Description
A note for the community
A proposed fix is available with this PR: #23146
Problem
When running vector with TLS configured on a FIPS-enabled kernel and using the system-supplied version of OpenSSL, there are internal operations that convert the cert & key, supplied in PEM format, to a PKCS12 archive. This operation, by specification, uses PKCS12KDF and is not FIPS compliant. This results in an exception:
#15 [stage-1 7/7] RUN cd /etc/vector && (vector --config-dir /etc/vector &) && sleep 1 && curl -k -X POST https://localhost:8443 -H "Content-Type: application/json" -d '{"vector": [0.1, 0.2, 0.3]}' && true
#15 0.225 2025-06-02T08:55:18.810640Z INFO vector::app: Log level is enabled. level="info"
#15 0.227 2025-06-02T08:55:18.812590Z INFO vector::app: Loading configs. paths=["/etc/vector"]
#15 0.238 2025-06-02T08:55:18.823060Z ERROR vector::topology::builder: Configuration error. error=Source "secure_http": PKCS#12 parse failed: error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:386:Global default library context, Algorithm (PKCS12KDF : 0), Properties (<null>), error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:../crypto/pkcs12/p12_mutl.c:157:, error:1180006D:PKCS12 routines:PKCS12_verify_mac:mac generation error:../crypto/pkcs12/p12_mutl.c:196:, error:11800071:PKCS12 routines:PKCS12_parse:mac verify failure:../crypto/pkcs12/p12_kiss.c:71:
#15 1.228 % Total % Received % Xferd Average Speed Time Time Time Current
#15 1.228 Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
#15 1.229 curl: (7) Failed to connect to localhost port 8443 after 0 ms: Could not connect to server
#15 ERROR: process "/bin/sh -c cd /etc/vector && (vector --config-dir /etc/vector &) && sleep 1 && curl -k -X POST https://localhost:8443 -H "Content-Type: application/json" -d '{"vector": [0.1, 0.2, 0.3]}' && true" did not complete successfully: exit code: 7
Inspecting the code, we see that TlsSettings in vector_core uses a PKCS12 archive to carry this information around for all the possible sinks & sources to use. When you present a p12/der archive, it takes it verbatim (with sanity checks), and when you present PEM files, it converts them to PKCS12.
The code encapsulates this detail very well. Our proposed solution is to avoid using PKCS12 by modifying TlsSettings to carry PEM objects instead. For compatibility, when a p12/der file is presented, we unpack it at load time. This provides perfect reverse compatibility.
FIPS is not a very common use case, but in general, working towards stronger crypto benefits regular systems as well. So this change is a net positive.
A change like this will not be observable to anyone.
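The PEM-to-PKCS#12 round trip described above, and the load-time unpacking the proposed fix would do for p12 input, as an added shell example built on the openssl CLI (not Vector's code; the working directory, certificate subject and archive password are constructed for the demo):

```shell
# Added example, not Vector's code: reproduces the PEM -> PKCS#12 -> parse round
# trip that TlsSettings performs internally, then the PKCS#12 -> PEM unpacking the
# proposed fix would do once at load time. Paths, subject and password are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
P12PASS="demo-only"   # constructed; not Vector's internal archive password
# OpenSSL 3 provider situation: "fips-only" (fips loaded, no default provider, the
# reporter's setup), "fips+default", or "no-fips" (incl. OpenSSL 1.1, no providers).
fips_provider_state() {
    providers=$(openssl list -providers 2>/dev/null | awk '/^  [a-z]/ {print $1}') || providers=""
    case " $providers " in
        *" fips "*) case " $providers " in
                        *" default "*) echo "fips+default" ;;
                        *) echo "fips-only" ;;
                    esac ;;
        *) echo "no-fips" ;;
    esac
}
# Throwaway self-signed cert + key in PEM, standing in for crt_file/key_file.
make_pem_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vector-demo" \
        -keyout "$WORK/tls.key" -out "$WORK/tls.crt" 2>/dev/null
}

# What Vector does today with PEM input: bundle it into a PKCS#12 archive whose
# integrity MAC is keyed with PKCS12KDF, an algorithm the FIPS provider lacks.
pem_to_p12() {
    openssl pkcs12 -export -in "$WORK/tls.crt" -inkey "$WORK/tls.key" \
        -out "$WORK/tls.p12" -passout "pass:$P12PASS"
}

# Parsing verifies that MAC; with only fips+base loaded this is the call that fails
# with "PKCS12_verify_mac:mac generation error", as in the report.
p12_parse_ok() {
    openssl pkcs12 -in "$WORK/tls.p12" -passin "pass:$P12PASS" -info -noout >/dev/null 2>&1
}

# The proposed fix for p12 input: unpack to PEM once at load time so the runtime
# TLS path only ever handles PEM objects.
p12_to_pem() {
    openssl pkcs12 -in "$WORK/tls.p12" -passin "pass:$P12PASS" -nokeys \
        -out "$WORK/unpacked.crt" 2>/dev/null
    openssl pkcs12 -in "$WORK/tls.p12" -passin "pass:$P12PASS" -nocerts -nodes \
        -out "$WORK/unpacked.key" 2>/dev/null
    grep -q "BEGIN CERTIFICATE" "$WORK/unpacked.crt" && grep -q "PRIVATE KEY" "$WORK/unpacked.key"
}
make_pem_pair && pem_to_p12 && echo "providers: $(fips_provider_state)"
if p12_parse_ok; then echo "pkcs12 parse: ok"; else echo "pkcs12 parse: FAILED (expected with fips-only)"; fi
p12_to_pem && echo "unpacked PEM written under $WORK"
```

On a host with only the fips and base providers active, the parse step reports FAILED with the same PKCS12KDF error as the report, while a default-provider host parses and unpacks cleanly.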
Configuration
For the FIPS tests, we ran vector on a FIPS-enabled kernel, and we compiled it to dynamically link to the system-provided OpenSSL. OpenSSL was configured to have only a 'fips' and 'base' provider.
FIPS build:
RUSTFLAGS="-C prefer-dynamic" OPENSSL_NO_VENDOR=1 OPENSSL_STATIC=0 \
cargo build -j8 --release --target x86_64-unknown-linux-gnu \
--no-default-features --features target-x86_64-unknown-linux-gnu
vector.yaml
sources:
  secure_http:
    type: http_server
    address: 0.0.0.0:8443
    encoding: json
    tls:
      enabled: true
      crt_file: /etc/vector/tls.crt
      key_file: /etc/vector/tls.key
sinks:
  console:
    type: console
    inputs: [secure_http]
    encoding:
      codec: json
Version
master, 0.47, 0.46, 0.44
Debug Output
#14 0.233 Providers:
#14 0.233 base
#14 0.233 name: OpenSSL Base Provider
#14 0.233 version: 3.0.16
#14 0.233 status: active
#14 0.233 fips
#14 0.233 name: OpenSSL FIPS Provider
#14 0.233 version: 3.0.9
#14 0.233 status: active
#14 DONE 0.2s