diff --git a/.github/workflows/ci_core.yml b/.github/workflows/ci_core.yml
index 2cd06aaca981..23f9d53f7d46 100644
--- a/.github/workflows/ci_core.yml
+++ b/.github/workflows/ci_core.yml
@@ -92,6 +92,29 @@ jobs:
 working-directory: core
 run: cargo +${OPENDAL_MSRV} clippy -- -D warnings

+ check_tls_features:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Setup Rust toolchain
+ uses: ./.github/actions/setup
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Assert aws-lc-rs is absent under reqwest-rustls-no-provider-tls
+ working-directory: core
+ run: |
+ set -euo pipefail
+ tree=$(cargo tree -p opendal \
+ --no-default-features \
+ --features services-gcs,reqwest-rustls-no-provider-tls \
+ --edges normal,build \
+ --prefix none)
+ if echo "$tree" | grep -E '^aws-lc-rs( |$)' ; then
+ echo "::error::aws-lc-rs is reachable from opendal with only reqwest-rustls-no-provider-tls enabled"
+ echo "$tree"
+ exit 1
+ fi
+
 build_default_features:
 runs-on: ${{ matrix.os }}
 strategy:
diff --git a/core/Cargo.toml b/core/Cargo.toml
index 5f4d4723d265..aa25cd44121a 100644
--- a/core/Cargo.toml
+++ b/core/Cargo.toml
@@ -119,6 +119,7 @@ layers-tail-cut = ["dep:opendal-layer-tail-cut"]
 layers-throttle = ["dep:opendal-layer-throttle"]
 layers-timeout = ["dep:opendal-layer-timeout"]
 layers-tracing = ["dep:opendal-layer-tracing"]
+reqwest-rustls-no-provider-tls = ["opendal-core/reqwest-rustls-no-provider-tls"]
 reqwest-rustls-tls = ["opendal-core/reqwest-rustls-tls"]
 services-aliyun-drive = ["dep:opendal-service-aliyun-drive"]
 services-alluxio = ["dep:opendal-service-alluxio"]
diff --git a/core/core/Cargo.toml b/core/core/Cargo.toml
index a543974a6893..881bfcba99ba 100644
--- a/core/core/Cargo.toml
+++ b/core/core/Cargo.toml
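Review bot: The `check_tls_features` step added to `.github/workflows/ci_core.yml` is a purely negative assertion, so it passes whenever `aws-lc-rs` is missing from the output, including when the `cargo tree` line format changes or the TLS stack is not resolved at all. A positive control before the `if` would close that gap, e.g. `echo "$tree" | grep -E '^rustls( |$)' >/dev/null || { echo "::error::rustls missing from cargo tree output"; exit 1; }`. The guard is also narrower than the step name suggests: it resolves only `services-gcs` and, by cargo's default, only the host target, so a provider pulled in through another service feature or a target-specific dependency would go unnoticed. Adding `--target all` to the `cargo tree` call would cover the target-specific case.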
@@ -42,6 +42,11 @@ default = ["reqwest-rustls-tls", "executors-tokio"]
 # Enable reqwest rustls tls support.
 reqwest-rustls-tls = ["reqwest/rustls"]

+# Enable reqwest rustls tls support without selecting a crypto provider.
+# The downstream binary is responsible for installing a `rustls`
+# `CryptoProvider` (e.g. `ring` or `aws-lc-rs`) before issuing requests.
+reqwest-rustls-no-provider-tls = ["reqwest/rustls-no-provider"]
+
 # Enable opendal's blocking support.
 blocking = ["internal-tokio-rt"]
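Review bot: The new comment above `reqwest-rustls-no-provider-tls` in `core/core/Cargo.toml` does not say that the feature only changes anything when default features are disabled. The hunk header shows `default = ["reqwest-rustls-tls", "executors-tokio"]`, and because Cargo features are additive, a dependent that leaves defaults on (or any crate in the graph that enables `reqwest-rustls-tls`) still gets `reqwest/rustls` and whatever provider it bundles. The comment also leaves out what happens when no provider is installed, which presumably surfaces only at runtime when the first TLS client is built, not at compile time. I would add `# Requires default-features = false; has no effect if reqwest-rustls-tls is also enabled.` and `# Install the provider once at startup, e.g. rustls::crypto::ring::default_provider().install_default().` so the choice of crypto backend is explicit to users.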