fix: remove patched openssl crate, use upstream API for TLS security profiles (LOG-3398)

Replace the forked patch/openssl crate with direct calls to the upstream
openssl crate's public API (set_min_proto_version, set_cipher_list,
set_ciphersuites). This eliminates ~70 patched files and reduces the
maintenance burden on upstream version bumps while preserving dynamic
linking to system OpenSSL for FIPS compliance.

The TLS security profile logic (min_tls_version, ciphersuites) is now
implemented in Vector's own TLS module via apply_tls_security_profile(),
and is wired into apply_context_base() where it was previously stored
but never applied in production code.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vparfonov

Cargo.lock

@@ -407,7 +407,7 @@ async-nats = { version = "0.42.0", default-features = false, optional = true, fe
 nkeys = { version = "0.4.5", default-features = false, optional = true }
 nom = { workspace = true, optional = true }
 notify = { version = "8.1.0", default-features = false, features = ["macos_fsevent"] }
-openssl = { version = "0.10.73", default-features = false}
+openssl = { version = "0.10.75", default-features = false}
 openssl-probe = { version = "0.1.6", default-features = false }
 ordered-float.workspace = true
 percent-encoding = { version = "2.3.1", default-features = false }
@@ -500,7 +500,6 @@ zstd = { version = "0.13.0", default-features = false }
 # The `heim` crates depend on `ntapi` 0.3.7 on Windows, but that version has an
 # unaligned access bug fixed in the following revision.
 ntapi = { git = "https://github.com/MSxDOS/ntapi.git", rev = "24fc1e47677fc9f6e38e5f154e6011dc9b270da6" }
-openssl = { path = "patch/openssl" }
 hyper = { path = "patch/hyper" }
 
 [features]

Cargo.toml

@@ -4,7 +4,7 @@ use std::{fmt::Debug, net::SocketAddr, num::TryFromIntError, path::PathBuf, time
 
 use openssl::{
     error::ErrorStack,
-    ssl::{ConnectConfiguration, SslConnector, SslConnectorBuilder, SslMethod},
+    ssl::{ConnectConfiguration, SslConnector, SslConnectorBuilder, SslMethod, SslVersion},
 };
 use snafu::{ResultExt, Snafu};
 use tokio::net::TcpStream;
@@ -131,6 +131,16 @@ pub enum TlsError {
     NewCaStack { source: ErrorStack },
     #[snafu(display("Could not push intermediate certificate onto stack"))]
     CaStackPush { source: ErrorStack },
+    // BEGIN RED HAT - TLS security profile support (LOG-3398)
+    #[snafu(display("Invalid TLS version: {}", version))]
+    InvalidTlsVersion { version: String },
+    #[snafu(display("Invalid or empty ciphersuite string"))]
+    InvalidCiphersuite,
+    #[snafu(display("Could not set minimum TLS version: {}", source))]
+    SetMinTlsVersion { source: ErrorStack },
+    #[snafu(display("Could not set cipher list: {}", source))]
+    SetCipherList { source: ErrorStack },
+    // END RED HAT - TLS security profile support (LOG-3398)
 }
 
 impl MaybeTlsStream<TcpStream> {
@@ -175,6 +185,47 @@ impl MaybeTlsStream<TcpStream> {
     }
 }
 
+// BEGIN RED HAT - TLS security profile support (LOG-3398)
+/// Apply TLS security profile settings (min version, ciphersuites) to an SSL context builder.
+///
+/// Maps `OpenShift` TLS security profile version strings (`VersionTLS10`..`VersionTLS13`)
+/// to OpenSSL protocol versions and configures ciphersuites accordingly.
+pub fn apply_tls_security_profile(
+    ctx: &mut openssl::ssl::SslContextBuilder,
+    min_tls_version: &Option<String>,
+    ciphersuites: &Option<String>,
+) -> Result<()> {
+    let mut resolved_version = SslVersion::TLS1;
+    if let Some(version_str) = min_tls_version {
+        resolved_version = match version_str.as_str() {
+            "VersionTLS10" => SslVersion::TLS1,
+            "VersionTLS11" => SslVersion::TLS1_1,
+            "VersionTLS12" => SslVersion::TLS1_2,
+            "VersionTLS13" => SslVersion::TLS1_3,
+            _ => {
+                return Err(TlsError::InvalidTlsVersion {
+                    version: version_str.clone(),
+                });
+            }
+        };
+        ctx.set_min_proto_version(Some(resolved_version))
+            .context(SetMinTlsVersionSnafu)?;
+    }
+    if let Some(suites) = ciphersuites {
+        if suites.is_empty() {
+            return Err(TlsError::InvalidCiphersuite);
+        }
+        let suites = suites.replace(',', ":");
+        if resolved_version == SslVersion::TLS1_3 {
+            ctx.set_ciphersuites(&suites).context(SetCipherListSnafu)?;
+        } else {
+            ctx.set_cipher_list(&suites).context(SetCipherListSnafu)?;
+        }
+    }
+    Ok(())
+}
+// END RED HAT - TLS security profile support (LOG-3398)
+
 pub fn tls_connector_builder(settings: &MaybeTlsSettings) -> Result<SslConnectorBuilder> {
     let mut builder = SslConnector::builder(SslMethod::tls()).context(TlsBuildConnectorSnafu)?;
     if let Some(settings) = settings.tls() {

lib/vector-core/src/tls/mod.rs

@@ -6,10 +6,25 @@ use std::{
 };
 
 use super::{
-    AddCertToStoreSnafu, AddExtraChainCertSnafu, CaStackPushSnafu, EncodeAlpnProtocolsSnafu,
-    FileOpenFailedSnafu, FileReadFailedSnafu, MaybeTls, NewCaStackSnafu, NewStoreBuilderSnafu,
-    ParsePkcs12Snafu, PrivateKeyParseSnafu, Result, SetAlpnProtocolsSnafu, SetCertificateSnafu,
-    SetPrivateKeySnafu, SetVerifyCertSnafu, TlsError, X509ParseSnafu,
+    AddCertToStoreSnafu,
+    AddExtraChainCertSnafu,
+    CaStackPushSnafu,
+    EncodeAlpnProtocolsSnafu,
+    FileOpenFailedSnafu,
+    FileReadFailedSnafu,
+    MaybeTls,
+    NewCaStackSnafu,
+    NewStoreBuilderSnafu,
+    ParsePkcs12Snafu,
+    PrivateKeyParseSnafu,
+    Result,
+    SetAlpnProtocolsSnafu,
+    SetCertificateSnafu,
+    SetPrivateKeySnafu,
+    SetVerifyCertSnafu,
+    TlsError,
+    X509ParseSnafu,
+    apply_tls_security_profile, // RED HAT - TLS security profile support (LOG-3398)
 };
 use cfg_if::cfg_if;
 use lookup::lookup_v2::OptionalValuePath;
@@ -157,11 +172,13 @@ pub struct TlsConfig {
     #[configurable(metadata(docs::human_name = "Server Name"))]
     pub server_name: Option<String>,
 
+    // BEGIN RED HAT - TLS security profile support (LOG-3398)
     /// Minimal enabled TLS version.
     pub min_tls_version: Option<String>,
 
     /// TLS ciphersuites to enable.
     pub ciphersuites: Option<String>,
+    // END RED HAT - TLS security profile support (LOG-3398)
 }
 
 impl TlsConfig {
@@ -184,8 +201,10 @@ pub struct TlsSettings {
     pub(super) identity: Option<IdentityStore>,
     alpn_protocols: Option<Vec<u8>>,
     server_name: Option<String>,
+    // BEGIN RED HAT - TLS security profile support (LOG-3398)
     pub min_tls_version: Option<String>,
     pub ciphersuites: Option<String>,
+    // END RED HAT - TLS security profile support (LOG-3398)
 }
 
 /// Identity store in PEM format
@@ -228,6 +247,7 @@ impl TlsSettings {
             identity: options.load_identity()?,
             alpn_protocols: options.parse_alpn_protocols()?,
             server_name: options.server_name.clone(),
+            // RED HAT - TLS security profile support (LOG-3398)
             min_tls_version: options.min_tls_version.clone(),
             ciphersuites: options.ciphersuites.clone(),
         })
@@ -347,6 +367,9 @@ impl TlsSettings {
             }
         }
 
+        // RED HAT - TLS security profile support (LOG-3398)
+        apply_tls_security_profile(context, &self.min_tls_version, &self.ciphersuites)?;
+
         Ok(())
     }
 
@@ -662,7 +685,7 @@ fn open_read(filename: &Path, note: &'static str) -> Result<(Vec<u8>, PathBuf)>
 
 #[cfg(test)]
 mod test {
-    use openssl::ssl::{ErrorEx, SslMethod, SslVersion};
+    use openssl::ssl::{SslMethod, SslVersion};
 
     use super::*;
 
@@ -831,102 +854,108 @@ mod test {
         assert!(config.is_tls());
     }
 
+    // BEGIN RED HAT - TLS security profile tests (LOG-3398)
     #[test]
     fn from_min_tls_version() {
-        use std::result::Result;
+        use super::super::apply_tls_security_profile;
 
         struct TlsVersionTest {
             text: Option<String>,
             num: Option<SslVersion>,
-            want: Result<(), ErrorEx>,
+            want_ok: bool,
         }
-        let mut builder = SslContextBuilder::new(SslMethod::tls()).unwrap();
-        let orig_min_proto_version = builder.min_proto_version();
         let tests = [
             TlsVersionTest {
                 text: None,
-                num: orig_min_proto_version,
-                want: Ok(()),
+                num: None,
+                want_ok: true,
             },
             TlsVersionTest {
                 text: Some(String::new()),
-                num: orig_min_proto_version,
-                want: Err(ErrorEx::InvalidTlsVersion),
+                num: None,
+                want_ok: false,
             },
             TlsVersionTest {
                 text: Some("foobar".to_string()),
-                num: Some(SslVersion::TLS1),
-                want: Err(ErrorEx::InvalidTlsVersion),
+                num: None,
+                want_ok: false,
             },
             TlsVersionTest {
                 text: Some("VersionTLS10".to_string()),
                 num: Some(SslVersion::TLS1),
-                want: Ok(()),
+                want_ok: true,
             },
             TlsVersionTest {
                 text: Some("VersionTLS11".to_string()),
                 num: Some(SslVersion::TLS1_1),
-                want: Ok(()),
+                want_ok: true,
             },
             TlsVersionTest {
                 text: Some("VersionTLS12".to_string()),
                 num: Some(SslVersion::TLS1_2),
-                want: Ok(()),
+                want_ok: true,
             },
             TlsVersionTest {
                 text: Some("VersionTLS13".to_string()),
                 num: Some(SslVersion::TLS1_3),
-                want: Ok(()),
+                want_ok: true,
             },
         ];
         for t in tests {
-            match builder.set_min_tls_version_and_ciphersuites(&t.text, &None) {
+            let mut builder = SslContextBuilder::new(SslMethod::tls()).unwrap();
+            let orig_min = builder.min_proto_version();
+            match apply_tls_security_profile(&mut builder, &t.text, &None) {
                 Ok(()) => {
-                    assert!(t.want.is_ok());
-                    assert_eq!(builder.min_proto_version(), t.num);
+                    assert!(t.want_ok, "expected error for {:?}", t.text);
+                    if let Some(expected) = t.num {
+                        assert_eq!(builder.min_proto_version(), Some(expected));
+                    } else {
+                        assert_eq!(builder.min_proto_version(), orig_min);
+                    }
                 }
-                Err(e) => assert_eq!(t.want.err().unwrap(), e),
+                Err(_) => assert!(!t.want_ok, "unexpected error for {:?}", t.text),
             }
         }
     }
 
     #[test]
     fn from_min_tls_version_and_ciphersuites() {
-        use std::result::Result;
+        use super::super::apply_tls_security_profile;
 
         struct TlsCiphersuiteTest {
             min_tls_version: Option<String>,
             ciphersuite: Option<String>,
-            want: Result<(), ErrorEx>,
+            want_ok: bool,
         }
 
-        let mut builder = SslContextBuilder::new(SslMethod::tls()).unwrap();
         let tests = [
             TlsCiphersuiteTest {
                 min_tls_version: Some("VersionTLS10".to_string()),
                 ciphersuite: Some(String::new()),
-                want: Err(ErrorEx::InvalidCiphersuite),
+                want_ok: false,
             },
             TlsCiphersuiteTest {
                 min_tls_version: Some("VersionTLS12".to_string()),
                 ciphersuite: Some("AES128-SHA256".to_string()),
-                want: Ok(()),
+                want_ok: true,
             },
             TlsCiphersuiteTest {
                 min_tls_version: Some("VersionTLS13".to_string()),
                 ciphersuite: Some(
                     "TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384".to_string(),
                 ),
-                want: Ok(()),
+                want_ok: true,
             },
         ];
         for t in tests {
-            match builder.set_min_tls_version_and_ciphersuites(&t.min_tls_version, &t.ciphersuite) {
-                Ok(()) => assert!(t.want.is_ok()),
-                Err(e) => assert_eq!(t.want.err().unwrap(), e),
+            let mut builder = SslContextBuilder::new(SslMethod::tls()).unwrap();
+            match apply_tls_security_profile(&mut builder, &t.min_tls_version, &t.ciphersuite) {
+                Ok(()) => assert!(t.want_ok, "expected error for {:?}", t.ciphersuite),
+                Err(_) => assert!(!t.want_ok, "unexpected error for {:?}", t.ciphersuite),
             }
         }
     }
+    // END RED HAT - TLS security profile tests (LOG-3398)
 
     fn settings_from_config(
         enabled: Option<bool>,