch_tls/src/options.rs
@@ -138,6 +138,7 @@ impl TlsOptions {
     #[allow(
         clippy::allow_attributes,
         clippy::unused_self,
+        clippy::no_effect_underscore_binding,
         reason = "self.shared is used by feature-gated arms; with neither rustls nor native-tls enabled only Unselected is reachable"
     )]
     fn build_auto_backend(self, defaults: &TlsBackendDefaults) -> Result<TlsBackend, BackendError> {
@@ -152,9 +153,14 @@ impl TlsOptions {
                 let connector = super::native_tls::NativeTlsOptions::new().build(&self.shared)?;
                 Ok(TlsBackend::NativeTls(connector))
             }
-            DefaultBackend::Unselected => Err(BackendError::caused_by(
-                "no default TLS backend is configured on TlsBackendDefaults; call defaults_to_rustls() / defaults_to_native_tls() (or configure_rustls(), which implies rustls), or construct TlsOptions via one of its builders",
-            )),
+            DefaultBackend::Unselected => {
+                // use the shared options
+                let _shared = self.shared;
+
+                Err(BackendError::caused_by(
+                    "no default TLS backend is configured on TlsBackendDefaults; call defaults_to_rustls() / defaults_to_native_tls() (or configure_rustls(), which implies rustls), or construct TlsOptions via one of its builders",
+                ))
+            }
         }
     }
 }

From b16bc8f4291034cec89f1c9e01a1141f88152893 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 1 Jun 2026 14:12:56 +0200
Subject: [PATCH 28/30] improvements

---
 crates/fetch_tls/src/backend.rs    | 66 ++++++++++++++++++++++--
 crates/fetch_tls/src/native_tls.rs |  9 ++--
 crates/fetch_tls/src/options.rs    | 45 ++++++++++------
 crates/fetch_tls/src/rustls.rs     | 82 ++++++++++++++++++++----------
 4 files changed, 153 insertions(+), 49 deletions(-)

diff --git a/crates/fetch_tls/src/backend.rs b/crates/fetch_tls/src/backend.rs
index 639f5ff74..81e7ecc94 100644
--- a/crates/fetch_tls/src/backend.rs
+++ b/crates/fetch_tls/src/backend.rs
@@ -3,6 +3,8 @@
 
 //! Fully constructed TLS backends ready for use by an HTTP client.
 
+use http::Version;
+
 /// Error returned when materializing a [`TlsBackend`] from
 /// [`TlsOptions`](super::TlsOptions) fails.
 #[ohno::error]
@@ -43,9 +45,12 @@ pub enum TlsBackend {
 /// own setter; native-tls and pre-configured backends do not consult
 /// these defaults.
 ///
-/// In addition to backend-specific defaults, `TlsBackendDefaults` carries
-/// the *default backend selection* used by [`TlsOptions::default`](super::TlsOptions::default) (and
-/// any other [`TlsOptions`](super::TlsOptions) that did not pin a backend).
+/// In addition to backend-specific defaults, `TlsBackendDefaults` carries:
+/// - the *default backend selection* used by [`TlsOptions::default`](super::TlsOptions::default) (and
+///   any other [`TlsOptions`](super::TlsOptions) that did not pin a backend), and
+/// - the default supported HTTP versions used when
+///   [`TlsOptionsBuilder::supported_http_versions`](super::TlsOptionsBuilder::supported_http_versions)
+///   was not called.
 /// Use [`TlsBackendDefaults::defaults_to_rustls`] or
 /// [`TlsBackendDefaults::defaults_to_native_tls`] to set it explicitly;
 /// [`TlsBackendDefaults::configure_rustls`] implicitly sets it to rustls if
@@ -54,12 +59,13 @@ pub enum TlsBackend {
 /// Use [`TlsBackendDefaults::new`] when no backend-specific state is
 /// required. Building a rustls backend without
 /// [`TlsBackendDefaults::configure_rustls`] returns a [`BackendError`].
-#[derive(Clone, Default, Debug)]
+#[derive(Clone, Debug)]
 pub struct TlsBackendDefaults {
     #[cfg(any(feature = "rustls", test))]
     pub(crate) rustls: Option<RustlsDefaults>,
 
     pub(crate) default: DefaultBackend,
+    pub(crate) supported_http_versions: Vec<Version>,
 }
 
 /// Environment-supplied defaults specific to the rustls backend.
@@ -80,6 +86,22 @@ impl TlsBackendDefaults {
         Self::default()
     }
 
+    /// Sets default HTTP versions used when [`TlsOptionsBuilder::supported_http_versions`](super::TlsOptionsBuilder::supported_http_versions)
+    /// was not called.
+    ///
+    /// # Panics
+    ///
+    /// Panics if `versions` is empty.
+    #[must_use]
+    pub fn supported_http_versions(mut self, versions: &[Version]) -> Self {
+        assert!(
+            !versions.is_empty(),
+            "supported_http_versions cannot be empty; configure at least one HTTP version (for example HTTP/1.1 or HTTP/2)"
+        );
+        self.supported_http_versions = versions.to_vec();
+        self
+    }
+
     /// Configures the rustls crypto provider and a fallback server certificate verifier.
     ///
     /// The verifier is used only when the caller did not configure one via
@@ -131,6 +153,17 @@ impl TlsBackendDefaults {
     }
 }
 
+impl Default for TlsBackendDefaults {
+    fn default() -> Self {
+        Self {
+            #[cfg(any(feature = "rustls", test))]
+            rustls: None,
+            default: DefaultBackend::Unselected,
+            supported_http_versions: vec![Version::HTTP_11, Version::HTTP_2],
+        }
+    }
+}
+
 #[cfg(any(feature = "rustls", test))]
 impl From<::rustls::ClientConfig> for TlsBackend {
     fn from(config: ::rustls::ClientConfig) -> Self {
@@ -166,3 +199,28 @@ pub(crate) enum DefaultBackend {
     #[cfg(any(feature = "native-tls", test))]
     NativeTls,
 }
+
+#[cfg(test)]
+#[cfg_attr(coverage_nightly, coverage(off))]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn default_supported_http_versions_is_http1_and_http2() {
+        let defaults = TlsBackendDefaults::new();
+        assert_eq!(defaults.supported_http_versions, vec![Version::HTTP_11, Version::HTTP_2]);
+    }
+
+    #[test]
+    fn supported_http_versions_overrides_defaults() {
+        let defaults = TlsBackendDefaults::new().supported_http_versions(&[Version::HTTP_11]);
+        assert_eq!(defaults.supported_http_versions, vec![Version::HTTP_11]);
+    }
+
+    #[test]
+    fn tls_backend_defaults_is_cloneable() {
+        let defaults = TlsBackendDefaults::new().supported_http_versions(&[Version::HTTP_2]);
+        let clone = defaults.clone();
+        assert_eq!(clone.supported_http_versions, vec![Version::HTTP_2]);
+    }
+}
diff --git a/crates/fetch_tls/src/native_tls.rs b/crates/fetch_tls/src/native_tls.rs
index 15c9e7fff..dfa8512ae 100644
--- a/crates/fetch_tls/src/native_tls.rs
+++ b/crates/fetch_tls/src/native_tls.rs
@@ -5,6 +5,7 @@
 
 use native_tls::TlsConnector;
 
+use crate::TlsBackendDefaults;
 use crate::alpn::map_to_alpn;
 use crate::backend::BackendError;
 use crate::options::{SharedOptions, TlsOptions, TlsOptionsBuilder, TlsOptionsKind};
@@ -27,10 +28,10 @@ impl NativeTlsOptions {
 
     /// Materializes this configuration into a [`native_tls::TlsConnector`].
     #[expect(clippy::unused_self, reason = "method takes self for symmetry with RustlsOptions::build")]
-    pub(crate) fn build(self, shared: &SharedOptions) -> Result<TlsConnector, BackendError> {
+    pub(crate) fn build(self, defaults: &TlsBackendDefaults, shared: &SharedOptions) -> Result<TlsConnector, BackendError> {
         let mut builder = native_tls::TlsConnector::builder();
         builder
-            .request_alpns(map_to_alpn(&shared.supported_http_versions))
+            .request_alpns(map_to_alpn(shared.resolved_supported_http_versions(defaults)))
             .min_protocol_version(Some(native_tls::Protocol::Tlsv12));
 
         if let Some(identity) = shared.client_identity.as_ref() {
@@ -131,7 +132,9 @@ mod tests {
     #[test]
     #[cfg_attr(miri, ignore)]
     fn build_produces_tls_connector() {
-        NativeTlsOptions::new().build(&SharedOptions::default()).unwrap();
+        NativeTlsOptions::new()
+            .build(&crate::TlsBackendDefaults::new(), &SharedOptions::default())
+            .unwrap();
     }
 
     #[test]
diff --git a/crates/fetch_tls/src/options.rs b/crates/fetch_tls/src/options.rs
index 0fdb1d52a..42a45bd97 100644
--- a/crates/fetch_tls/src/options.rs
+++ b/crates/fetch_tls/src/options.rs
@@ -85,18 +85,22 @@ pub struct TlsOptions {
     pub(crate) shared: SharedOptions,
 }
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, Default)]
 pub(crate) struct SharedOptions {
-    pub(crate) supported_http_versions: Vec<Version>,
+    pub(crate) supported_http_versions: Option<Vec<Version>>,
     pub(crate) client_identity: Option<ClientIdentity>,
 }
 
-impl Default for SharedOptions {
-    fn default() -> Self {
-        Self {
-            supported_http_versions: vec![Version::HTTP_11, Version::HTTP_2],
-            client_identity: None,
-        }
+impl SharedOptions {
+    #[allow(
+        clippy::allow_attributes,
+        dead_code,
+        reason = "used by feature-gated backend builders; can be unused in builds without rustls/native-tls"
+    )]
+    pub(crate) fn resolved_supported_http_versions<'a>(&'a self, defaults: &'a TlsBackendDefaults) -> &'a [Version] {
+        self.supported_http_versions
+            .as_deref()
+            .unwrap_or(defaults.supported_http_versions.as_slice())
     }
 }
 
@@ -124,12 +128,12 @@ impl TlsOptions {
             TlsOptionsKind::PreConfigured(backend) => Ok(backend),
             #[cfg(any(feature = "rustls", test))]
             TlsOptionsKind::Rustls(rustls_backend) => {
-                let config = rustls_backend.build(defaults.rustls.as_ref(), &self.shared)?;
+                let config = rustls_backend.build(defaults, &self.shared)?;
                 Ok(TlsBackend::Rustls(std::sync::Arc::new(config)))
             }
             #[cfg(any(feature = "native-tls", test))]
             TlsOptionsKind::NativeTls(native_backend) => {
-                let connector = native_backend.build(&self.shared)?;
+                let connector = native_backend.build(defaults, &self.shared)?;
                 Ok(TlsBackend::NativeTls(connector))
             }
         }
@@ -145,12 +149,12 @@ impl TlsOptions {
         match defaults.default {
             #[cfg(any(feature = "rustls", test))]
             DefaultBackend::Rustls => {
-                let config = super::rustls::RustlsOptions::new().build(defaults.rustls.as_ref(), &self.shared)?;
+                let config = super::rustls::RustlsOptions::new().build(defaults, &self.shared)?;
                 Ok(TlsBackend::Rustls(std::sync::Arc::new(config)))
             }
             #[cfg(any(feature = "native-tls", test))]
             DefaultBackend::NativeTls => {
-                let connector = super::native_tls::NativeTlsOptions::new().build(&self.shared)?;
+                let connector = super::native_tls::NativeTlsOptions::new().build(defaults, &self.shared)?;
                 Ok(TlsBackend::NativeTls(connector))
             }
             DefaultBackend::Unselected => {
@@ -209,7 +213,7 @@ impl<B> TlsOptionsBuilder<B> {
             !versions.is_empty(),
             "supported_http_versions cannot be empty; configure at least one HTTP version (for example HTTP/1.1 or HTTP/2)"
         );
-        self.shared.supported_http_versions = versions.to_vec();
+        self.shared.supported_http_versions = Some(versions.to_vec());
         self
     }
 
@@ -235,9 +239,20 @@ mod tests {
     use crate::testing::AcceptAllServerCertVerifier as AcceptAll;
 
     #[test]
-    fn default_supported_http_versions_is_http1_and_http2() {
+    fn default_supported_http_versions_is_not_set() {
         let shared = SharedOptions::default();
-        assert_eq!(shared.supported_http_versions, vec![Version::HTTP_11, Version::HTTP_2]);
+        assert!(shared.supported_http_versions.is_none());
+    }
+
+    #[test]
+    fn resolved_supported_http_versions_falls_back_to_backend_defaults() {
+        let shared = SharedOptions::default();
+        let defaults = TlsBackendDefaults::new();
+
+        assert_eq!(
+            shared.resolved_supported_http_versions(&defaults),
+            [Version::HTTP_11, Version::HTTP_2]
+        );
     }
 
     #[test]
diff --git a/crates/fetch_tls/src/rustls.rs b/crates/fetch_tls/src/rustls.rs
index 706de1522..dc0479603 100644
--- a/crates/fetch_tls/src/rustls.rs
+++ b/crates/fetch_tls/src/rustls.rs
@@ -33,14 +33,11 @@ impl RustlsOptions {
     }
 
     /// Materializes this configuration into a [`rustls::ClientConfig`].
-    pub(crate) fn build(
-        self,
-        defaults: Option<&crate::backend::RustlsDefaults>,
-        shared: &SharedOptions,
-    ) -> Result<ClientConfig, BackendError> {
+    pub(crate) fn build(self, backend_defaults: &crate::TlsBackendDefaults, shared: &SharedOptions) -> Result<ClientConfig, BackendError> {
+        let rustls_defaults = backend_defaults.rustls.as_ref();
         let crypto_provider = self
             .crypto_provider
-            .or_else(|| defaults.map(|d| Arc::clone(&d.crypto_provider)))
+            .or_else(|| rustls_defaults.map(|d| Arc::clone(&d.crypto_provider)))
             .ok_or_else(|| {
                 BackendError::caused_by(
                     "rustls crypto provider not supplied; set it via TlsOptionsBuilder::crypto_provider or TlsBackendDefaults::configure_rustls(...)",
@@ -48,7 +45,7 @@ impl RustlsOptions {
             })?;
         let verifier = match self.verifier_factory {
             Some(factory) => factory.invoke(Arc::clone(&crypto_provider)),
-            None => defaults.map(|d| Arc::clone(&d.verifier)).ok_or_else(|| {
+            None => rustls_defaults.map(|d| Arc::clone(&d.verifier)).ok_or_else(|| {
                 BackendError::caused_by(
                     "rustls server certificate verifier not supplied; set it via TlsOptionsBuilder::server_certificate_verifier or TlsBackendDefaults::configure_rustls(...)",
                 )
@@ -68,7 +65,7 @@ impl RustlsOptions {
                 .map_err(BackendError::caused_by),
             (None, None) => Ok(builder.with_no_client_auth()),
         }?;
-        config.alpn_protocols = map_to_alpn(&shared.supported_http_versions)
+        config.alpn_protocols = map_to_alpn(shared.resolved_supported_http_versions(backend_defaults))
             .iter()
             .map(|version| version.as_bytes().to_vec())
             .collect();
@@ -205,7 +202,6 @@ mod tests {
     use rustls::crypto::aws_lc_rs;
 
     use super::*;
-    use crate::backend::RustlsDefaults;
     use crate::client_identity::ClientIdentity;
     use crate::testing::{AcceptAllServerCertVerifier as AcceptAll, NoClientCertResolver as StubResolver};
 
@@ -213,13 +209,6 @@ mod tests {
         Arc::new(aws_lc_rs::default_provider())
     }
 
-    fn defaults() -> RustlsDefaults {
-        RustlsDefaults {
-            crypto_provider: provider(),
-            verifier: Arc::new(AcceptAll),
-        }
-    }
-
     fn shared_with(identity: Option<ClientIdentity>) -> SharedOptions {
         SharedOptions {
             client_identity: identity,
@@ -263,7 +252,7 @@ mod tests {
             })),
             client_identity_resolver: None,
         };
-        rustls_backend.build(None, &shared_with(None)).unwrap();
+        rustls_backend.build(&crate::TlsBackendDefaults::new(), &shared_with(None)).unwrap();
         assert!(CALLED.load(Ordering::SeqCst));
     }
 
@@ -306,7 +295,12 @@ mod tests {
             verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: None,
         };
-        let config = rustls_backend.build(Some(&defaults()), &shared_with(None)).unwrap();
+        let config = rustls_backend
+            .build(
+                &crate::TlsBackendDefaults::new().configure_rustls(provider(), Arc::new(AcceptAll)),
+                &shared_with(None),
+            )
+            .unwrap();
         assert_eq!(config.alpn_protocols, vec![b"h2".to_vec(), b"http/1.1".to_vec()]);
     }
 
@@ -319,10 +313,15 @@ mod tests {
             client_identity_resolver: None,
         };
         let shared = SharedOptions {
-            supported_http_versions: vec![http::Version::HTTP_11],
+            supported_http_versions: Some(vec![http::Version::HTTP_11]),
             client_identity: None,
         };
-        let config = rustls_backend.build(Some(&defaults()), &shared).unwrap();
+        let config = rustls_backend
+            .build(
+                &crate::TlsBackendDefaults::new().configure_rustls(provider(), Arc::new(AcceptAll)),
+                &shared,
+            )
+            .unwrap();
         assert_eq!(config.alpn_protocols, vec![b"http/1.1".to_vec()]);
     }
 
@@ -335,7 +334,12 @@ mod tests {
             verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: None,
         };
-        let err = rustls_backend.build(Some(&defaults()), &shared_with(Some(identity))).unwrap_err();
+        let err = rustls_backend
+            .build(
+                &crate::TlsBackendDefaults::new().configure_rustls(provider(), Arc::new(AcceptAll)),
+                &shared_with(Some(identity)),
+            )
+            .unwrap_err();
         // Surface a debug-format check so we know the underlying rustls error is wrapped.
         let msg = format!("{err}");
         assert!(!msg.is_empty());
@@ -344,12 +348,19 @@ mod tests {
     #[test]
     #[cfg_attr(miri, ignore)]
     fn build_falls_back_to_default_verifier() {
-        RustlsOptions::new().build(Some(&defaults()), &shared_with(None)).unwrap();
+        RustlsOptions::new()
+            .build(
+                &crate::TlsBackendDefaults::new().configure_rustls(provider(), Arc::new(AcceptAll)),
+                &shared_with(None),
+            )
+            .unwrap();
     }
 
     #[test]
     fn build_without_crypto_provider_returns_error() {
-        let err = RustlsOptions::new().build(None, &shared_with(None)).unwrap_err();
+        let err = RustlsOptions::new()
+            .build(&crate::TlsBackendDefaults::new(), &shared_with(None))
+            .unwrap_err();
         let msg = format!("{err}");
         assert!(msg.contains("crypto provider"), "unexpected error: {msg}");
     }
@@ -362,7 +373,9 @@ mod tests {
             verifier_factory: None,
             client_identity_resolver: None,
         };
-        let err = rustls_backend.build(None, &shared_with(None)).unwrap_err();
+        let err = rustls_backend
+            .build(&crate::TlsBackendDefaults::new(), &shared_with(None))
+            .unwrap_err();
         let msg = format!("{err}");
         assert!(msg.contains("server certificate verifier"), "unexpected error: {msg}");
     }
@@ -375,7 +388,12 @@ mod tests {
             verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: None,
         };
-        rustls_backend.build(None, &shared_with(None)).unwrap();
+        rustls_backend
+            .build(
+                &crate::TlsBackendDefaults::new().configure_rustls(provider(), Arc::new(AcceptAll)),
+                &shared_with(None),
+            )
+            .unwrap();
     }
 
     #[test]
@@ -421,7 +439,12 @@ mod tests {
             verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: Some(Arc::new(StubResolver)),
         };
-        rustls_backend.build(Some(&defaults()), &shared_with(None)).unwrap();
+        rustls_backend
+            .build(
+                &crate::TlsBackendDefaults::new().configure_rustls(provider(), Arc::new(AcceptAll)),
+                &shared_with(None),
+            )
+            .unwrap();
     }
 
     #[test]
@@ -436,7 +459,12 @@ mod tests {
             verifier_factory: Some(ServerCertVerifierFactory::new(|_| Arc::new(AcceptAll))),
             client_identity_resolver: Some(Arc::new(StubResolver)),
         };
-        rustls_backend.build(Some(&defaults()), &shared_with(Some(identity))).unwrap();
+        rustls_backend
+            .build(
+                &crate::TlsBackendDefaults::new().configure_rustls(provider(), Arc::new(AcceptAll)),
+                &shared_with(Some(identity)),
+            )
+            .unwrap();
     }
 
     #[test]

From f7c78bd5267bba9b60adfbc3161c38f5ed35bd64 Mon Sep 17 00:00:00 2001
From: martintomka <martintomka@microsoft.com>
Date: Mon, 1 Jun 2026 14:15:34 +0200
Subject: [PATCH 29/30] cleanup

---
 Cargo.lock                      | 1 +
 crates/fetch_tls/Cargo.toml     | 1 +
 crates/fetch_tls/src/backend.rs | 5 ++---
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index de36ad1ea..9e40ae83d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1087,6 +1087,7 @@ dependencies = [
  "rstest",
  "rustls",
  "rustls-pki-types",
+ "static_assertions",
 ]
 
 [[package]]
diff --git a/crates/fetch_tls/Cargo.toml b/crates/fetch_tls/Cargo.toml
index b0c54c9a4..af46fbcb7 100644
--- a/crates/fetch_tls/Cargo.toml
+++ b/crates/fetch_tls/Cargo.toml
@@ -60,6 +60,7 @@ insta.workspace = true
 mutants = { workspace = true }
 native-tls = { workspace = true, features = ["alpn"] }
 rstest.workspace = true
+static_assertions.workspace = true
 # Test code unconditionally references both backends; pull them in as
 # dev-dependencies so `cargo test` works with no features enabled.
 rustls = { workspace = true, features = ["tls12", "std", "aws-lc-rs"], default-features = false }
diff --git a/crates/fetch_tls/src/backend.rs b/crates/fetch_tls/src/backend.rs
index 81e7ecc94..aa2e90ffd 100644
--- a/crates/fetch_tls/src/backend.rs
+++ b/crates/fetch_tls/src/backend.rs
@@ -51,6 +51,7 @@ pub enum TlsBackend {
 /// - the default supported HTTP versions used when
 ///   [`TlsOptionsBuilder::supported_http_versions`](super::TlsOptionsBuilder::supported_http_versions)
 ///   was not called.
+///
 /// Use [`TlsBackendDefaults::defaults_to_rustls`] or
 /// [`TlsBackendDefaults::defaults_to_native_tls`] to set it explicitly;
 /// [`TlsBackendDefaults::configure_rustls`] implicitly sets it to rustls if
@@ -219,8 +220,6 @@ mod tests {
 
     #[test]
     fn tls_backend_defaults_is_cloneable() {
-        let defaults = TlsBackendDefaults::new().supported_http_versions(&[Version::HTTP_2]);
-        let clone = defaults.clone();
-        assert_eq!(clone.supported_http_versions, vec![Version::HTTP_2]);
+        static_assertions::assert_impl_all!(TlsBackendDefaults: Clone);
     }
 }

From 71a398f0243950f66972ad1d803803f4f0af4de7 Mon Sep 17 00:00:00 2001
From: martintmk <103487740+martintmk@users.noreply.github.com>
Date: Mon, 1 Jun 2026 16:02:45 +0200
Subject: [PATCH 30/30] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 crates/fetch_tls/src/client_identity.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crates/fetch_tls/src/client_identity.rs b/crates/fetch_tls/src/client_identity.rs
index 69f124b35..278601bfc 100644
--- a/crates/fetch_tls/src/client_identity.rs
+++ b/crates/fetch_tls/src/client_identity.rs
@@ -76,11 +76,11 @@ impl ClientIdentity {
     /// `cert_chain` is leaf-first; `key_der` must be a `PKCS#8`-encoded
     /// private key.
     #[must_use]
-    pub fn from_der<I, B>(cert_chain: I, key_der: B) -> Self
+    pub fn from_der<I, C, K>(cert_chain: I, key_der: K) -> Self
     where
-        I: IntoIterator<Item = B>,
-        B: AsRef<[u8]>,
-    {
+        I: IntoIterator<Item = C>,
+        C: AsRef<[u8]>,
+        K: AsRef<[u8]>,
         let cert_chain = cert_chain
             .into_iter()
             .map(|c| rustls_pki_types::CertificateDer::from(c.as_ref().to_vec()))