A note for the community
Summary
Vector today statically links a vendored OpenSSL (currently 3.6.2 per
Cargo.lock's openssl-src entry) for all TLS and cryptographic
operations, with no supported way to build against the host OS's OpenSSL
instead. This RFE asks the Vector project to add a build-time option that
lets downstream consumers choose between:
- vendored OpenSSL (current default — preserves today's behavior)
- system OpenSSL (dynamically link against the OpenSSL provided by
the underlying OS)
Use Cases
Motivation
Vector is increasingly deployed into regulated environments (US Federal/DoD,
financial, healthcare) where operators need to use the host OS's
vendor-supplied OpenSSL because:
-
FIPS compliance. The host OS's OpenSSL ships with a FIPS-140-validated
module (e.g. RHEL/UBI's OpenSSL FIPS provider) that the operator's
compliance auditor already accepts. Vector's current FIPS guidance —
bolt the OpenSSL FIPS provider on top of Vector's vendored OpenSSL via
OPENSSL_CONF / OPENSSL_MODULES — couples operators to Vector's
exact vendored ABI and version, which may not match the FIPS provider
they have validated.
-
Patch lifecycle. When the host OS publishes an OpenSSL CVE fix, the
operator wants the fix to ride the host's normal patch cadence rather
than waiting for a Vector re-release. Today there is no way to do that.
-
Single-source crypto. Many operators run a fleet of services on a
common base image (e.g. RHEL UBI) and want every service in that fleet
to use the same OpenSSL build, for both audit traceability and a single
place to patch.
Attempted Solutions
Proposed Solution
Add two mutually-exclusive Cargo features on the top-level vector crate:
openssl-vendored (default — current behavior, no change for existing
users)openssl-system (link dynamically against the host OpenSSL via
openssl-sys's OPENSSL_DIR / OPENSSL_NO_VENDOR environment lookup)
Implementation note: the openssl and openssl-sys crates already support
this distinction natively via their own vendored feature. The change in
Vector is largely build-graph: stop unconditionally enabling vendored,
and let it be selected via a Vector-level feature flag that re-exports
through the dependency tree.
Proposal
No response
References
No response
Version
v0.56.0
A note for the community
Summary
Vector today statically links a vendored OpenSSL (currently
3.6.2perCargo.lock'sopenssl-srcentry) for all TLS and cryptographicoperations, with no supported way to build against the host OS's OpenSSL
instead. This RFE asks the Vector project to add a build-time option that
lets downstream consumers choose between:
the underlying OS)
Use Cases
Motivation
Vector is increasingly deployed into regulated environments (US Federal/DoD,
financial, healthcare) where operators need to use the host OS's
vendor-supplied OpenSSL because:
FIPS compliance. The host OS's OpenSSL ships with a FIPS-140-validated
module (e.g. RHEL/UBI's OpenSSL FIPS provider) that the operator's
compliance auditor already accepts. Vector's current FIPS guidance —
bolt the OpenSSL FIPS provider on top of Vector's vendored OpenSSL via
OPENSSL_CONF/OPENSSL_MODULES— couples operators to Vector'sexact vendored ABI and version, which may not match the FIPS provider
they have validated.
Patch lifecycle. When the host OS publishes an OpenSSL CVE fix, the
operator wants the fix to ride the host's normal patch cadence rather
than waiting for a Vector re-release. Today there is no way to do that.
Single-source crypto. Many operators run a fleet of services on a
common base image (e.g. RHEL UBI) and want every service in that fleet
to use the same OpenSSL build, for both audit traceability and a single
place to patch.
Attempted Solutions
Proposed Solution
Add two mutually-exclusive Cargo features on the top-level
vectorcrate:openssl-vendored(default — current behavior, no change for existingusers)
openssl-system(link dynamically against the host OpenSSL viaopenssl-sys'sOPENSSL_DIR/OPENSSL_NO_VENDORenvironment lookup)Implementation note: the
opensslandopenssl-syscrates already supportthis distinction natively via their own
vendoredfeature. The change inVector is largely build-graph: stop unconditionally enabling
vendored,and let it be selected via a Vector-level feature flag that re-exports
through the dependency tree.
Proposal
No response
References
No response
Version
v0.56.0