diff --git a/python-cryptography.spec b/python-cryptography.spec
index 5b080f1..527d6ae 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -7,7 +7,7 @@
 
 Name:           python-%{srcname}
 Version:        3.4.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        PyCA's cryptography library
 
 License:        ASL 2.0 or BSD
@@ -19,11 +19,19 @@ Source1:        %{pypi_source}.asc
 # gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98"
 # gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 Source2:        gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
+%if 0%{?rhel}
+                # created by ./vendor_rust.py helper script
+Source3:        cryptography-%{version}-vendor.tar.bz2
+%endif
 
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 BuildRequires:  gnupg2
+%if 0%{?fedora}
 BuildRequires:  rust-packaging
+%else
+BuildRequires:  rust-toolset
+%endif
 
 BuildRequires:  python%{python3_pkgversion}-cffi >= 1.7
 BuildRequires:  python%{python3_pkgversion}-devel
@@ -33,12 +41,14 @@ BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1
 
 %if %{with tests}
 BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
+%if 0%{?fedora}
 BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
+BuildRequires:  python%{python3_pkgversion}-pytest-xdist
+%endif
 BuildRequires:  python%{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-pretend
 BuildRequires:  python%{python3_pkgversion}-pytest >= 6.0
 BuildRequires:  python%{python3_pkgversion}-pytest-subtests >= 0.3.2
-BuildRequires:  python%{python3_pkgversion}-pytest-xdist
 BuildRequires:  python%{python3_pkgversion}-pytz
 %endif
 
@@ -61,13 +71,20 @@ recipes to Python developers.
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1 -n %{srcname}-%{version}
-%cargo_prep
-rm -f src/rust/Cargo.lock
 
 %generate_buildrequires
+
+%if 0%{?fedora}
+# Fedora: use cargo macros to make use of RPMified crates
+%cargo_prep
 cd src/rust
+rm -f Cargo.lock
 %cargo_generate_buildrequires
 cd ../..
+%else
+# RHEL: use vendored Rust crates
+%cargo_prep -V 3
+%endif
 
 %build
 %py3_build
@@ -80,6 +97,11 @@ find . -name .keep -print -delete
 
 %check
 %if %{with tests}
+%if 0%{?rhel}
+# skip hypothesis tests on RHEL
+rm -rf tests/hypothesis
+%endif
+
 # see https://github.com/pyca/cryptography/issues/4885 and
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
 PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
@@ -92,6 +114,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 
 %changelog
+* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
+- Provide RHEL build infrastructure
+
 * Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
 - Update to 3.4.4 (#1927044)
 
diff --git a/vendor_rust.py b/vendor_rust.py
new file mode 100755
index 0000000..4e25214
--- /dev/null
+++ b/vendor_rust.py
@@ -0,0 +1,82 @@
+#!/usr/bin/python3
+"""Vendor PyCA cryptography's Rust crates
+"""
+import argparse
+import glob
+import os
+import re
+import tarfile
+import tempfile
+import shutil
+import subprocess
+import sys
+
+VENDOR_DIR = "vendor"
+CARGO_TOML = "src/rust/Cargo.toml"
+RE_VERSION = re.compile("Version:\s*(.*)")
+
+parser = argparse.ArgumentParser(description="Vendor Rust packages")
+parser.add_argument(
+    "--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
+)
+
+
+def cargo(cmd, manifest):
+    args = ["cargo", cmd, f"--manifest-path={manifest}"]
+    return subprocess.check_call(
+        args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
+    )
+
+
+def main():
+    args = parser.parse_args()
+    spec = args.spec
+
+    # change cwd to work in bundle directory
+    here = os.path.dirname(os.path.abspath(spec))
+    os.chdir(here)
+
+    # extract version number from bundle name
+    with open(spec) as f:
+        for line in f:
+            mo = RE_VERSION.search(line)
+            if mo is not None:
+                version = mo.group(1)
+                break
+        else:
+            raise ValueError(f"Cannot find version in {spec}")
+
+    bundle_file = f"cryptography-{version}.tar.gz"
+    vendor_file = f"cryptography-{version}-vendor.tar.bz2"
+
+    # remove existing vendor directory and file
+    if os.path.isdir(VENDOR_DIR):
+        shutil.rmtree(VENDOR_DIR)
+    try:
+        os.unlink(vendor_file)
+    except FileNotFoundError:
+        pass
+
+    print(f"Getting crates for {bundle_file}", file=sys.stderr)
+
+    # extract tar file in tempdir
+    # fetch and vendor Rust crates
+    with tempfile.TemporaryDirectory(dir=here) as tmp:
+        with tarfile.open(bundle_file) as tar:
+            tar.extractall(path=tmp)
+        manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
+        cargo("fetch", manifest)
+        cargo("vendor", manifest)
+
+    print("\nCreating tar ball...", file=sys.stderr)
+    with tarfile.open(vendor_file, "x:bz2") as tar:
+        tar.add(VENDOR_DIR)
+
+    # remove vendor dir
+    shutil.rmtree(VENDOR_DIR)
+
+    parser.exit(0, f"Created {vendor_file}\n")
+
+
+if __name__ == "__main__":
+    main()