tls-util: migrate mz-tls-util from openssl to rustls #35838

Draft
jasonhernandez wants to merge 1 commit into MaterializeInc:jason/sec-219-tls-test-infra from jasonhernandez:jason/sec-192-migrate-tls-util

@jasonhernandez
Contributor

Summary

Migrate mz-tls-util — the central client-side TLS abstraction — from openssl/postgres-openssl to rustls/tokio-postgres-rustls with aws-lc-rs as the crypto backend.

  • make_tls() now returns MakeRustlsConnect using rustls::ClientConfig configured via mz_ore::crypto::fips_crypto_provider(), with appropriate cert verification for each SSL mode (VerifyFull, VerifyCa via custom CaOnlyVerifier, NoVerify for Disable/Prefer/Require-no-CA)
  • TlsError::OpenSsl replaced with TlsError::Rustls
  • pkcs12der_from_pem() removed from mz-tls-util; inlined into ccsr and storage-types which still need PKCS#12 for their downstream TLS libraries (reqwest native-tls, mysql_async)
  • postgres-util: removed PostgresSsl(openssl::error::ErrorStack) variant, removed openssl + postgres-openssl deps
  • mz-debug: switched to MakeRustlsConnect, refactored connection setup

Dependencies

This PR is based on jason/sec-219-tls-test-infra which includes prerequisite PRs:

  • SEC-215: Unblock rustls and add FIPS feature flag
  • SEC-176: Remove rustls ban from deny.toml
  • SEC-219: Server-side TLS migration

Works toward SEC-192.

Test plan

  • cargo check -p mz-tls-util — compiles cleanly
  • cargo check -p mz-ccsr — compiles cleanly
  • cargo check -p mz-testdrive — compiles cleanly
  • cargo check -p mz-storage-types — compiles cleanly
  • cargo check -p mz-postgres-util --features tunnel — compiles cleanly
  • cargo clippy -p mz-tls-util — no warnings
  • cargo fmt — clean
  • CI integration tests (testdrive, SLT) validate TLS connections work end-to-end

Checklist

  • Lint clean
  • Release notes updated (N/A — internal infrastructure change)

🤖 Generated with Claude Code
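
To make the verification levels in the summary concrete, the following added example (not code from this PR, from Materialize, or from rustls) models which server certificates each SSL mode would accept. `Policy`, `Cert`, `policy_for`, `name_matches` and `accepts` are hypothetical names, the certificates are constructed, and treating Require with a CA like VerifyCa is an assumption borrowed from libpq's behaviour.

```rust
// Added illustration: a std-only model, not Materialize's or rustls's code.
#[derive(Clone, Copy, Debug, PartialEq)]
enum SslMode { Disable, Prefer, Require, VerifyCa, VerifyFull }

#[derive(Debug, PartialEq)]
enum Policy { NoVerify, CaOnly, Full }

/// Constructed stand-in for the certificate a server presents.
struct Cert<'a> { chains_to_trusted_ca: bool, dns_names: &'a [&'a str] }

/// Mode-to-verifier mapping from the PR summary. Assumption: Require with a
/// CA configured is treated like VerifyCa, as libpq does.
fn policy_for(mode: SslMode, has_ca: bool) -> Policy {
    match (mode, has_ca) {
        (SslMode::VerifyFull, _) => Policy::Full,
        (SslMode::VerifyCa, _) | (SslMode::Require, true) => Policy::CaOnly,
        _ => Policy::NoVerify,
    }
}

/// Case-insensitive DNS match; a wildcard covers exactly one left-most label.
fn name_matches(pattern: &str, host: &str) -> bool {
    let (p, h) = (pattern.to_ascii_lowercase(), host.to_ascii_lowercase());
    match p.strip_prefix("*.") {
        Some(suffix) => h
            .split_once('.')
            .map_or(false, |(label, rest)| !label.is_empty() && rest == suffix),
        None => p == h,
    }
}

/// Would a client in `mode` complete the handshake with `cert` for `host`?
fn accepts(mode: SslMode, has_ca: bool, cert: &Cert, host: &str) -> bool {
    match policy_for(mode, has_ca) {
        Policy::NoVerify => true, // encrypts, but authenticates nobody
        Policy::CaOnly => cert.chains_to_trusted_ca, // name is never checked
        Policy::Full => {
            cert.chains_to_trusted_ca && cert.dns_names.iter().any(|n| name_matches(n, host))
        }
    }
}

fn main() {
    // Constructed cases: trusted chain with the wrong name, untrusted chain with the right name.
    let wrong_name = Cert { chains_to_trusted_ca: true, dns_names: &["*.internal.example"] };
    let untrusted = Cert { chains_to_trusted_ca: false, dns_names: &["db.prod.example"] };
    for m in [SslMode::Disable, SslMode::Prefer, SslMode::Require, SslMode::VerifyCa, SslMode::VerifyFull] {
        let (a, b) = (accepts(m, true, &wrong_name, "db.prod.example"), accepts(m, true, &untrusted, "db.prod.example"));
        println!("{m:?}: wrong-name cert accepted={a}, untrusted cert accepted={b}");
    }
}
```

A review of the real verifiers would want integration tests covering the same matrix: a certificate from the trusted CA with a mismatched name must pass VerifyCa and fail VerifyFull, and an untrusted chain must fail both.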

@github-actions
Contributor

github-actions bot commented Apr 2, 2026

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@jasonhernandez jasonhernandez reopened this Apr 2, 2026
@jasonhernandez jasonhernandez force-pushed the jason/sec-192-migrate-tls-util branch 12 times, most recently from ff190e3 to 268990f Compare April 2, 2026 19:39
Rewrite the central TLS utility crate to use rustls instead of openssl:

- make_tls: returns MakeRustlsConnect (rustls-based) instead of
  postgres-openssl MakeTlsConnector. Supports SslMode verification,
  client certificates, and a NoVerifier for non-verifying modes.
- pkcs12der_from_pem: validates PEM with rustls-pki-types instead of
  openssl. Stores concatenated PEM in the Pkcs12Archive for backward
  compatibility (consumers use reqwest::Identity::from_pem).
- TlsError: OpenSsl variant replaced with Rustls variant.
- MakeRustlsConnect + RustlsConnect: implements tokio_postgres MakeTlsConnect
  trait using tokio-rustls, with RustlsTlsStream wrapper for TlsStream trait.

Updated consumers:
- mz-postgres-util: removed openssl + postgres-openssl deps, updated error types
- mz-postgres-client: updated TlsError match arm
- mz-debug: replaced MakeTlsConnector/TlsStream with rustls equivalents
- mz-ccsr: pkcs12der_from_pem error type changed (already updated in SEC-220)
- mz-storage-types: pkcs12der_from_pem returns anyhow::Error (compatible)

Part of SEC-192.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@jasonhernandez jasonhernandez force-pushed the jason/sec-192-migrate-tls-util branch from 268990f to 5c1142c Compare April 3, 2026 18:55
@jasonhernandez jasonhernandez changed the base branch from main to jason/sec-219-tls-test-infra April 3, 2026 18:55