chore: provide our own tls config so that we can check that it is FIPSish

Author: apiarian-datadog

bottlecap/Cargo.lock

@@ -15,8 +15,8 @@ datadog-trace-protobuf = { git = "https://github.com/DataDog/libdatadog", rev =
 datadog-trace-utils = { git = "https://github.com/DataDog/libdatadog", rev = "d6a2da32c6b92d6865a7e7987c8a1df2203fb1ae" , features = ["compression"] }
 datadog-trace-normalization = { git = "https://github.com/DataDog/libdatadog",  rev = "d6a2da32c6b92d6865a7e7987c8a1df2203fb1ae" }
 datadog-trace-obfuscation = { git = "https://github.com/DataDog/libdatadog", rev = "d6a2da32c6b92d6865a7e7987c8a1df2203fb1ae"  }
-dogstatsd = { git = "https://github.com/DataDog/serverless-components", rev = "0aac11e23a31cdae22ebe42406028964a2b36cea", default-features = false }
-trace-agent = { git = "https://github.com/DataDog/serverless-components", rev = "0aac11e23a31cdae22ebe42406028964a2b36cea" }
+dogstatsd = { git = "https://github.com/DataDog/serverless-components", branch = "aleksandr.pasechnik/svls-6242-reqwest-fips-tls-injection", default-features = false }
+datadog-trace-agent = { git = "https://github.com/DataDog/serverless-components", branch = "aleksandr.pasechnik/svls-6242-reqwest-fips-tls-injection" }
 figment = { version = "0.10", default-features = false, features = ["yaml", "env"] }
 hyper = { version = "1.6", default-features = false, features = ["server"] }
 hyper-util = { version = "0.1.10", features = [
@@ -53,6 +53,7 @@ futures = { version = "0.3.31", default-features = false }
 serde-aux = { version = "4.7", default-features = false }
 opentelemetry-proto = { version = "0.29", features = ["trace", "with-serde", "gen-tonic"] }
 opentelemetry-semantic-conventions = { version = "0.29", features = ["semconv_experimental"] }
+rustls-native-certs = { version = "0.8.1", optional = true }
 
 [dev-dependencies]
 figment = { version = "0.10", default-features = false, features = ["yaml", "env", "test"] }
@@ -86,5 +87,6 @@ fips = [
     "dogstatsd/fips",
     "reqwest/rustls-tls-native-roots-no-provider",
     "rustls/fips",
+    "rustls-native-certs",
 ]
 force_fallback = []

bottlecap/Cargo.toml

@@ -18,6 +18,7 @@ use bottlecap::{
     },
     event_bus::bus::EventBus,
     events::Event,
+    fips::create_reqwest_client_builder,
     lifecycle::{
         flush_control::FlushControl, invocation::processor::Processor as InvocationProcessor,
         listener::Listener as LifecycleListener,
@@ -229,8 +230,13 @@ async fn main() -> Result<()> {
     let version_without_next = EXTENSION_VERSION.split('-').next().unwrap_or("NA");
     debug!("Starting Datadog Extension {version_without_next}");
     prepare_client_provider()?;
-    let client = Client::builder()
-        .use_rustls_tls()
+    let client = create_reqwest_client_builder()
+        .map_err(|e| {
+            Error::new(
+                std::io::ErrorKind::InvalidData,
+                format!("Failed to create client builder: {e:?}"),
+            )
+        })?
         .no_proxy()
         .build()
         .map_err(|e| {

bottlecap/src/bin/bottlecap/main.rs

@@ -0,0 +1,79 @@
+use reqwest::ClientBuilder;
+use std::error::Error;
+#[cfg(feature = "fips")]
+use tracing::debug;
+
+// TODO: once we confirm that this does what we think it does we'll move it to a separate crate.
+// for now going to copy the this code to bottlecap and make sure that all the clients we build do
+// in fact do the fips thing right.
+
+/// Creates a reqwest client builder with TLS configuration.
+/// When the "fips" feature is enabled, it uses a FIPS-compliant TLS configuration.
+/// Otherwise, it uses reqwest's default rustls TLS implementation.
+#[cfg(not(feature = "fips"))]
+pub fn create_reqwest_client_builder() -> Result<ClientBuilder, Box<dyn Error>> {
+    // Just return the default builder with rustls TLS
+    Ok(reqwest::Client::builder().use_rustls_tls())
+}
+
+/// Creates a reqwest client builder with FIPS-compliant TLS configuration.
+/// This version loads native root certificates and verifies FIPS compliance.
+#[cfg(feature = "fips")]
+pub fn create_reqwest_client_builder() -> Result<ClientBuilder, Box<dyn Error>> {
+    // Get the runtime crypto provider that should have been configured elsewhere in the application
+    let provider =
+        rustls::crypto::CryptoProvider::get_default().ok_or("No crypto provider configured")?;
+
+    // Verify the provider is FIPS-compliant
+    if !provider.fips() {
+        return Err("Crypto provider is not FIPS-compliant".into());
+    }
+
+    // Create an empty root cert store
+    let mut root_cert_store = rustls::RootCertStore::empty();
+
+    // Load native certificates
+    let native_certs = rustls_native_certs::load_native_certs();
+
+    // Add the certificates to the store
+    let mut valid_count = 0;
+
+    for cert in native_certs.certs {
+        match root_cert_store.add(cert) {
+            Ok(()) => valid_count += 1,
+            Err(err) => {
+                // Optionally log errors
+                debug!("Failed to parse certificate: {:?}", err);
+            }
+        }
+    }
+
+    // Verify we have at least some valid certificates
+    if valid_count == 0 {
+        return Err("No valid certificates found in native root store".into());
+    }
+
+    // Configure TLS versions (FIPS typically requires TLS 1.2 or higher)
+    let versions = rustls::ALL_VERSIONS.to_vec();
+
+    // Build the client config
+    let config_builder = rustls::ClientConfig::builder_with_provider(provider.clone())
+        .with_protocol_versions(&versions)
+        .map_err(|_| "Failed to set protocol versions")?;
+
+    // Complete the configuration without client authentication
+    let config = config_builder
+        .with_root_certificates(root_cert_store)
+        .with_no_client_auth();
+
+    // Verify the final config is FIPS-compliant
+    if !config.fips() {
+        return Err("The final TLS configuration is not FIPS-compliant".into());
+    }
+    debug!("Client Builder is in FIPS mode");
+
+    // Create the reqwest client builder with our FIPS-compliant TLS configuration
+    let client_builder = reqwest::Client::builder().use_preconfigured_tls(config);
+
+    Ok(client_builder)
+}

bottlecap/src/fips.rs

@@ -1,5 +1,7 @@
 use crate::config;
+use crate::fips::create_reqwest_client_builder;
 use core::time::Duration;
+use std::error::Error;
 use std::sync::Arc;
 use tracing::error;
 
@@ -15,9 +17,8 @@ pub fn get_client(config: Arc<config::Config>) -> reqwest::Client {
     })
 }
 
-fn build_client(config: Arc<config::Config>) -> Result<reqwest::Client, reqwest::Error> {
-    let client = reqwest::Client::builder()
-        .use_rustls_tls()
+fn build_client(config: Arc<config::Config>) -> Result<reqwest::Client, Box<dyn Error>> {
+    let client = create_reqwest_client_builder()?
         .timeout(Duration::from_secs(config.flush_timeout))
         // Temporarily not force http2
         // Enable HTTP/2 for better multiplexing
@@ -36,8 +37,8 @@ fn build_client(config: Arc<config::Config>) -> Result<reqwest::Client, reqwest:
     // This covers DD_PROXY_HTTPS and HTTPS_PROXY
     if let Some(https_uri) = &config.https_proxy {
         let proxy = reqwest::Proxy::https(https_uri.clone())?;
-        client.proxy(proxy).build()
+        Ok(client.proxy(proxy).build()?)
     } else {
-        client.build()
+        Ok(client.build()?)
     }
 }

bottlecap/src/http_client.rs

@@ -20,6 +20,7 @@
 pub mod config;
 pub mod event_bus;
 pub mod events;
+pub mod fips;
 pub mod http_client;
 pub mod lifecycle;
 pub mod logger;

bottlecap/src/lib.rs

@@ -1,3 +1,6 @@
+use datadog_trace_agent::http_utils::{
+    log_and_create_http_response, log_and_create_traces_success_http_response,
+};
 use datadog_trace_utils::send_data::SendData;
 use datadog_trace_utils::trace_utils::TracerHeaderTags as DatadogTracerHeaderTags;
 use ddcommon::hyper_migration;
@@ -7,9 +10,6 @@ use std::io;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use tokio::sync::mpsc::Sender;
-use trace_agent::http_utils::{
-    log_and_create_http_response, log_and_create_traces_success_http_response,
-};
 use tracing::{debug, error};
 
 use crate::{