
crypto: switch HTTP clients from native-tls to rustls #35947

Draft
jasonhernandez wants to merge 2 commits into main from pr3-http-clients-rustls

Conversation

@jasonhernandez (Contributor) commented Apr 10, 2026

Summary

  • Switch reqwest from native-tls to rustls-tls-webpki-roots-no-provider across ~30 crates
  • Switch kube from openssl-tls to rustls-tls + aws-lc-rs
  • Switch mysql_async from native-tls to rustls (MaterializeInc fork)
  • Switch tiberius from native-tls to rustls (MaterializeInc fork)
  • Replace hyper-tls with hyper-rustls in the OpenTelemetry connector (mz-ore tracing)
  • Switch launchdarkly-server-sdk from native-tls/crypto-openssl to hyper-rustls-webpki-roots/crypto-aws-lc-rs
  • Switch sentry from transport to reqwest feature
  • Switch segment to default-features = false
  • Update fork overrides for mysql_async, tiberius, duckdb, iceberg
  • Add aws-lc-rs CryptoProvider init to binary entry points (clusterd, sqllogictest, testdrive, persist-cli, orchestratord)
  • Migrate ccsr TLS cert handling from native-tls/openssl to rustls
  • Remove native-tls, tokio-native-tls, hyper-tls from mz-ore tracing feature

Part 3 of 7 in the crypto migration. Depends on PR1 (#35940).

Test plan

  • `cargo check --workspace` passes
  • No crate depends on native-tls after this PR (ccsr native-tls removed, balancerd LD SDK switched)

🤖 Generated with Claude Code
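The test plan above asserts that no crate depends on native-tls once this PR lands. The script below is an added example (not code from PR #35947 or the Materialize repository) of how to turn that claim into a CI guard: it reads a flat package list as produced by `cargo tree --workspace --edges normal --prefix none --format '{p}'` and fails if any banned TLS crate is still in the graph. The banned list is an assumption (the crates the PR description says it removes, plus the openssl crates native-tls links on Linux), and the two sample graphs are constructed, not real `cargo tree` output.

```shell
#!/bin/sh
# Added example, not part of PR #35947: CI guard for "no crate depends on
# native-tls". Input format is one package per line as printed by
#   cargo tree --workspace --edges normal --prefix none --format '{p}' > deps.txt
# i.e. "native-tls v0.2.12" for a registry crate, or
# "mz-ore v0.1.0 (/work/src/ore)" for a path crate.
#
# Assumed ban list: the crates the PR says it removes plus openssl/openssl-sys,
# which native-tls pulls in on Linux. Extend as needed.
BANNED_TLS_CRATES="native-tls tokio-native-tls hyper-tls openssl openssl-sys"

# check_tls_deps FILE
# Prints every banned crate found in FILE (with version) to stderr and returns 1;
# returns 0 when the graph is clean. Matching is on the exact first token, so
# "rustls-native-certs" is not mistaken for "native-tls".
check_tls_deps() {
    file=$1
    status=0
    for crate in $BANNED_TLS_CRATES; do
        hits=$(awk -v c="$crate" '$1 == c { print $1 " " $2 }' "$file" | sort -u)
        if [ -n "$hits" ]; then
            printf 'banned TLS dependency still in graph: %s\n' "$hits" >&2
            status=1
        fi
    done
    return $status
}

# tls_dep_count FILE
# Number of distinct banned crates present in FILE (for reporting).
tls_dep_count() {
    awk -v banned="$BANNED_TLS_CRATES" '
        BEGIN { n = split(banned, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        ($1 in want) && !(seen[$1]++) { count++ }
        END { print count + 0 }' "$1"
}

# Constructed sample graphs (not real cargo output): before and after the switch.
BEFORE=$(mktemp)
AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
mz-ore v0.1.0 (/work/src/ore)
reqwest v0.12.5
hyper-tls v0.6.0
native-tls v0.2.12
openssl v0.10.64
openssl-sys v0.9.102
rustls-native-certs v0.7.0
tokio-native-tls v0.3.1
EOF
cat > "$AFTER" <<'EOF'
mz-ore v0.1.0 (/work/src/ore)
reqwest v0.12.5
hyper-rustls v0.27.2
rustls v0.23.12
aws-lc-rs v1.8.1
webpki-roots v0.26.3
rustls-native-certs v0.7.0
EOF

if check_tls_deps "$BEFORE"; then
    echo "before: clean (unexpected)"
else
    echo "before: $(tls_dep_count "$BEFORE") banned crate(s) present"
fi
if check_tls_deps "$AFTER"; then
    echo "after: clean"
else
    echo "after: still dirty"
fi
```

When the guard fires, `cargo tree -i native-tls` (the invert flag) shows which workspace crate or fork still pulls the banned dependency in, which is usually a feature flag such as a transitive `default-features = true` rather than a direct dependency.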

@github-actions (Contributor) commented

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute:, storage:, adapter:, sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

jasonhernandez and others added 2 commits April 14, 2026 20:31
Add rustls, aws-lc-rs, hyper-rustls, rcgen, tokio-rustls workspace deps
and the mz-ore `crypto` feature with FIPS-aware CryptoProvider helpers.
Azure SDK forks patched to support reqwest-rustls-no-provider.
Removes the rustls ban from deny.toml.

Does NOT bump LaunchDarkly SDK (deferred to end of migration).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Switch reqwest and other HTTP clients from native-tls to rustls across
the workspace:

- reqwest: default-features = false, rustls-tls-webpki-roots-no-provider
- kube: openssl-tls → rustls-tls + aws-lc-rs
- mysql_async: native-tls-tls → rustls-tls (MaterializeInc fork)
- tiberius: native-tls → rustls (MaterializeInc fork)
- duckdb: default-features = false (MaterializeInc fork)
- segment: default-features = false
- Add aws-lc-rs CryptoProvider init to binary entry points
- Remove native-tls, tokio-native-tls, hyper-tls workspace deps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jasonhernandez force-pushed the pr3-http-clients-rustls branch from 1528368 to f147e89 on April 15, 2026 03:33