diff --git a/Cargo.lock b/Cargo.lock index a0675640e9e7a24e342886238ce6c2505887e8da..ef18182c7ea97c6932f89434591032378c52d449 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -484,9 +484,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.1.13" +version = "1.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72db2f7947ecee9b03b510377e8bb9077afa27176fdbff55c51027e976fdcc48" +checksum = "50d2eb3cd3d1bf4529e31c215ee6f93ec5a3d536d9f578f93d9d33ee19562932" dependencies = [ "jobserver", "libc", @@ -708,6 +708,7 @@ dependencies = [ "reqwest", "ring", "ruma", + "rustls 0.23.12", "sanitize-filename", "serde", "serde_json", @@ -767,6 +768,7 @@ dependencies = [ "hyper-util", "log", "ruma", + "rustls 0.23.12", "sd-notify", "sentry", "sentry-tower", @@ -1946,9 +1948,9 @@ dependencies = [ [[package]] name = "lazy-regex" -version = "3.2.0" +version = "3.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "576c8060ecfdf2e56995cf3274b4f2d71fa5e4fa3607c1c0b63c10180ee58741" +checksum = "8d8e41c97e6bc7ecb552016274b99fbb5d035e8de288c582d9b933af6677bfda" dependencies = [ "lazy-regex-proc_macros", "once_cell", @@ -1957,9 +1959,9 @@ dependencies = [ [[package]] name = "lazy-regex-proc_macros" -version = "3.2.0" +version = "3.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9efb9e65d4503df81c615dc33ff07042a9408ac7f26b45abee25566f7fbfd12c" +checksum = "76e1d8b05d672c53cb9c7b920bbba8783845ae4f0b076e02a3db1d02c81b4163" dependencies = [ "proc-macro2", "quote", @@ -2806,9 +2808,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.36" +version = "1.0.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" +checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" dependencies = [ "proc-macro2", ] 
@@ -3591,9 +3593,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.125" +version = "1.0.127" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "83c8e735a073ccf5be70aa8066aa984eaf2fa000db6c8d0100ae605b366d31ed" +checksum = "8043c06d9f82bd7271361ed64f415fe5e12a77fdb52e573e7f06a516dea329ad" dependencies = [ "itoa", "memchr", diff --git a/Cargo.toml b/Cargo.toml index 304572055606523633523f1c2780dd54e5685efc..a9269d087f77f05da89c099374c8a69acabc8592 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -128,6 +128,9 @@ features = [ "catch-panic", ] +[workspace.dependencies.rustls] +version = "0.23.12" + [workspace.dependencies.reqwest] version = "0.12.7" default-features = false diff --git a/src/core/Cargo.toml b/src/core/Cargo.toml index f6cd5171b0416dbe7c6ace7ba5f18dcd50a695da..2e2b058137d005e063f7ff841645fe4d723a6bb5 100644 --- a/src/core/Cargo.toml +++ b/src/core/Cargo.toml @@ -82,6 +82,7 @@ regex.workspace = true reqwest.workspace = true ring.workspace = true ruma.workspace = true +rustls.workspace = true sanitize-filename.workspace = true serde_json.workspace = true serde_regex.workspace = true diff --git a/src/router/Cargo.toml b/src/router/Cargo.toml index 52535ecfc727ac916989f07943516fd9e97d9943..2f85ffb7713ee4caaa60f0a63a485f47e46a949c 100644 --- a/src/router/Cargo.toml +++ b/src/router/Cargo.toml @@ -62,6 +62,7 @@ http.workspace = true hyper.workspace = true hyper-util.workspace = true ruma.workspace = true +rustls.workspace = true sentry.optional = true sentry-tower.optional = true sentry-tower.workspace = true diff --git a/src/router/serve/tls.rs b/src/router/serve/tls.rs index 109e14d87ec5065add59ac96609b14b409655906..174a511f4c8ef3486d7c609ea57d86665e65b5ab 100644 --- a/src/router/serve/tls.rs +++ b/src/router/serve/tls.rs 
@@ -18,6 +18,10 @@ pub(super) async fn serve( let certs = &tls.certs; let key = &tls.key; + // we use ring for ruma and hashing state, but aws-lc-rs is the new default. + // without this, TLS mode will panic. + _ = rustls::crypto::aws_lc_rs::default_provider().install_default(); + debug!("Using direct TLS. Certificate path {certs} and certificate private key path {key}",); info!( "Note: It is strongly recommended that you use a reverse proxy instead of running conduwuit directly with TLS."
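Review bot: The `Result` of `install_default()` is discarded by `_ =`, so if a process-wide provider is already installed the TLS listener silently keeps that one and nothing records which crypto backend is serving connections. Log the outcome instead, e.g. `if rustls::crypto::aws_lc_rs::default_provider().install_default().is_err() { debug!("rustls CryptoProvider already installed, keeping the existing one"); }`. The comment should also say why TLS mode panics without the call; presumably rustls 0.23 cannot choose a default when both the ring and aws-lc-rs backends are compiled in, but that needs confirming. Cargo.lock refers to this crate as `rustls 0.23.12`, which suggests more than one rustls version in the graph, so the call only helps while the version pinned in the workspace Cargo.toml is the one the TLS server stack resolves to, and that coupling deserves a comment next to the pin. The body of `serve` starts and ends outside the hunk.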