Skip to content

[Rust Frontend] Switch rustls to native-tls/OpenSSL#46696

Merged
njhill merged 7 commits into
mainfrom
bz/remove-rustls
Jun 26, 2026
Merged

[Rust Frontend] Switch rustls to native-tls/OpenSSL#46696
njhill merged 7 commits into
mainfrom
bz/remove-rustls

Conversation

@BugenZhao

@BugenZhao BugenZhao commented Jun 25, 2026

Copy link
Copy Markdown
Member

Signed-off-by: Bugen Zhao i@bugenzhao.com

Purpose

Related discussions:

Eliminate rustls from the Rust frontend dependency tree and keep the HTTP/TLS stack on native-tls / OpenSSL, which is friendlier for compliance-sensitive deployments.

Also adds a cargo-deny bans check for the crypto provider crates we want to keep out of the Rust frontend dependency graph into CI to avoid future regression.

The deny-list approach follows the same style as TiKV's dependency policy checks, with a small atomic provider list instead of banning every wrapper crate:

  • rustls
  • ring
  • aws-lc-rs
  • aws-lc-sys
  • s2n-tls
  • s2n-tls-sys
  • boring
  • boring-sys

Reference: tikv/tikv#16352

Test Plan

./.buildkite/scripts/run-rust-frontend-cargo-ci.sh style-clippy
cargo deny --manifest-path rust/Cargo.toml check --config rust/deny.toml bans

for crate in rustls ring aws-lc-rs aws-lc-sys s2n-tls s2n-tls-sys boring boring-sys; do
  cargo tree --manifest-path rust/Cargo.toml --target all -e all -i "$crate"
done

Test Result

./.buildkite/scripts/run-rust-frontend-cargo-ci.sh style-clippy passes locally, including:

--- Checking Rust dependency bans
bans ok
--- Running clippy
Finished `dev` profile [unoptimized + debuginfo] target(s)

cargo deny --manifest-path rust/Cargo.toml check --config rust/deny.toml bans passes:

bans ok

The denied provider crates are absent from the dependency tree:

rustls: nothing to print
ring: nothing to print
aws-lc-rs: package ID specification did not match any packages
aws-lc-sys: package ID specification did not match any packages
s2n-tls: package ID specification did not match any packages
s2n-tls-sys: package ID specification did not match any packages
boring: package ID specification did not match any packages
boring-sys: package ID specification did not match any packages

Essential Elements of an Effective PR Description Checklist
  • The purpose of the PR, such as "Fix some issue (link existing issues this PR will resolve)".
  • The test plan, such as providing test command.
  • The test results, such as pasting the results comparison before and after, or e2e results
  • (Optional) The necessary documentation update, such as updating supported_models.md and examples for a new model.

Signed-off-by: Bugen Zhao <i@bugenzhao.com>
Signed-off-by: Bugen Zhao <i@bugenzhao.com>
Signed-off-by: Bugen Zhao <i@bugenzhao.com>
@mergify mergify Bot added the rust label Jun 25, 2026
@BugenZhao BugenZhao changed the title [Rust Frontend] Switch from rustls to native-tls/OpenSSL [Rust Frontend] Switch rustls to native-tls/OpenSSL Jun 25, 2026
Signed-off-by: Bugen Zhao <i@bugenzhao.com>
Signed-off-by: Bugen Zhao <i@bugenzhao.com>
@mergify mergify Bot added the ci/build label Jun 25, 2026
@BugenZhao BugenZhao marked this pull request as ready for review June 25, 2026 07:22

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@Harry-Chen

Copy link
Copy Markdown
Member

IIUC this creates a dependency on libssl.so.X for all of our wheels? We may need to handle this carefully since many Linux distros are in the transition from libssl3 to libssl4.

Comment thread rust/Cargo.toml Outdated
@BugenZhao

BugenZhao commented Jun 25, 2026

Copy link
Copy Markdown
Member Author

IIUC this creates a dependency on libssl.so.X for all of our wheels? We may need to handle this carefully since many Linux distros are in the transition from libssl3 to libssl4.

Good point. OpenSSL already exists in the dependency tree before this PR, so this PR is just a clean-up to avoid both crypto backends appear simultaneously. Regarding wheels/images, for portability, we always enable the native-tls-vendored feature. So I think there's no runtime dependency on libssl.so.X.

vllm/tools/build_rust.py

Lines 20 to 27 in 1ab5950

RustExtension(
target="vllm.vllm-rs",
path="rust/src/cmd/Cargo.toml",
args=["--bin", "vllm-rs"],
features=["native-tls-vendored"],
binding=Binding.Exec,
optional=optional,
),

nit: native-tls-vendored should probably be disabled for FIPS-compliance builds, but that’s fine since we provide it as an option.

Signed-off-by: Bugen Zhao <i@bugenzhao.com>
@BugenZhao BugenZhao added the ready ONLY add when PR is ready to merge/full CI is needed label Jun 25, 2026
@BugenZhao

Copy link
Copy Markdown
Member Author

@codex review

@wseaton

wseaton commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Yep, totally fine to vendor by default so long as there is the option to link against the system OpenSSL. Thanks for this @BugenZhao!

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c53774d466

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread rust/Cargo.toml
Signed-off-by: Bugen Zhao <i@bugenzhao.com>
@njhill njhill merged commit ae7c8ec into main Jun 26, 2026
27 checks passed
@njhill njhill deleted the bz/remove-rustls branch June 26, 2026 00:19
wincent8 pushed a commit to wincent8/vllm that referenced this pull request Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci/build ready ONLY add when PR is ready to merge/full CI is needed rust

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants