From 08de065db947f06d9caac0b2bf4ddc12cd8fe87c Mon Sep 17 00:00:00 2001
From: Mac L <mjladson@pm.me>
Date: Sat, 7 Feb 2026 22:50:47 +1100
Subject: [PATCH 1/3] Remove openssl

---
 Cargo.lock                                    | 268 ++++++++++--------
 Cargo.toml                                    |   1 -
 .../initialized_validators/Cargo.toml         |   2 +
 .../initialized_validators/src/lib.rs         |  25 +-
 4 files changed, 171 insertions(+), 125 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 0d045371294..40a09bf1bd7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1481,6 +1481,15 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "block-padding"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8894febbff9f758034a5b8e12d87918f56dfc64a8e1fe757d65e29041538d93"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "block2"
 version = "0.6.2"
@@ -1694,6 +1703,15 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
 
+[[package]]
+name = "cbc"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26b52a9543ae338f279b96b0b9fed9c8093744685043739079ce85cd58f289a6"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "cc"
 version = "1.2.49"
@@ -1923,6 +1941,18 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "cms"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b77c319abfd5219629c45c34c89ba945ed3c5e49fcde9d16b6c3885f118a730"
+dependencies = [
+ "const-oid",
+ "der",
+ "spki",
+ "x509-cert",
+]
+
 [[package]]
 name = "colorchoice"
 version = "1.0.4"
@@ -2492,6 +2522,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
 dependencies = [
  "const-oid",
+ "der_derive",
+ "flagset",
+ "pem-rfc7468",
  "zeroize",
 ]
 
@@ -2509,6 +2542,17 @@ dependencies = [
  "rusticata-macros",
 ]
 
+[[package]]
+name = "der_derive"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.111",
+]
+
 [[package]]
 name = "deranged"
 version = "0.5.5"
@@ -2577,6 +2621,15 @@ dependencies = [
  "unicode-xid",
 ]
 
+[[package]]
+name = "des"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ffdd80ce8ce993de27e9f063a444a4d53ce8e8db4c1f00cc03af5ad5a9867a1e"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "digest"
 version = "0.9.0"
@@ -3486,6 +3539,12 @@ dependencies = [
  "safe_arith",
 ]
 
+[[package]]
+name = "flagset"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7ac824320a75a52197e8f2d787f6a38b6718bb6897a35142d749af3c0e8f4fe"
+
 [[package]]
 name = "flate2"
 version = "1.1.5"
@@ -3516,21 +3575,6 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
 
-[[package]]
-name = "foreign-types"
-version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
-dependencies = [
- "foreign-types-shared",
-]
-
-[[package]]
-name = "foreign-types-shared"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
-
 [[package]]
 name = "fork_choice"
 version = "0.1.0"
@@ -4307,22 +4351,6 @@ dependencies = [
  "tower-service",
 ]
 
-[[package]]
-name = "hyper-tls"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
-dependencies = [
- "bytes",
- "http-body-util",
- "hyper 1.8.1",
- "hyper-util",
- "native-tls",
- "tokio",
- "tokio-native-tls",
- "tower-service",
-]
-
 [[package]]
 name = "hyper-util"
 version = "0.1.19"
@@ -4598,7 +4626,9 @@ dependencies = [
  "filesystem",
  "lockfile",
  "metrics",
+ "p12-keystore",
  "parking_lot",
+ "pem",
  "rand 0.9.2",
  "reqwest",
  "serde",
@@ -4619,6 +4649,7 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01"
 dependencies = [
+ "block-padding",
  "generic-array",
 ]
 
@@ -5949,23 +5980,6 @@ dependencies = [
  "unsigned-varint",
 ]
 
-[[package]]
-name = "native-tls"
-version = "0.2.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e"
-dependencies = [
- "libc",
- "log",
- "openssl",
- "openssl-probe",
- "openssl-sys",
- "schannel",
- "security-framework 2.11.1",
- "security-framework-sys",
- "tempfile",
-]
-
 [[package]]
 name = "netlink-packet-core"
 version = "0.7.0"
@@ -6350,60 +6364,12 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
-[[package]]
-name = "openssl"
-version = "0.10.75"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328"
-dependencies = [
- "bitflags 2.10.0",
- "cfg-if",
- "foreign-types",
- "libc",
- "once_cell",
- "openssl-macros",
- "openssl-sys",
-]
-
-[[package]]
-name = "openssl-macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.111",
-]
-
 [[package]]
 name = "openssl-probe"
 version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 
-[[package]]
-name = "openssl-src"
-version = "300.5.4+3.5.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a507b3792995dae9b0df8a1c1e3771e8418b7c2d9f0baeba32e6fe8b06c7cb72"
-dependencies = [
- "cc",
-]
-
-[[package]]
-name = "openssl-sys"
-version = "0.9.111"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321"
-dependencies = [
- "cc",
- "libc",
- "openssl-src",
- "pkg-config",
- "vcpkg",
-]
-
 [[package]]
 name = "opentelemetry"
 version = "0.30.0"
@@ -6504,6 +6470,29 @@ dependencies = [
  "types",
 ]
 
+[[package]]
+name = "p12-keystore"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8d55319bae67f92141ce4da80c5392acd3d1323bd8312c1ffdfb018927d07d7"
+dependencies = [
+ "base64 0.22.1",
+ "cbc",
+ "cms",
+ "der",
+ "des",
+ "hex",
+ "hmac",
+ "pkcs12",
+ "pkcs5",
+ "rand 0.9.2",
+ "rc2",
+ "sha1",
+ "sha2",
+ "thiserror 2.0.17",
+ "x509-parser",
+]
+
 [[package]]
 name = "page_size"
 version = "0.6.0"
@@ -6606,6 +6595,15 @@ dependencies = [
  "serde_core",
 ]
 
+[[package]]
+name = "pem-rfc7468"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+dependencies = [
+ "base64ct",
+]
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.2"
@@ -6654,6 +6652,36 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
+[[package]]
+name = "pkcs12"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "695b3df3d3cc1015f12d70235e35b6b79befc5fa7a9b95b951eab1dd07c9efc2"
+dependencies = [
+ "cms",
+ "const-oid",
+ "der",
+ "digest 0.10.7",
+ "spki",
+ "x509-cert",
+ "zeroize",
+]
+
+[[package]]
+name = "pkcs5"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e847e2c91a18bfa887dd028ec33f2fe6f25db77db3619024764914affe8b69a6"
+dependencies = [
+ "aes",
+ "cbc",
+ "der",
+ "pbkdf2",
+ "scrypt",
+ "sha2",
+ "spki",
+]
+
 [[package]]
 name = "pkcs8"
 version = "0.10.2"
@@ -7252,6 +7280,15 @@ dependencies = [
  "crossbeam-utils",
 ]
 
+[[package]]
+name = "rc2"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62c64daa8e9438b84aaae55010a93f396f8e60e3911590fcba770d04643fc1dd"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "rcgen"
 version = "0.13.2"
@@ -7359,11 +7396,9 @@ dependencies = [
  "http-body-util",
  "hyper 1.8.1",
  "hyper-rustls",
- "hyper-tls",
  "hyper-util",
  "js-sys",
  "log",
- "native-tls",
  "percent-encoding",
  "pin-project-lite",
  "quinn",
@@ -7374,7 +7409,6 @@ dependencies = [
  "serde_urlencoded",
  "sync_wrapper",
  "tokio",
- "tokio-native-tls",
  "tokio-rustls 0.26.4",
  "tokio-util",
  "tower 0.5.2",
@@ -7643,7 +7677,7 @@ dependencies = [
  "openssl-probe",
  "rustls-pki-types",
  "schannel",
- "security-framework 3.5.1",
+ "security-framework",
 ]
 
 [[package]]
@@ -7846,19 +7880,6 @@ dependencies = [
  "cc",
 ]
 
-[[package]]
-name = "security-framework"
-version = "2.11.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
-dependencies = [
- "bitflags 2.10.0",
- "core-foundation 0.9.4",
- "core-foundation-sys",
- "libc",
- "security-framework-sys",
-]
-
 [[package]]
 name = "security-framework"
 version = "3.5.1"
@@ -8909,16 +8930,6 @@ dependencies = [
  "syn 2.0.111",
 ]
 
-[[package]]
-name = "tokio-native-tls"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
-dependencies = [
- "native-tls",
- "tokio",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.25.0"
@@ -10400,6 +10411,17 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "x509-cert"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1301e935010a701ae5f8655edc0ad17c44bad3ac5ce8c39185f75453b720ae94"
+dependencies = [
+ "const-oid",
+ "der",
+ "spki",
+]
+
 [[package]]
 name = "x509-parser"
 version = "0.17.0"
diff --git a/Cargo.toml b/Cargo.toml
index 4e28b124ede..f08fa884291 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -224,7 +224,6 @@ reqwest = { version = "0.12", default-features = false, features = [
     "json",
     "stream",
     "rustls-tls",
-    "native-tls-vendored",
 ] }
 ring = "0.17"
 rpds = "0.11"
diff --git a/validator_client/initialized_validators/Cargo.toml b/validator_client/initialized_validators/Cargo.toml
index 8b2ae62aea3..53191ffe1ee 100644
--- a/validator_client/initialized_validators/Cargo.toml
+++ b/validator_client/initialized_validators/Cargo.toml
@@ -12,7 +12,9 @@ eth2_keystore = { workspace = true }
 filesystem = { workspace = true }
 lockfile = { workspace = true }
 metrics = { workspace = true }
+p12-keystore = "0.2"
 parking_lot = { workspace = true }
+pem = "3"
 rand = { workspace = true }
 reqwest = { workspace = true }
 serde = { workspace = true }
diff --git a/validator_client/initialized_validators/src/lib.rs b/validator_client/initialized_validators/src/lib.rs
index db6d03174dd..8928e4f5084 100644
--- a/validator_client/initialized_validators/src/lib.rs
+++ b/validator_client/initialized_validators/src/lib.rs
@@ -397,6 +397,7 @@ pub fn load_pem_certificate<P: AsRef<Path>>(pem_path: P) -> Result<Certificate,
     Certificate::from_pem(&buf).map_err(Error::InvalidWeb3SignerRootCertificate)
 }
 
+// Read a PKCS12 identity certificate and parse it into a PEM certificate.
 pub fn load_pkcs12_identity<P: AsRef<Path>>(
     pkcs12_path: P,
     password: &str,
@@ -406,7 +407,29 @@ pub fn load_pkcs12_identity<P: AsRef<Path>>(
         .map_err(Error::InvalidWeb3SignerClientIdentityCertificateFile)?
         .read_to_end(&mut buf)
         .map_err(Error::InvalidWeb3SignerClientIdentityCertificateFile)?;
-    Identity::from_pkcs12_der(&buf, password)
+
+    let keystore = p12_keystore::KeyStore::from_pkcs12(&buf, password).map_err(|e| {
+        Error::InvalidWeb3SignerClientIdentityCertificateFile(io::Error::new(
+            io::ErrorKind::InvalidData,
+            format!("PKCS12 parse error: {e:?}"),
+        ))
+    })?;
+
+    let (_alias, key_chain) = keystore
+        .private_key_chain()
+        .ok_or(Error::MissingWeb3SignerClientIdentityCertificateFile)?;
+
+    let key_pem = pem::encode(&pem::Pem::new("PRIVATE KEY", key_chain.key()));
+    let certs_pem: String = key_chain
+        .chain()
+        .iter()
+        .map(|cert| pem::encode(&pem::Pem::new("CERTIFICATE", cert.as_der())))
+        .collect::<Vec<_>>()
+        .join("\n");
+
+    let combined_pem = format!("{key_pem}\n{certs_pem}");
+
+    Identity::from_pem(combined_pem.as_bytes())
         .map_err(Error::InvalidWeb3SignerClientIdentityCertificate)
 }
 

From 8ea68c29bc98e0387b4dc105acf956ea2dbc9ac6 Mon Sep 17 00:00:00 2001
From: Mac L <mjladson@pm.me>
Date: Sat, 7 Feb 2026 23:05:50 +1100
Subject: [PATCH 2/3] Try removing legacy key for MacOS

---
 testing/web3signer_tests/src/lib.rs              |   6 +-----
 testing/web3signer_tests/tls/generate.sh         |   8 --------
 .../tls/lighthouse/key_legacy.p12                | Bin 4221 -> 0 bytes
 3 files changed, 1 insertion(+), 13 deletions(-)
 delete mode 100644 testing/web3signer_tests/tls/lighthouse/key_legacy.p12

diff --git a/testing/web3signer_tests/src/lib.rs b/testing/web3signer_tests/src/lib.rs
index 0483f615386..4b9432b67b3 100644
--- a/testing/web3signer_tests/src/lib.rs
+++ b/testing/web3signer_tests/src/lib.rs
@@ -137,11 +137,7 @@ mod tests {
     }
 
     fn client_identity_path() -> PathBuf {
-        if cfg!(target_os = "macos") {
-            tls_dir().join("lighthouse").join("key_legacy.p12")
-        } else {
-            tls_dir().join("lighthouse").join("key.p12")
-        }
+        tls_dir().join("lighthouse").join("key.p12")
     }
 
     fn client_identity_password() -> String {
diff --git a/testing/web3signer_tests/tls/generate.sh b/testing/web3signer_tests/tls/generate.sh
index 3b14dbddba3..31900d5d902 100755
--- a/testing/web3signer_tests/tls/generate.sh
+++ b/testing/web3signer_tests/tls/generate.sh
@@ -1,12 +1,5 @@
 #!/bin/bash
 
-# The lighthouse/key_legacy.p12 file is generated specifically for macOS because the default `openssl pkcs12` encoding
-# algorithm in OpenSSL v3 is not compatible with the PKCS algorithm used by the Apple Security Framework. The client
-# side (using the reqwest crate) relies on the Apple Security Framework to parse PKCS files.
-# We don't need to generate web3signer/key_legacy.p12 because the compatibility issue doesn't occur on the web3signer
-# side. It seems that web3signer (Java) uses its own implementation to parse PKCS files.
-# See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2469252651
-
 # We specify `-days 825` when generating the certificate files because Apple requires TLS server certificates to have a
 # validity period of 825 days or fewer.
 # See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2474979183
@@ -16,5 +9,4 @@ openssl pkcs12 -export -out web3signer/key.p12 -inkey web3signer/key.key -in web
 cp web3signer/cert.pem lighthouse/web3signer.pem &&
 openssl req -x509 -sha256 -nodes -days 825 -newkey rsa:4096 -keyout lighthouse/key.key -out lighthouse/cert.pem -config lighthouse/config &&
 openssl pkcs12 -export -out lighthouse/key.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
-openssl pkcs12 -export -legacy -out lighthouse/key_legacy.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
 openssl x509 -noout -fingerprint -sha256 -inform pem -in lighthouse/cert.pem | cut -b 20-| sed "s/^/lighthouse /" > web3signer/known_clients.txt
diff --git a/testing/web3signer_tests/tls/lighthouse/key_legacy.p12 b/testing/web3signer_tests/tls/lighthouse/key_legacy.p12
deleted file mode 100644
index c3394fae9af893142c035e087fa752c5225eefde..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4221
zcmV-@5Q6V8f)IHE0Ru3C5I+V9Duzgg_YDCD0ic2qFa&}SEHHu)C@_KsUj_*(hDe6@
z4FLxRpn?WaFoFh50s#Opf(Atf2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=xX|o@
zlk;I>0s;sCfPw}XdgI(fT@^x}(`3PBdm*Ho@y&3CpRAjR6oM;$OHD}Ua=k?g4zRjN
z&8&g~)8unA{ALdXZg=g;)g_slEs!#9S%wqAuQ9vt%lJl@;8lFZ&6UT;<YaR^AhEOb
zdIS3`9X@`N8aHVd>pa$K>LMD^cWp><Y8ch?HE#?bev^o)R*5)LJrw4A?k<BA!{4|X
zUG4r|=`8~mSvsNOG$IK*+}wK3R5Zo^lV{&23X8<8>u;r*zC(?(!;$|*(0aLS$qhYu
zTUgS;*sYz^t`G*GC+Skgl#0|qKv<Lb+#P{HE6yN6-PG3zwf^WP_M0ua@@~<V<@Av_
zU#&i5g~Px?JDpkYYRx(kt2D<KZz`eBFR;-1$sTYmC&!-PKl@4`@nX+dukF6L6rHQ)
zkOO~Nt6Rsc6qZbpc<y;-;>?N;A-OurZSTalB{C-jKhOb8Qg*%==NrW?1Ka?H1<^kC
zue}11j^=3pMz#^>B3~l50cex-pzF2+8OR2@G&0Edt)CF?UCE4=0f9|Q6R|uFcjbvM
zR_LAYTuTbh`C7H_|DomHrEwW4E4D+eWVkla@DoY2_pUjGAy@4)Wi%b9fsYk0!Q#Ag
zY<>;7{uPXBt`%R8`x5>p|K;X@8^Rc`>tj)HetCd0L19U_dJK%G!*TP$Rc_!1sIN>T
zD5(N@bD{y~f!>+3S!MN?vZQ@{tddtUB;b1g{(;S!qSd!|$DYcR2M?9{XtT$tV)Xx>
ziB3zY%M`h=peo>SQ5)#hy0v#Q>P#sspt2IwAF4o8o0G$oUs=EXZ=%4@2z8kl*j3Ec
zVc^gkVWRzuvmsz?%lMR%3EYOkZL5XnR`$D?Q$Iw%O%XAb2Pg_R1;HCIjHZj)1x&*_
zRCC%P)vVbEGfWIw_!6XWXc;afqfFAy#<jL5Z!1SwGKh0Eg38s52KmNmPWB=96=k=f
zVME1vT!46s9HS!zw1=EX-G{DDKl|ahGzuQ>1U49mjnYUj5N^HDS+2r(i==k-YVmjQ
z2|m4l^rSSC4Dl=99viQsIx<Xlw&bU@b^zH6>r+UH3))Ww$a>d|C6V$6eU4gHE;j(_
z>p?L&Nm!zGY2vN-?C^B5QJ^1ptFYZ^C*w1t@!WXSjpMOgpN`JhxJ8yBpKV}mSPbyf
z*BL79><B-Cl7}=Q$hL(txfx}mK5_}MGOXwtR596gvc0lDtI??k!1~`7r<J>gSq2=V
z#>e_HOKlAOHY4@PUzNxM_T+@VMne>uwus>crfR^LJG1&|88u@r(^Y+;rBf`C!Raid
z%PAU;<Rh2_uJm0Rr$bhx@(F{`T*k0lRzQkG?UX((R8Pw(D`x#|iF%h<l!p1g){SQJ
zhCKmhzRN~G59!x|%T`P>+_Dr^a;*tycT)F-%8$-m4)+8*U>Xe1;k%#E1!jAwmFmBA
zvRML7E9?a5oYvr$`|<%EbZcw1cmDKrH>Z_%pGCyVTqTl%V+Mi)FJ6mwVYTq#DFy69
z<*zy*L3T@(W)O#RGwFEY<%jLD&Mt605;axuN*{<nLEC7FOxx3+Jb9Q!%JKkYC%tB@
zfbjhHh2Abu+%Z~Uye|)f{7W1=4e1M>9n?9dVRy@?1<v9Q0z@g0IQ}*2`Mt+WH6EUO
z3B?lTVF~{J0dBOtUrDiCp49(I89geMi-wF>5J3JZv&;$bY=%mU%PDmr9;p+I{m9RV
z*ZkNIEGA^t-xv%`w+RS?LiL3ZdNODCDyWG>qPtyuF@H7p`*#PPU^2$yLbMe~L=Qsh
zgJu`z;rx8@cK_p?vYqz0a7|#ggYFRef;#0BM2J_+A7xU7JmgbKPt}FNP-XT5QMja&
zpiqA@fBcb)mmr;xJ@nnOis5axzEay6(F3MqNK#cOYOkB&AlX0E?%f{<dF%1(dt-X(
z8g;`Zr7tl%pCi~s`q|mx5CX97NIul8YM$h4=;=WG=!*e*#qe9{O2?B8#C=Yn$dNMW
zyCZT+fR}C`pTN!N%^pl7F;U0m+ca<y@=L~O!kXJsj2tS0QUZrF_{jxd&64sV=AkqX
zsf#5du0)OAH0ySCFoFre1_>&LNQU<f0S5t~f(fz&f(foLf(fcHf(fPu3o3?4hW8Bt
z3<?1Ppn?f*FoFqcFdPO7Duzgg_YDCI0Ru1&1PCbI9`3^iI-UXo2ml0v2}obQAhOq_
z*;9MFE*9_Wl3FqF@cw4o##nhMd=oF8A)!&7t&N&Uym53UDSXyxhPt39iP%aUDv&Pq
z^E^yezN(WHvAMCF+E!^ANDw+%X;(%Y@d#D3KrH9Ws82M=L)E8snEFOOu5W6XGj^p>
zF1^c{btRsP&MF&>=zph=`XWp8fEfg=+m`t)B+ABMTxUG<7s2BDQ0V!*x#yP1iaSIs
zc+rect$YCR%0>qT!|-m&<JNsLkOE7X@PL6W@A~+Tw83rd2g&i>=~mCQB_gjzMgj0&
zX4g-Jf>)mb!19Ol=-z<joWjf&^J`d&F5xaa{xqy@s~MI)!-{W#@Y%yVxUYu<S_W{(
zT$Ar`E@hq(t8h6NNar(NLQh~D-*Nk<GJNX*ieven>K!>{>FjwM1IM>H7{iqu{o58m
zMnod1G!^M~+Aw79%$N+1^2P1h4X~Z(<X?s`EKbd2y6f7a`1oET2&saH4udd&@4P8>
ze|&U{tSs#*?3_BwL0bb2>@ARsbz%ODij;z(!*qcp`*8`4ZyJ(F2WSfRGIb@VT`?a6
zt1|Zkg8&LUb)mevsp*NNi$YAfs8xW<t;4@f^J-&rC&Y&z;&54ckZ3*5cy@2$Y{M`g
z`0+9Z2wW+`xDkN#khG1nXc}Hyr+@6T452&P;Fk)rspBZfAh+1bg+8tY_(vpa+@Y(|
zTfk!1nr)TE1|*q^fF8n={E&{sU-cx_B9iJgqT36LutCP;CzvK`=S~SzWQDUH_WPU+
zAQW50HuzexzbjW;F0fA;4HI2&Ao`4{LJ;?#*=FqwJ5KTZ4?R79`c6diP=1U1CmZ7L
zF+~1$zv0(`Y}SEZrpvhvCQ<EMk7zWspNBR5%BjHu=f9wY9q%s6Tb2qCB{a|BIcAPl
zmDcTn0R*Ir@+-$6M(a_EE#bk8c4}^iKs*b}wgDfT+oFI$Z4p7MrIwUb7`@o5G|TNT
zA-`>Zq9_uka7i%Z0f7gOa<a1_8^404JTU~7sE`Z#At56%9a>(l^y=*=!Lt1{T~h53
zInjFdRjd}OV}cIA?%5G>Z$F1IVERB+10gvkDv<?fUX)7e!@DX&4((Hx`irUS@X4m$
zSDPTm;c*pD8Cdwg*L1WNy&Tiqy&<gI1nkx(nnXJ?JUMes*LN$zZ{$Wug1hmvb!`hN
z5Wc8+D@Z~oFU=Kix8%}%lqz9d8A*5~Fk{o@)My;bmE3G?T$a;@KC;Arv&jg2AVOVh
zeY~5A>Mz3S*>fVKj3Do!JN66CoZAWIaFrl9v}ZyQWt+49R25d1-JHHj+;%k@X&6=g
zTB>|F$VQu6hmVK%+mig=b&E#6Ip6t!=Qj8Mxl5ok*_TFLB1Pbl$P^{h<Jg$n(SI3P
z-7}XAV3zlX<+M0@5{D0->^W(^f)eO5oMQaO6L^k&a_}Q2MW}@RY*~$&hvYfAUU$Rx
zf;_Z(^dFLOck_sPz+&m~_uBZAG3o<I%>rs#kvI%8+(Q4I?FjC4F@dg~rgUcf6S~9F
z9(_y0Og2|&c_SpwcWg2)g<TT5!UUc!bMyT^*HsR&v}Yn%0W1yPiwVIbvx6M#F*vN$
zR?uDo!{MuzmEPrJ&H=FYL8HGq-!7XGNLY>rz{gIdV^VhRhse@FG(jU(aKnI?96f$Y
zS)5{lTAslO6pn-wN!s4QH$K;Wp{L^)Y^jLu9llms#mBDeJOsM$3<D4P-#b9Dgy}w$
z9MMZkx@40VoFjIEtd}7wS4NlH0XCh{7?3?rXPv2r0hp6ftz{&99|xg27$IBcYbxea
zE7L$bgOqM?=??x~yaTySw3B_9>B_qVp^@e9dZF&a>wvUpi@of-t^o`(Ncyx#TF{xU
zFsmR96e>r;b8X~z8E+)@b&W051yrqQ#C8q2R^xR{7K~2lsf<Xab`{+00){}q@TN>Q
zxjKbD?wTJcg?KRmSyP1){X#Q;(jZ;kE8`|4W<j^VThK`ih&)DQNF~2(`i}LnCUw7P
zG%8vkp5y2D5)kycs20K%8r;!w(NeJQn~|N9KB0h1^CgLrkch3OG36w6iks;{K;@A(
zEsJ0#W3vojd`Oe8dy_%%3U||0<U5#g6lM2MbZ}5#J0j4Qf1aS4+#;j-I!|7VffVp*
zU|A*n+axoWI;qQvd-9$8%nTmXJJ6HqtJjyoOjRPgmKQ&e#izNG#n@@(Q2n+^%x*X^
zty>SXpngK)*xZ~iYd|cMgj<<8RfF6(dK~JmgZT)C5D?}TJBVTDoJWctVL|@vJUM$`
z1mSp`juk*69)bLSOfw`4PYJ@iul70hXgGPFguz<oQfY=%qfRzWV!sozSA`>&@bC^E
zjXF?JciTq4MSk<<g@!BZ&P#cqNhVRpasYRAh&a2bI{!))(zoCKe0U#v9>D;-@i=an
zH@6H;+Upk=n~$`;(^Q}i7zQ&ws|B*;p<af!mh=ZOiy0x*WCXVg##0jS5%Hlp62Zod
zTvOm*5rfsRr7TOW2<JHc@0Y-Bhc{CR0mFj&*sbH~z$b@5V|xIhBgRRWjo|@cGZS<6
zui1Nt!1t(}ffZ8k^C2Z945QNtHcjnk$=or}VrnD7Bb#6X>(h3iE-+a1>AJ97y<#<g
z;)?y!U8#ncQyb1@vVyPV%`K^jC@dn9&X5F4{pg#IF-%|H4HD4xP}mYC<#pr8VCba>
zQ?B)Li|pKA>!!{JNR-BBQ4>`;q?i7iSnE~W>2KC8-qQaY7+DyIW6w*L9BGU!0B$%<
z@DE?9zJ$n%fkRjqW{AreqUz*#E0}FLUCex6{EufX^SR?71_b3&_<`{M^`(E2xQ+f(
z<x*EkkuuOqFU~0-M(Y}M^r3oBt;vlJTqpz6-V{T{R%0T~-buZxvd>;yJNon9073Qx
zd!}}`DT*|3Voz3YC8icW=ltaa*o&v#vi>Yy#1>g}`nPftsq&d&bVeuAjT!h1spKl(
z;Y`R))OaPA9_h!3M~_NHq^lwYwiSzC!2*XjyxM7(I}jy>xeP=Uof~7+hvPs3lV}M7
z3s10xq2O<X94ibg3p2Zi0=xyS6%LK~t}`{H7I7xFub2F!VX=jjgD!+w5fUe9g;Kgp
z3GT|Hp`twljIT1r3B~5qVL-Qmp)L>jRG?LfqM9)!Fe3&DDuzgg_YDCF6)_eB6u|?x
z6Cx|aZ@(C)=e31t!hKSr3NSG+AutIB1uG5%0vZJX1Qdy85~ufG97a}O7z;%xFch3+
Tn{osQX`OM<Y=+sx0s;sCUmf(L


From 6e71fbc71caf9bf73bae3827eb0c82cc9d8b40ac Mon Sep 17 00:00:00 2001
From: Mac L <mjladson@pm.me>
Date: Mon, 9 Feb 2026 16:36:12 +1100
Subject: [PATCH 3/3] Add openssl to deny.toml

---
 deny.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deny.toml b/deny.toml
index 04f2ed30ad4..e6c30f6a486 100644
--- a/deny.toml
+++ b/deny.toml
@@ -10,6 +10,7 @@ deny = [
     { crate = "protobuf", reason = "use quick-protobuf instead" },
     { crate = "derivative", reason = "use educe or derive_more instead" },
     { crate = "ark-ff", reason = "present in Cargo.lock but not needed by Lighthouse" },
+    { crate = "openssl", reason = "non-Rust dependency, use rustls instead" },
     { crate = "strum", deny-multiple-versions = true, reason = "takes a long time to compile" },
     { crate = "reqwest", deny-multiple-versions = true, reason = "takes a long time to compile" },
     { crate = "aes", deny-multiple-versions = true, reason = "takes a long time to compile" },