Vector implements cryptography and secure communication using the OpenSSL library. In particular, the official Vector binaries are statically linked against OpenSSL version 3.1 and do not use any OpenSSL library installed on the running system.
Note: OpenSSL recognizes a number of environment variables independently of Vector.
Trusted certificates (also called certificate authorities) are used for client and server verification.
By default, OpenSSL looks for trusted certificates in the following locations:
- A single file containing several certificates specified by the
- A directory containing multiple certificate files specified by the
In addition, Vector also looks for trusted certificates in the following locations:
- Probing of common default locations widely used by current operating systems.
Note: It is possible to use specific trusted certificates only for Vector using
The OpenSSL library in Vector can be configured using a configuration file.
By default, OpenSSL looks for a configuration file in the following locations:
- A configuration file specified by the
- The predefined
Note: It is possible to use specific OpenSSL configurations only for Vector using the
In OpenSSL, a provider is a code module that provides one or more implementations for various operations and algorithms used for cryptography and secure communication.
OpenSSL provides a number of its own providers. The most important ones for Vector are:
- The default provider. This provider is built in as part of the libcrypto library and contains all of the most commonly used modern and secure algorithm implementations.
- The legacy provider. This provider is a dynamically loadable module, and must therefore be loaded and configured explicitly, using an OpenSSL configuration. It contains algorithm implementations that are considered insecure, or are no longer in common use such as MD2 or RC4.
- The FIPS provider. This provider is a dynamically loadable module, and must therefore be loaded and configured explicitly, using an OpenSSL configuration. It contains algorithm implementations that have been validated according to the FIPS 140-2 standard.
By default, the OpenSSL library in Vector uses the default provider which includes modern and secure algorithm implementations. If necessary, the legacy provider can be used instead for deployments where older and more insecure algorithms are still in use.
To use the legacy provider in Vector, first create an OpenSSL configuration file as follows:
openssl_conf = openssl_init [openssl_init] providers = provider_sect [provider_sect] default = default_sect legacy = legacy_sect [default_sect] activate = 1 [legacy_sect] activate = 1
Then, run Vector with
OPENSSL_CONF set to the path where the file above can be found:
OPENSSL_CONF=/path/to/openssl-legacy.cnf \ vector --config /path/to/vector.yaml
Note: If the above configuration file is saved in
/usr/local/ssl/openssl.cnf Vector automatically
finds it without using
OPENSSL_CONF. However, this approach is not recommended because other applications
in the running system may also use this file and unintentionally switch to the legacy provider.
Not all versions of the OpenSSL FIPS module have been validated. However, it is possible to use previous validated versions of the FIPS module with newer versions of OpenSSL, such as the version used in Vector. This use case is also documented in the installation instructions linked above.
Once the FIPS module is installed and configured, a
fips.so (on Unix) or
fips.dll (on Windows)
module file, and a
fipsmodule.cnf configuration file should be available to use in Vector.
An OpenSSL configuration file must be then created as follows:
config_diagnostics = 1 openssl_conf = openssl_init .include /path/to/fipsmodule.cnf [openssl_init] providers = provider_sect alg_section = algorithm_sect [provider_sect] fips = fips_sect base = base_sect [base_sect] activate = 1 [algorithm_sect] default_properties = fips=yes
Then, run Vector with
OPENSSL_CONF set to the path where the file above can be found and
OPENSSL_MODULES set to the path where the FIPS module files are installed:
OPENSSL_CONF=/path/to/openssl-fips.cnf \ OPENSSL_MODULES=/path/to/fips-modules \ vector --config /path/to/vector.yaml
Note: If the running system already has a system-wide OpenSSL FIPS installation and an OpenSSL configuration file for it, Vector can also use them directly with the above environment variables.