Skip to content

[Frontend] Add opt-in native-tls crypto backend for the Rust frontend#46052

Closed
wseaton wants to merge 2 commits into
vllm-project:mainfrom
wseaton:rust-frontend-fips-crypto
Closed

[Frontend] Add opt-in native-tls crypto backend for the Rust frontend#46052
wseaton wants to merge 2 commits into
vllm-project:mainfrom
wseaton:rust-frontend-fips-crypto

Conversation

@wseaton

@wseaton wseaton commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Some downstream environments need to be able to build the rust frontend against the system crypto provider via native-tls, add an optional feature to make this possible.

Note: This will not be fully solved until all of the transitive deps we have are fixed to allow tls backend selection, but it is a start.

@wseaton wseaton requested review from BugenZhao and njhill as code owners June 18, 2026 13:34
@mergify mergify Bot added the rust label Jun 18, 2026
@BugenZhao

Copy link
Copy Markdown
Member

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 98662ca739

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread rust/src/server/src/lib.rs Outdated
@@ -1,5 +1,11 @@
//! Minimal OpenAI-compatible HTTP server above [`vllm_chat`].

#[cfg(all(feature = "rustls", feature = "openssl"))]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid rejecting the Rust CI all-features build

In the Rust frontend CI I checked, both clippy and nextest are run with --workspace --all-features (.buildkite/scripts/run-rust-frontend-cargo-ci.sh:153-158 and :169-173), and Cargo documents --all-features as activating all available features. That means the existing pipeline enables both rustls and the new openssl feature for vllm-server, so this guard makes every CI all-features build fail before clippy/tests can run. Please structure the feature check or CI feature set so the opt-in backend does not make the repository’s standard all-features jobs uncompilable.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, ty codex

cc @BugenZhao

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@codex review

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@codex review

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codex Review: Didn't find any major issues. Can't wait for the next one!

Reviewed commit: 9bd6c24506

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Signed-off-by: Will Eaton <weaton@redhat.com>
@BugenZhao

BugenZhao commented Jun 23, 2026

Copy link
Copy Markdown
Member

I think the direction could be simpler here, i.e., we can just target native-tls/OpenSSL and don't have to introduce any new feature flags. I believe we intentionally avoided depending on rustls before open-sourcing the Rust frontend, but somehow it was still accidentally introduced to the tree.

So I would prefer switching the direct reqwest feature to native-tls and then fixing the remaining transitive rustls feature sources later, rather than carrying both rustls/openssl backend features in vllm-server.

Remaining transitive deps:

I've pushed a branch for this: https://github.com/vllm-project/vllm/compare/bz/remove-rustls

For openai-harmony and fastokens I believe we should ask the upstream to provide feature options for different tls backends first.

@mergify

mergify Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

This pull request has merge conflicts that must be resolved before it can be
merged. Please rebase the PR, @wseaton.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

@mergify mergify Bot added the needs-rebase label Jun 23, 2026
@wseaton

wseaton commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

@BugenZhao thanks, dropping rustls entirely is preferred by me, and it is also much more inline with the existing cert implementation of the python frontend. This also simplifies work around pod level TLS termination and cert rotation significantly (not needing to support dual backends).

Do you want to take this? If so I'll close!

@wseaton

wseaton commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

@BugenZhao some type of pre-commit hook that uses cargo audit might also be helpful here to prevent vendored crypto from sneaking back into the build

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants