FIPS and PKCS12

[rf-ben]

Hi Everyone,

We’re creating a vector image for FIPS use and have a problem that we’d like some thoughts on.

The system is configured with the openssl base and fips providers, and is running on a FIPS enabled kernel. TLS is configured with an appropriate certificate & key.

When we run it, we see this:

rfroot@curated-dev-fips1:~/vectorTest$ docker run --rm -it -p 8433:8433 vector-tls-source
2025-05-16T17:09:07.585642Z  INFO vector::app: Log level is enabled. level="info"
2025-05-16T17:09:07.586657Z  INFO vector::app: Loading configs. paths=["/etc/vector/vector.yaml"]
2025-05-16T17:09:07.602458Z ERROR vector::topology::builder: Configuration error. error=Source "secure_http": Could not build PKCS#12 archive for identity: error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:386:Global default library context, Algorithm (PKCS12KDF : 0), Properties (<null>), error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:../crypto/pkcs12/p12_mutl.c:157:, error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:../crypto/pkcs12/p12_mutl.c:230:

The hypothesis is that the code tries to repackage the certificate and key into a PKCS12 container, and it implicitly wants to us SHA-1 to sign the key. This is not supported under FIPS.

The relevant source code is here:

vector/lib/vector-core/src/tls/settings.rs

Line 438 in 1e7da76

.context(Pkcs12Snafu)?;

We’d like to work around this problem - the openssl package for rust does not let you specify a different MAC algorithm as far as we can tell, and it does not look like we can, for example, supply a stronger MAC PKCS12 container directly instead of the PEM certificate & key.

Would like to hear your thoughts on this. Also, if it’s straightforward to avoid this in code, we’re happy to assist/provide you some changes.

Appreciate any guidance you may have.

Thank you.

[tot19]

Don't have anything to add on the code part, but I would also be interested in a FIPS binary

[pront]

Hi @rf-ben, FIPS is not properly supported yet because some component rely on ring so it is not surprising you are hitting an issue. We can definitely benefit from a short RFC outlining how to make Vector FIPS compatible. We definitely welcome suggestions and PRs in this area.

Here are some relevant links:

• FIPS compliance #8435
• Draft PR to replace ring: chore(deps): upgrade async-nats and enable FIPS #22543