diff --git a/boring/src/error.rs b/boring/src/error.rs
index 5c1ad40bb..92647ecaf 100644
--- a/boring/src/error.rs
+++ b/boring/src/error.rs
@@ -62,6 +62,10 @@ impl ErrorStack {
         Self(vec![Error::new_internal(Data::String(err.to_string()))])
     }
 
+    pub(crate) fn internal_error_str(message: &'static str) -> Self {
+        Self(vec![Error::new_internal(Data::String(message.into()))])
+    }
+
     /// Empties the current thread's error queue.
     #[corresponds(ERR_clear_error)]
     pub(crate) fn clear() {
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index fe4bf0784..9deb9a4d5 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -2052,8 +2052,19 @@ impl SslContextBuilder {
     }
 
     /// Sets the context's supported curves.
+    ///
+    /// If the "kx-*" flags are used to set key exchange preference, then don't allow the user to
+    /// set them here. This ensures we don't override the user's preference without telling them:
+    /// when the flags are used, the preferences are set just before connecting or accepting.
+    ///
+    /// The "kx-*" flags will be removed in the next version.
     #[corresponds(SSL_CTX_set1_curves_list)]
     pub fn set_curves_list(&mut self, curves: &str) -> Result<(), ErrorStack> {
+        if cfg!(feature = "kx-safe-default") {
+            return Err(ErrorStack::internal_error_str(
+                "kx-* cargo feature blocked use of set_curves_list",
+            ));
+        }
         let curves = CString::new(curves).map_err(ErrorStack::internal_error)?;
         unsafe {
             cvt_0i(ffi::SSL_CTX_set1_curves_list(
diff --git a/hyper-boring/src/v0.rs b/hyper-boring/src/v0.rs
index 03368d32c..c365abfc0 100644
--- a/hyper-boring/src/v0.rs
+++ b/hyper-boring/src/v0.rs
@@ -8,6 +8,7 @@ use boring::ssl::{
 };
 use http_old::uri::Scheme;
 use hyper_old::client::connect::{Connected, Connection};
+#[cfg(feature = "runtime")]
 use hyper_old::client::HttpConnector;
 use hyper_old::service::Service;
 use hyper_old::Uri;