crypto: eliminate native-tls/OpenSSL/ring and unify on rustls/aws-lc-rs#35896

Draft
jasonhernandez wants to merge 1 commit into main from jason/sec-239-tls-migration

Conversation

@jasonhernandez
Contributor

Summary

Complete TLS migration from OpenSSL to rustls with aws-lc-rs as the sole crypto backend, enabling FIPS 140-3 compliance.

Changes by area

Core infrastructure

  • mz-ore: crypto module with #[ctor::ctor] auto-install of aws-lc-rs CryptoProvider; split sentry into separate feature; switch async/tracing from openssl to rustls/hyper-rustls
  • mz-tls-util: full rewrite from openssl to rustls (MakeRustlsConnect, RustlsTlsStream)

Server-side TLS

  • pgwire-common, pgwire, server-core: tokio-openssl → tokio-rustls
  • balancerd: hyper-openssl → hyper-rustls; LD SDK behind telemetry feature
  • environmentd: rustls for HTTPS, rcgen for test certs, telemetry feature gating

Client-side TLS

  • ccsr: reqwest rustls, improved TLS error handling
  • persist: azure SDK with enable_reqwest_rustls_no_provider feature
  • kafka-util, environmentd: rdkafka ssl-vendored → ssl-awslc
  • fivetran-destination: openssl → aws-lc-rs/rustls for AES + postgres
  • npm: reqwest rustls + sha2 → aws-lc-rs digest
  • storage: sha2 → aws-lc-rs digest for upsert key hashing

Telemetry compile-time gating

  • adapter, balancerd, environmentd: LaunchDarkly SDK and Segment behind telemetry feature (disabled in FIPS builds)
  • LD SDK upgraded from 2.6.2 fork to upstream 3.0.1

Workspace forks

  • azure-sdk-for-rust: mz/enable-reqwest-rustls-no-provider
  • rust-sdk-transport: mz/aws-lc-rs-instead-of-ring
  • rust-rdkafka: jasonhernandez/ssl-awslc
  • mysql_async: rustls-fixes
  • tiberius: rustls-0.23-on-mz-changes
  • iceberg-rust: jasonhernandez/rustls-migration
  • duckdb-rs: mz/rustls-tls-no-provider

deny.toml

  • Ban native-tls, hyper-tls, openssl-sys, openssl-src, ring
  • Ban sha2, hmac, subtle with wrappers for third-party crates

CI

  • Docker builder: add Go + ninja-build + pre-built AWS-LC static library
  • macOS agent: build AWS-LC for rdkafka ssl-awslc

Stack

  1. crypto: fix crash on invalid mTLS certs in CREATE/ALTER CONNECTION #35894 — mTLS crash fix
  2. crypto: migrate non-TLS crypto primitives from openssl/sha2 to aws-lc-rs #35895 — crypto primitives ← base
  3. This PR — full TLS migration

Test plan

  • cargo check / cargo check --all-features
  • cargo deny check bans / cargo deny check licenses
  • kafka-auth mzcompose tests (TLS error expectations updated)
  • mysql-cdc TLS connection tests
  • environmentd auth + server integration tests
  • CI green

🤖 Generated with Claude Code
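The deny.toml policy described above (ban the second TLS/crypto backends outright, ban the pure-Rust primitives except through named third-party wrappers, skip rustls ecosystem version duplicates), written out as an added illustrative fragment. This is not the PR's actual deny.toml; the wrapper crate names and the skip entry are placeholders, since the PR does not list them.

```toml
# deny.toml (illustrative fragment, not the PR's file)

[bans]
multiple-versions = "warn"

# Backends that would coexist with aws-lc-rs are denied outright, so a
# transitive dependency cannot silently reintroduce OpenSSL or ring into
# a build that is supposed to route all crypto through one audited library.
deny = [
    { name = "native-tls" },
    { name = "hyper-tls" },
    { name = "openssl-sys" },
    { name = "openssl-src" },
    { name = "ring" },

    # Pure-Rust primitives are denied for first-party code. `wrappers` lists
    # the only crates allowed to depend on them directly; first-party code
    # uses the aws-lc-rs digest/MAC APIs instead. Wrapper names below are
    # placeholders: the PR mentions wrappers but does not name the crates.
    { name = "sha2", wrappers = ["third-party-crate-placeholder"] },
    { name = "hmac", wrappers = ["third-party-crate-placeholder"] },
    { name = "subtle", wrappers = ["third-party-crate-placeholder"] },
]

# Duplicate versions inside the rustls ecosystem are tolerated while the
# forked crates converge on rustls 0.23. Each entry is a placeholder and
# should be deleted once `cargo deny check bans` no longer needs it.
skip = [
    { name = "rustls-ecosystem-crate-placeholder", version = "0.0.0" },
]
```

With this in place, `cargo deny check bans` fails the build if any crate in the graph pulls in a banned backend, which is the check the test plan lists.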

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@jasonhernandez jasonhernandez force-pushed the jason/sec-239-crypto-primitives branch from 4ce57fd to c10ea9f, April 7, 2026 17:31
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-tls-migration branch from 5e4ad29 to d565803, April 7, 2026 17:31
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-crypto-primitives branch from c10ea9f to a108aae, April 7, 2026 18:19
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-tls-migration branch from d565803 to dd987fe, April 7, 2026 18:19
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-crypto-primitives branch from a108aae to 90b5984, April 9, 2026 19:27
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-tls-migration branch from dd987fe to 7e85c50, April 9, 2026 20:29
Base automatically changed from jason/sec-239-crypto-primitives to main, April 9, 2026 21:59
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-tls-migration branch 9 times, most recently from 8df0ce1 to b6cda73, April 10, 2026 18:11
Complete TLS migration from OpenSSL to rustls with aws-lc-rs as the
sole crypto backend. This enables FIPS 140-3 compliance by ensuring all
cryptographic operations go through a single, auditable library.

- mz-ore: add `crypto` module with `#[ctor::ctor]` auto-install of
  aws-lc-rs CryptoProvider; split sentry into separate feature; switch
  async/tracing features from openssl to rustls/hyper-rustls
- mz-tls-util: full rewrite from openssl to rustls — new
  MakeRustlsConnect, RustlsTlsStream types

- pgwire-common, pgwire, server-core: tokio-openssl → tokio-rustls
- balancerd: hyper-openssl → hyper-rustls; LD SDK behind telemetry
  feature
- environmentd: rustls for HTTPS, rcgen for test certs, telemetry
  feature gating

- ccsr: reqwest rustls, improved TLS error handling
- persist: azure SDK with enable_reqwest_rustls_no_provider feature
- kafka-util, environmentd: rdkafka ssl-vendored → ssl-awslc
- fivetran-destination: openssl → aws-lc-rs/rustls for AES + postgres
- npm: reqwest rustls + sha2 → aws-lc-rs digest
- storage: sha2 → aws-lc-rs digest for upsert key hashing

- adapter, balancerd, environmentd: LaunchDarkly SDK and Segment behind
  `telemetry` feature (disabled in FIPS builds to exclude non-compliant
  crypto deps)
- LD SDK upgraded from 2.6.2 fork to upstream 3.0.1

- azure-sdk-for-rust: mz/enable-reqwest-rustls-no-provider
- rust-sdk-transport: mz/aws-lc-rs-instead-of-ring
- rust-rdkafka: jasonhernandez/ssl-awslc
- mysql_async: rustls-fixes
- tiberius: rustls-0.23-on-mz-changes
- iceberg-rust: jasonhernandez/rustls-migration
- duckdb-rs: mz/rustls-tls-no-provider

- Ban native-tls, hyper-tls, openssl-sys, openssl-src, ring
- Ban sha2, hmac, subtle with wrappers for third-party crates
- Add skip entries for rustls ecosystem version duplicates

- Docker builder: add Go + ninja-build + pre-built AWS-LC library
- macOS agent: build AWS-LC for rdkafka ssl-awslc

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-tls-migration branch from b6cda73 to a79ac14, April 10, 2026 18:16