Skip to content

chore(agent-data-plane): switch to CNG for TLS backend on Windows#1887

Closed
tobz wants to merge 6 commits into
mainfrom
tobz/windows-cng-rustls
Closed

chore(agent-data-plane): switch to CNG for TLS backend on Windows#1887
tobz wants to merge 6 commits into
mainfrom
tobz/windows-cng-rustls

Conversation

@tobz

@tobz tobz commented Jun 18, 2026

Copy link
Copy Markdown
Member

Summary

This PR switches the rustls crypto provider backend to the native Microsoft crypto stack (CNG) for Windows builds.

Currently, we use AWS-LC for all platforms, which functionally is correct but has one big problem: FIPS validation on Windows. While AWS-LC FIPS 3.x is validated for Linux x86_64/aarch64, it is not validated for Windows at all. We don't want to spend time or energy trying to deal with auditors to argue about how it may or may not be fine to call it vendor-affirmed... we just want something that is unquestionably already validated.

This PR switches to using rustls-cng-crypto on Windows, which uses Cryptography API: Next Generation (CNG), a native cryptography library provided through Windows itself: nothing to bundle with ADP, it's just available for us. Additionally, Microsoft has already gone through the hard part of getting FIPS validation for CNG, which is the same approach that the Datadog Agent takes, actually, for delivering a FIPS compliant build on Windows.

In order to keep things simple, we're using the CNG backend for all Windows builds, rather than just Windows FIPS builds.

Change Type

  • Bug fix
  • New feature
  • Non-functional (chore, refactoring, docs)
  • Performance

How did you test this PR?

  • Ensure Windows builds pass in CI.
  • Ensure unit/integration tests on Windows pass in CI.
  • Try manually running the Windows FIPS build on Windows with and without FIPS enabled to validate functionality and fast-exit when FIPS is not enabled at the OS level.

References

DADP-2

@tobz tobz added the type/chore Updates to dependencies or general "administrative" tasks necessary to maintain the codebase/repo. label Jun 18, 2026
@dd-octo-sts dd-octo-sts Bot added area/core Core functionality, event model, etc. area/io General I/O and networking. area/components Sources, transforms, and destinations. area/ci CI/CD, automated testing, etc. area/observability Internal observability of ADP and Saluki. area/docs Reference documentation. labels Jun 18, 2026
@datadog-official

datadog-official Bot commented Jun 18, 2026

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/saluki | binary-size-analysis   View in Datadog   GitLab

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 3ff25a1 | Docs | Datadog PR Page | Give us feedback!

@pr-commenter

pr-commenter Bot commented Jun 18, 2026

Copy link
Copy Markdown

Binary Size Analysis (Agent Data Plane)

Baseline: 3ecd1e0 · Comparison: 95c806f · diff
Analysis Configuration: stripped binaries · Pass/Fail Threshold: +5%
Sizes: 40.14 MiB (baseline) vs 40.14 MiB (comparison)
Size Change: -3.38 KiB (-0.01%)

✅ Binary size difference within threshold

Changes by Module
Module File Size Symbols
anon.2fa28324a02dc2cb3900149cb35686de.52.llvm.3418522726393631319 -16.88 KiB 1
anon.71c1f068847d886324162068124709c1.350.llvm.9379758517637157945 +16.87 KiB 1
anon.b877a4b99663b9a18f303ea06c5c1c07.332.llvm.17587877288490555312 +13.81 KiB 1
anon.855bd1f3aab73739536d50907e521fa7.475.llvm.9358083748291856240 -13.81 KiB 1
serde_json +7.24 KiB 302
figment -7.20 KiB 589
anon.b5248c7eec540d89c1bfd951917b92fa.162.llvm.7763143091765776288 -6.71 KiB 1
anon.1cb8c6e8937c4f16fdf95f2e5b6f014e.37.llvm.18077089214102119663 +6.71 KiB 1
anon.c25c913790dfde6cb211f8aa59520815.13.llvm.2062042948546246284 +3.99 KiB 1
anon.25fa2e408a4a946d9ec085a90869887e.76.llvm.12941989099647424432 -3.89 KiB 1
anon.194d1be3d199b145fb3766a52e636968.198.llvm.6369226200542766776 -3.65 KiB 1
anon.b3d5d5fd69872b9304f15a2c9b377da7.6.llvm.7212443817926700567 +3.65 KiB 1
anon.4e30bd26b3561b4178ac48831e5a00b4.42.llvm.16543335135297065867 +3.37 KiB 1
anon.0e1e4e06a12a3c063e051bbfece290e0.19.llvm.6266863115024496749 -3.37 KiB 1
anon.d23c0c8ca569ba72493d848fa7c83d36.170.llvm.6694125141233978070 +2.51 KiB 1
anon.fd03a20a89b32c575f637581657456fa.408.llvm.17365976457567941112 -2.42 KiB 1
anon.ebb7a16da84e2cc5e233b01b11a3a88f.6.llvm.8923889183898943507 +2.29 KiB 1
anon.7daafba63a900654bbfacd253692a086.207.llvm.16753606868781701738 -2.29 KiB 1
anon.30e71497def4fdc34a015015a6b4dac6.23.llvm.3028058820121641681 -2.04 KiB 1
anon.1cb8c6e8937c4f16fdf95f2e5b6f014e.121.llvm.18077089214102119663 +2.04 KiB 1
Detailed Symbol Changes
    FILE SIZE        VM SIZE    
 --------------  -------------- 
  [NEW] +53.7Ki  [NEW] +53.5Ki    saluki_components::common::datadog::io::run_endpoint_io_loop::_{{closure}}::h66dfb5414f5efbeb
  [NEW] +39.0Ki  [NEW] +38.9Ki    agent_data_plane::cli::run::handle_run_command::_{{closure}}::h9aa1f8e38fb5c7b4
  [NEW] +38.4Ki  [NEW] +38.2Ki    _<saluki_components::forwarders::otlp::OtlpForwarder as saluki_core::components::forwarders::Forwarder>::run::_{{closure}}::hff9b207e8dab275c
  [NEW] +35.6Ki  [NEW] +35.4Ki    _<saluki_components::transforms::aggregate::Aggregate as saluki_core::components::transforms::Transform>::run::_{{closure}}::hfc99b1baa8c55df4
  [NEW] +30.3Ki  [NEW] +30.2Ki    agent_data_plane::cli::dogstatsd::handle_dogstatsd_command::_{{closure}}::h93976a1361b11e09
  [NEW] +28.2Ki  [NEW] +28.1Ki    saluki_components::sources::otlp::metrics::translator::OtlpMetricsTranslator::translate_metrics::he463211af758f070
  [NEW] +26.0Ki  [NEW] +25.7Ki    _<saluki_components::sources::dogstatsd::_::<impl serde_core::de::Deserialize for saluki_components::sources::dogstatsd::DogStatsDConfiguration>::deserialize::__Visitor as serde_core::de::Visitor>::visit_map::h91072d65b3d1c713
  [NEW] +25.2Ki  [NEW] +25.1Ki    saluki_components::sources::dogstatsd::drive_stream::_{{closure}}::hf1c4e303cd789b90
  [NEW] +25.1Ki  [NEW] +24.9Ki    core::ptr::drop_in_place<agent_data_plane::cli::run::handle_run_command::{{closure}}>::hf50f0ab48cee15dd
  [NEW] +24.7Ki  [NEW] +24.6Ki    agent_data_plane::internal::remote_agent::run_remote_agent_registration_loop::_{{closure}}::h01c1bf96153869fa
  -0.0% -3.31Ki  -0.0%     -60    [43284 Others]
  [DEL] -24.8Ki  [DEL] -24.6Ki    agent_data_plane::internal::remote_agent::run_remote_agent_registration_loop::_{{closure}}::h0ea8a652c7dd684c
  [DEL] -25.1Ki  [DEL] -24.9Ki    core::ptr::drop_in_place<agent_data_plane::cli::run::handle_run_command::{{closure}}>::h1739dc110e7bcef0
  [DEL] -25.2Ki  [DEL] -25.1Ki    saluki_components::sources::dogstatsd::drive_stream::_{{closure}}::h1d388399401be1d7
  [DEL] -26.0Ki  [DEL] -25.7Ki    _<saluki_components::sources::dogstatsd::_::<impl serde_core::de::Deserialize for saluki_components::sources::dogstatsd::DogStatsDConfiguration>::deserialize::__Visitor as serde_core::de::Visitor>::visit_map::h965fa601ee3e4b25
  [DEL] -28.2Ki  [DEL] -28.1Ki    saluki_components::sources::otlp::metrics::translator::OtlpMetricsTranslator::translate_metrics::h25eea425da8db242
  [DEL] -30.3Ki  [DEL] -30.2Ki    agent_data_plane::cli::dogstatsd::handle_dogstatsd_command::_{{closure}}::h07109a4b4c5e1085
  [DEL] -35.5Ki  [DEL] -35.3Ki    _<saluki_components::transforms::aggregate::Aggregate as saluki_core::components::transforms::Transform>::run::_{{closure}}::hbad4d16da3c86eb9
  [DEL] -38.4Ki  [DEL] -38.2Ki    _<saluki_components::forwarders::otlp::OtlpForwarder as saluki_core::components::forwarders::Forwarder>::run::_{{closure}}::he152d08259d7cb93
  [DEL] -39.0Ki  [DEL] -38.9Ki    agent_data_plane::cli::run::handle_run_command::_{{closure}}::h70312369dcc72c92
  [DEL] -53.8Ki  [DEL] -53.6Ki    saluki_components::common::datadog::io::run_endpoint_io_loop::_{{closure}}::h2f62230e50a7cd8f
  -0.0% -3.38Ki  -0.0%    -132    TOTAL

@pr-commenter

pr-commenter Bot commented Jun 18, 2026

Copy link
Copy Markdown

Regression Detector (Agent Data Plane)

Run ID: 218cad3b-97bd-475a-b67b-73d9f89d2a35
Baseline: 35ec8390 · Comparison: 3ff25a1d · diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment (35)

Experiments configured erratic: true are tagged (ignored) and skipped when determining which experiments regressed or improved. Experiments which are detected as erratic at runtime are tagged (erratic) to flag that the run's sample dispersion was high, but their regression / improvement signal still counts.

experiment goal Δ mean % links
dsd_uds_512kb_3k_contexts_cpu (erratic) cpu ⚪ +8.98 metrics profiles logs
otlp_ingest_logs_5mb_memory (ignored) memory ⚪ +3.18 metrics profiles logs
dsd_uds_500mb_3k_contexts_throughput throughput ⚪ -2.38 metrics profiles logs
otlp_ingest_metrics_5mb_cpu (erratic) cpu ⚪ +2.12 metrics profiles logs
otlp_ingest_logs_5mb_cpu (ignored) cpu ⚪ +1.18 metrics profiles logs
otlp_ingest_traces_ottl_transform_5mb_cpu (erratic) cpu ⚪ +0.57 metrics profiles logs
dsd_uds_10mb_3k_contexts_cpu (erratic) cpu ⚪ +0.40 metrics profiles logs
quality_gates_rss_dsd_heavy memory ⚪ +0.30 metrics profiles logs
otlp_ingest_traces_5mb_memory memory ⚪ +0.27 metrics profiles logs
otlp_ingest_traces_ottl_filtering_5mb_throughput throughput ⚪ -0.22 metrics profiles logs
otlp_ingest_traces_ottl_filtering_5mb_memory memory ⚪ +0.18 metrics profiles logs
dsd_uds_500mb_3k_contexts_cpu (erratic) cpu ⚪ +0.13 metrics profiles logs
dsd_uds_10mb_3k_contexts_memory memory ⚪ +0.12 metrics profiles logs
otlp_ingest_traces_ottl_transform_5mb_memory memory ⚪ +0.04 metrics profiles logs
dsd_uds_1mb_3k_contexts_cpu (erratic) cpu ⚪ +0.02 metrics profiles logs
otlp_ingest_traces_ottl_transform_5mb_throughput throughput ⚪ -0.02 metrics profiles logs
otlp_ingest_metrics_5mb_throughput throughput ⚪ -0.02 metrics profiles logs
dsd_uds_100mb_3k_contexts_memory memory ⚪ +0.01 metrics profiles logs
dsd_uds_1mb_3k_contexts_throughput throughput ⚪ -0.00 metrics profiles logs
dsd_uds_1mb_3k_contexts_memory memory ⚪ +0.00 metrics profiles logs
otlp_ingest_metrics_5mb_memory memory ⚪ -0.00 metrics profiles logs
dsd_uds_512kb_3k_contexts_throughput throughput ⚪ +0.00 metrics profiles logs
otlp_ingest_logs_5mb_throughput (ignored) throughput ⚪ +0.00 metrics profiles logs
dsd_uds_100mb_3k_contexts_throughput throughput ⚪ +0.01 metrics profiles logs
dsd_uds_10mb_3k_contexts_throughput throughput ⚪ +0.02 metrics profiles logs
quality_gates_rss_idle memory ⚪ -0.07 metrics profiles logs
quality_gates_rss_dsd_medium memory ⚪ -0.07 metrics profiles logs
otlp_ingest_traces_5mb_throughput throughput ⚪ +0.09 metrics profiles logs
quality_gates_rss_dsd_ultraheavy memory ⚪ -0.15 metrics profiles logs
dsd_uds_512kb_3k_contexts_memory memory ⚪ -0.18 metrics profiles logs
quality_gates_rss_dsd_low memory ⚪ -0.25 metrics profiles logs
dsd_uds_500mb_3k_contexts_memory memory ⚪ -0.40 metrics profiles logs
otlp_ingest_traces_ottl_filtering_5mb_cpu (erratic) cpu ⚪ -0.66 metrics profiles logs
otlp_ingest_traces_5mb_cpu (erratic) cpu ⚪ -1.86 metrics profiles logs
dsd_uds_100mb_3k_contexts_cpu (erratic) cpu ⚪ -1.86 metrics profiles logs
Bounds Checks: ❌ Failed (5)
experiment check replicates observed links
quality_gates_rss_dsd_heavy memory_usage 9/10 ❌ 140 MiB ≤ 140 MiB metrics profiles logs
quality_gates_rss_dsd_low memory_usage 10/10 ✅ 42.3 MiB ≤ 50 MiB metrics profiles logs
quality_gates_rss_dsd_medium memory_usage 10/10 ✅ 64.4 MiB ≤ 75 MiB metrics profiles logs
quality_gates_rss_dsd_ultraheavy memory_usage 10/10 ✅ 192 MiB ≤ 200 MiB metrics profiles logs
quality_gates_rss_idle memory_usage 10/10 ✅ 28.4 MiB ≤ 40 MiB metrics profiles logs
Explanation

A change is flagged as a regression when |Δ mean %| > 5.00% in the regressing direction for its optimization goal AND SMP marks the experiment as a regression (is_regression: true). Improvements use the matching criteria for the improving direction. Experiments configured erratic: true (tagged (ignored)) are skipped outright; experiments detected as erratic at runtime (tagged (erratic)) still count, since that flag describes sample dispersion rather than directional certainty. The Δ mean % cell is colored accordingly: 🟢 = improvement, 🔴 = regression, ⚪ = neutral. Reduction in CPU or memory is an improvement; reduction in ingress throughput is a regression.

@tobz tobz marked this pull request as ready for review June 18, 2026 16:18
@tobz tobz requested a review from a team as a code owner June 18, 2026 16:18

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c4d366e06b

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread Cargo.toml
# see `saluki-tls`. Pinned to an upstream commit past the 0.1.0 crates.io release: 0.1.0 directly depends
# on rustls-webpki 0.102 (open RUSTSEC advisories), which upstream has since dropped (alg_id now comes from
# rustls-pki-types). Switch back to a crates.io version once a release newer than 0.1.0 is published.
rustls-cng-crypto = { git = "https://github.com/tofay/rustls-cng-crypto", rev = "955b52e27ac76041e04459122ab4652875ab39a8", default-features = false, features = ["tls12"] }

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Patch the broken CNG AES-256 ECDSA suite

At the pinned rustls-cng-crypto rev 955b52e, its TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 suite is wired to AES_128_GCM; because this change installs that provider for Windows, any Windows TLS 1.2 connection to an ECDSA endpoint that selects that common AES-256 suite derives the wrong traffic keys and fails during the handshake/first record. Please filter that suite with a custom provider or patch/fork the provider before making it the Windows default.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will fix this bug and others we are finding in rustls-cng-crypto in a fork of that repository

Comment thread ci/tooling/package-adp-zip.ps1 Outdated
Comment thread ci/tooling/package-adp-zip.ps1 Outdated
Comment thread ci/tooling/windows-build-adp.ps1 Outdated
Comment thread ci/tooling/windows-rust-env.psm1 Outdated
Comment thread lib/saluki-components/Cargo.toml Outdated

@thieman thieman left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good for now but we need to fix some of the issues in rustls-cng-crypto and switch to our fork before merging this, or at least before our next release

@tobz tobz force-pushed the tobz/windows-cng-rustls branch from 95c806f to 3ff25a1 Compare June 18, 2026 18:58

tobz commented Jun 18, 2026

Copy link
Copy Markdown
Member Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@tobz

tobz commented Jun 26, 2026

Copy link
Copy Markdown
Member Author

Closing in favor of #1929

@tobz tobz closed this Jun 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/ci CI/CD, automated testing, etc. area/components Sources, transforms, and destinations. area/core Core functionality, event model, etc. area/docs Reference documentation. area/io General I/O and networking. area/observability Internal observability of ADP and Saluki. type/chore Updates to dependencies or general "administrative" tasks necessary to maintain the codebase/repo.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants