internal(tlssettings tlsconfig): rework TlsSettings to carry PEM based objects
Summary
Modify TlsSettings to carry PEM files instead of PKCS12 for FIPS compatibility. Internal only, no breaking changes.
TlsSettings used a PKCS12 archive to store the TLS identity information. PKCS12 is not Federal Information Processing Standard (FIPS) compliant, and there is significant interest to use vector in such environments. Converting to and from PKCS12 does not work (PKCS12KDF is not compliant) and is best avoided. TlsSettings encapsulates this detail very well, and this change is thus internal to TlsSettings and its initializer TlsConfig.
This change makes PEM based certs & keys the format stored in TlsSettings. For reverse compatibility, when a PKCS12 (DER) archive is presented in the configuration, the code will extract the components into PEM at load time. This conversion is not FIPS compliant and should be avoided there. In practice, most use cases do not use FIPS, so this is perfectly fine to use.
Key changes:
- IdentityStore now keeps a _name, cert, private key, and an optional list of ca certs
- PKCS12 configuration will convert to IdentityStore on load
- TlsSettings::identity() returns the IdentityStore instead of a PKCS12 archive. This avoids the need to convert to PKCS12 and thus avoids the FIPS incompatibility and it discourages conversion back & forth in the future.
Change Type
- [ ] Bug fix
- [ ] New feature
- [ ] Non-functional (chore, refactoring, docs)
- [ ] Performance
- [X] Internal, non-observable, avoid weak cryptographic algorithms
Is this a breaking change?
- [ ] Yes
- [X] No
How did you test this PR?
Executed vector tests:
cargo test --all
./scripts/check_changelog_fragments.sh
Tested on a regular non-fips machine, and on a FIPS enabled kernel where we compiled vector to dynamically link to the system provided OpenSSL. Only the 'fips' and 'base' providers were configured to be available:
RUSTFLAGS="-C prefer-dynamic" OPENSSL_NO_VENDOR=1 OPENSSL_STATIC=0
cargo build -j8 --release --target x86_64-unknown-linux-gnu
--no-default-features --features target-x86_64-unknown-linux-gnu
Does this PR include user facing changes?
- [ ] Yes. Please add a changelog fragment based on our guidelines.
- [X] No. A maintainer will apply the "no-changelog" label to this PR.
Notes
See issue:
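As an added illustration of the PEM-based store described in the summary (example code, not vector's own IdentityStore; the struct and function names are assumptions), this splits a PEM bundle into the leaf certificate, the single private key and the remaining CA certificates, and rejects bundles that do not form one identity. The PKCS12-to-PEM conversion mentioned above is not shown here, since it needs an OpenSSL binding.

```rust
// Added example, not vector's code. Field and function names are assumptions.
#[derive(Debug, PartialEq)]
pub struct IdentityStore {
    pub name: String,          // the _name mentioned in the PR
    pub cert: String,          // leaf certificate, PEM
    pub key: String,           // private key, PEM
    pub ca_certs: Vec<String>, // optional CA / chain certificates, PEM
}

#[derive(Debug, PartialEq)]
pub enum PemError { NoCertificate, NoPrivateKey, MultiplePrivateKeys, Unterminated(String) }

/// Split a PEM bundle into (label, block) pairs; base64 bodies are kept verbatim.
/// Text outside any block (e.g. "Bag Attributes" lines from a PKCS12 export) is ignored.
fn pem_blocks(bundle: &str) -> Result<Vec<(String, String)>, PemError> {
    let mut blocks = Vec::new();
    let mut current: Option<(String, Vec<&str>)> = None;
    for line in bundle.lines() {
        let line = line.trim_end();
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|l| l.strip_suffix("-----")) {
            if let Some((open, _)) = current { return Err(PemError::Unterminated(open)); }
            current = Some((label.to_string(), vec![line]));
            continue;
        }
        let mut finished = false;
        if let Some((label, lines)) = current.as_mut() {
            lines.push(line);
            finished = line == format!("-----END {}-----", label).as_str();
        }
        if finished {
            let (label, lines) = current.take().unwrap();
            blocks.push((label, lines.join("\n") + "\n"));
        }
    }
    if let Some((open, _)) = current { return Err(PemError::Unterminated(open)); }
    Ok(blocks)
}

impl IdentityStore {
    /// Build the store from a bundle with exactly one private key; the first
    /// CERTIFICATE block is taken as the leaf, the rest as CA certificates.
    pub fn from_pem_bundle(name: &str, bundle: &str) -> Result<Self, PemError> {
        let (mut certs, mut keys) = (Vec::new(), Vec::new());
        for (label, block) in pem_blocks(bundle)? {
            match label.as_str() {
                "CERTIFICATE" => certs.push(block),
                "PRIVATE KEY" | "RSA PRIVATE KEY" | "EC PRIVATE KEY" => keys.push(block),
                _ => {} // other labels (e.g. CERTIFICATE REQUEST) are not identity material
            }
        }
        if keys.len() > 1 { return Err(PemError::MultiplePrivateKeys); }
        let key = keys.pop().ok_or(PemError::NoPrivateKey)?;
        if certs.is_empty() { return Err(PemError::NoCertificate); }
        let cert = certs.remove(0);
        Ok(IdentityStore { name: name.to_string(), cert, key, ca_certs: certs })
    }
}
```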
Formatting needs to be fixed. Run cargo fmt
PR title also needs to be fixed, check the PR Title Semantic Check / Check Semantic PR (pull_request) job for more information
Missing changelog and clippy is complaining too (everything is detailed in the actions logs)
@rf-ben are you still interested in this PR?
I am. It'll be good for the product. We're maintaining it on our own but it will be much better to get it incorporated.
I'll work on the feedback and latest changes in case there are merge issues.
awesome 👍
Hey guys, any idea which release will have this fix?