[fips] enable fips rustls by default

Igor Smolyar · igorscs · commit d5a90551464a · 2026-01-13T01:58:00.000Z
diff --git a/.github/workflows/build-rust.yml b/.github/workflows/build-rust.yml
@@ -69,10 +69,6 @@ jobs:
       - name: Build Rust binaries
         run: |
           FEATURES="${{ env.CARGO_FEATURES_BASE }}"
-          case "${{ matrix.target }}" in
-            *musl*) ;; # OpenSSL’s FIPS mode is implemented as a dynamically loaded provider (fips.so)
-            *) FEATURES="$FEATURES,fips" ;;
-          esac
           cargo build ${{ env.CARGO_FLAGS }} --features "$FEATURES" --target=${{ matrix.target }}
 
       - name: Print sccache stats
@@ -84,10 +80,6 @@ jobs:
         id: collect
         run: |
           FEATURES="${{ env.CARGO_FEATURES_BASE }}"
-          case "${{ matrix.target }}" in
-            *musl*) ;; # OpenSSL’s FIPS mode is implemented as a dynamically loaded provider (fips.so)
-            *) FEATURES="$FEATURES,fips" ;;
-          esac
           # Run again with --message-format=json to list out executables
           # (No real recompile since nothing has changed).
           # Then transform newlines to spaces for the artifact step.
diff --git a/crates/adapters/Cargo.toml b/crates/adapters/Cargo.toml
@@ -25,7 +25,6 @@ default = [
     "with-redis",
     "with-nats",
 ]
-fips = ["rustls/fips"]
 with-kafka = ["rdkafka"]
 with-deltalake = ["deltalake", "deltalake-catalog-unity"]
 with-iceberg = ["feldera-iceberg"]
@@ -110,7 +109,7 @@ utoipa = { workspace = true }
 chrono = { workspace = true, features = ["rkyv-64", "serde"] }
 colored = { workspace = true }
 uuid = { workspace = true, features = ["v4", "std"] }
-rustls = { workspace = true }
+rustls = { workspace = true, features = ["fips"] }
 rkyv = { workspace = true, features = ["std", "size_64"] }
 csv-core = { workspace = true }
 rand = { workspace = true, features = ["small_rng"] }
diff --git a/crates/pipeline-manager/Cargo.toml b/crates/pipeline-manager/Cargo.toml
@@ -23,10 +23,10 @@ feldera-types = { workspace = true }
 feldera-cloud1-client = { workspace = true }
 feldera-ir = { workspace = true }
 
-# Cryptography provider
+# Cryptography provider (FIPS enabled by default)
 # Make sure this is the same rustls version used by other crates in the dependency tree.
 # See the `ensure_default_crypto_provider` function at the root of this crate.
-rustls = { workspace = true }
+rustls = { workspace = true, features = ["fips"] }
 
 # Logging
 tracing = { workspace = true }
@@ -117,7 +117,6 @@ tikv-jemallocator = { workspace = true, features = ["profiling", "unprefixed_mal
 default = ["postgresql_embedded"]
 feldera-enterprise = []
 runtime-version = []
-fips = ["rustls/fips"]
 
 [build-dependencies]
 change-detection = { workspace = true }
