diff --git a/Cargo.lock b/Cargo.lock index 6d5c215e..cbcc6370 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -147,9 +147,9 @@ checksum = "9dbc3a507a82b17ba0d98f6ce8fd6954ea0c8152e98009d36a40d8dcc8ce078a" [[package]] name = "asn1-rs" -version = "0.6.2" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048" +checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60" dependencies = [ "asn1-rs-derive", "asn1-rs-impl", @@ -157,15 +157,15 @@ dependencies = [ "nom 7.1.3", "num-traits", "rusticata-macros", - "thiserror 1.0.69", + "thiserror 2.0.17", "time", ] [[package]] name = "asn1-rs-derive" -version = "0.5.1" +version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490" +checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c" dependencies = [ "proc-macro2", "quote", @@ -1146,9 +1146,9 @@ dependencies = [ [[package]] name = "der-parser" -version = "9.0.0" +version = "10.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553" +checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6" dependencies = [ "asn1-rs", "displaydoc", @@ -2302,7 +2302,7 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" [[package]] name = "lber" version = "0.4.3" -source = "git+https://github.com/matrix-construct/ldap3?rev=7d423314b9dbc66347284e38fc2b78c3d8f3d494#7d423314b9dbc66347284e38fc2b78c3d8f3d494" +source = "git+https://github.com/matrix-construct/ldap3?rev=fdfbba2bf916b53e5f73cdb1a495ebb649978079#fdfbba2bf916b53e5f73cdb1a495ebb649978079" dependencies = [ "bytes", "nom 7.1.3", 
@@ -2311,7 +2311,7 @@ dependencies = [ [[package]] name = "ldap3" version = "0.11.3" -source = "git+https://github.com/matrix-construct/ldap3?rev=7d423314b9dbc66347284e38fc2b78c3d8f3d494#7d423314b9dbc66347284e38fc2b78c3d8f3d494" +source = "git+https://github.com/matrix-construct/ldap3?rev=fdfbba2bf916b53e5f73cdb1a495ebb649978079#fdfbba2bf916b53e5f73cdb1a495ebb649978079" dependencies = [ "async-trait", "bytes", @@ -2322,7 +2322,6 @@ dependencies = [ "log", "nom 7.1.3", "percent-encoding", - "ring", "rustls", "rustls-native-certs", "thiserror 1.0.69", @@ -2944,9 +2943,9 @@ dependencies = [ [[package]] name = "oid-registry" -version = "0.7.1" +version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9" +checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7" dependencies = [ "asn1-rs", ] @@ -5293,6 +5292,7 @@ dependencies = [ "regex", "reqwest", "ruma", + "rustls", "rustyline-async", "serde", "serde_json", @@ -5933,9 +5933,9 @@ checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9" [[package]] name = "x509-parser" -version = "0.16.0" +version = "0.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69" +checksum = "eb3e137310115a65136898d2079f003ce33331a6c4b0d51f1531d1be082b6425" dependencies = [ "asn1-rs", "data-encoding", @@ -5944,7 +5944,7 @@ dependencies = [ "nom 7.1.3", "oid-registry", "rusticata-macros", - "thiserror 1.0.69", + "thiserror 2.0.17", "time", ] diff --git a/Cargo.toml b/Cargo.toml index f880eb33..2d6620ae 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -242,7 +242,7 @@ features = ["use_pem"]
 
 [workspace.dependencies.ldap3]
 git = "https://github.com/matrix-construct/ldap3"
-rev = "7d423314b9dbc66347284e38fc2b78c3d8f3d494"
+rev = "fdfbba2bf916b53e5f73cdb1a495ebb649978079"
 default-features = false
 features = ["sync", "tls-rustls"]
 
@@ -364,7 +364,7 @@ features = [
 [workspace.dependencies.rustls]
 version = "0.23"
 default-features = false
-features = ["aws_lc_rs"]
+features = ["aws_lc_rs", "logging", "tls12", "prefer-post-quantum"]
 
 [workspace.dependencies.rustyline-async]
 version = "0.4.6"
diff --git a/src/router/serve/mod.rs b/src/router/serve/mod.rs
index 10e16716..49ebe583 100644
--- a/src/router/serve/mod.rs
+++ b/src/router/serve/mod.rs
@@ -32,6 +32,8 @@ pub(super) async fn serve(
 if cfg!(unix) && config.unix_socket_path.is_some() {
 unix::serve(server, app, shutdown).await
 } else if config.tls.certs.is_some() {
+#[cfg(feature = "direct_tls")]
+services.globals.init_rustls_provider()?;
 #[cfg(feature = "direct_tls")]
 return tls::serve(server, app, handle, addrs).await;
 
diff --git a/src/router/serve/tls.rs b/src/router/serve/tls.rs
index 44d4262f..d1c2c986 100644
--- a/src/router/serve/tls.rs
+++ b/src/router/serve/tls.rs
@@ -27,12 +27,6 @@ pub(super) async fn serve(
 .as_ref()
 .ok_or_else(|| err!(Config("tls.key", "Missing required value in tls config section")))?;
 
-// we use ring for ruma and hashing state, but aws-lc-rs is the new default.
-// without this, TLS mode will panic.
-rustls::crypto::aws_lc_rs::default_provider()
-.install_default()
-.expect("failed to initialise aws-lc-rs rustls crypto provider");
-
 info!(
 "Note: It is strongly recommended that you use a reverse proxy instead of running \
 tuwunel directly with TLS."
diff --git a/src/service/Cargo.toml b/src/service/Cargo.toml
index b8c8c42d..e7a90af8 100644
--- a/src/service/Cargo.toml
+++ b/src/service/Cargo.toml
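Review bot: The `tls12` feature added on the `+features = ["aws_lc_rs", "logging", "tls12", "prefer-post-quantum"]` line applies to every rustls consumer in the workspace at once — the direct-TLS listener in src/router/serve/tls.rs and the LDAPS client in src/service/users/ldap.rs alike — so unless a config builder elsewhere pins protocol versions (nothing in this diff does), both now negotiate TLS 1.2 where before only 1.3 was on. Nothing in the hunk records which peer needs that, so a later reader cannot tell whether the feature can be dropped again. Add a comment above the line naming the motivating peer, e.g. `# tls12: needed by <peer that cannot negotiate TLS 1.3 — fill in>; drop when no longer required`, or restrict versions in the one builder that needs 1.2 rather than at the workspace feature level.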
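Review bot: In the src/router/serve/mod.rs hunk the two consecutive `#[cfg(feature = "direct_tls")]` attributes read as if they gate unrelated statements, when the added `services.globals.init_rustls_provider()?;` exists only so that the `tls::serve` call right after it can work; one gated block makes that coupling explicit: `#[cfg(feature = "direct_tls")] { services.globals.init_rustls_provider()?; return tls::serve(server, app, handle, addrs).await; }`. The reason for the explicit install — the comment deleted from tls.rs in this same commit, that without it TLS mode panics — no longer appears anywhere this diff shows, so a one-line comment above the block such as `// rustls has no auto-selected default provider in this build; install one before the first handshake` would preserve it. The enclosing `serve` begins before the hunk, so whatever this branch does when the feature is off is outside my view.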
@@ -107,6 +107,7 @@ rand.workspace = true
 regex.workspace = true
 reqwest.workspace = true
 ruma.workspace = true
+rustls.workspace = true
 rustyline-async.workspace = true
 rustyline-async.optional = true
 serde_json.workspace = true
diff --git a/src/service/globals/mod.rs b/src/service/globals/mod.rs
index 2e4439fc..927f9320 100644
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@@ -4,7 +4,7 @@ use std::{collections::HashSet, ops::Range, sync::Arc};
 
 use data::Data;
 use ruma::{OwnedUserId, RoomAliasId, ServerName, UserId};
-use tuwunel_core::{Result, Server, error};
+use tuwunel_core::{Result, Server, err, error};
 
 use crate::service;
 
@@ -130,4 +130,16 @@ impl Service {
 
 tokens
 }
+
+pub fn init_rustls_provider(&self) -> Result {
+if rustls::crypto::CryptoProvider::get_default().is_none() {
+rustls::crypto::aws_lc_rs::default_provider()
+.install_default()
+.map_err(|_provider| {
+err!(error!("Error initialising aws_lc_rs rustls crypto backend"))
+})
+} else {
+Ok(())
+}
+}
 }
diff --git a/src/service/users/ldap.rs b/src/service/users/ldap.rs
index 7e6214d7..f80f276e 100644
--- a/src/service/users/ldap.rs
+++ b/src/service/users/ldap.rs
@@ -21,6 +21,10 @@ pub async fn search_ldap(&self, user_id: &UserId) -> Result>
 .as_ref()
 .ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;
 
+if uri.scheme().starts_with("ldaps") {
+self.services.globals.init_rustls_provider()?;
+}
+
 debug!(?uri, "LDAP creating connection...");
 let (conn, mut ldap) = LdapConnAsync::new(uri.as_str())
 .await
@@ -122,6 +126,10 @@ pub async fn auth_ldap(&self, user_dn: &str, password: &str) -> Result {
 .as_ref()
 .ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;
 
+if uri.scheme().starts_with("ldaps") {
+self.services.globals.init_rustls_provider()?;
+}
+
 debug!(?uri, "LDAP creating connection...");
 let (conn, mut ldap) = LdapConnAsync::new(uri.as_str())
 .await
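Review bot: `init_rustls_provider` in the src/service/globals/mod.rs hunk is check-then-act — `get_default().is_none()` and `install_default()` are separate operations — so two callers racing on first use (the LDAP paths call it per request) can both see `None`, and the loser's `install_default` returns `Err` carrying the provider that won, which the `.map_err` arm turns into a failed request and an `error!` log. That `Err` is exactly the state this function wants, a default provider present, so it should not be treated as failure: `.install_default().or_else(|_already_installed| Ok(()))`, with a `debug!` in the closure if you want the race to be visible. The new `pub fn` also has no doc comment; it should carry over the rationale this commit deletes from tls.rs (an explicit install is needed or TLS mode panics) and state that it is safe to call repeatedly.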
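Review bot: The `uri.scheme().starts_with("ldaps")` gate in the `search_ldap` hunk means a plain `ldap://` URI that is later upgraded with StartTLS would reach rustls with no provider installed, which as far as this diff shows is the panic the deleted tls.rs comment warns about; `LdapConnAsync::new(uri.as_str())` on the line below passes no connection settings, so StartTLS is not in play today, but the gate silently depends on that staying true. Since `init_rustls_provider` returns early once a provider exists, calling it unconditionally before `LdapConnAsync::new` is simpler to reason about, or at minimum the gate deserves a comment: `// rustls needs an explicitly installed crypto provider before any TLS handshake; plain ldap:// never handshakes, so skip it`. The same gate appears in the `auth_ldap` hunk at `@@ -122,6 +126,10 @@` and should change together with this one. Both enclosing functions begin before their hunks.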