diff --git a/.gitignore b/.gitignore
index 5f81814..bd7832a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,9 @@
 /cryptography-3.4.1.tar.gz.asc
 /cryptography-3.4.2.tar.gz
 /cryptography-3.4.2.tar.gz.asc
+/cryptography-3.4.4.tar.gz
+/cryptography-3.4.4.tar.gz.asc
+/cryptography-3.4.5.tar.gz
+/cryptography-3.4.5.tar.gz.asc
+/cryptography-3.4.6.tar.gz
+/cryptography-3.4.6.tar.gz.asc
diff --git a/README.md b/README.md
index c100762..d673048 100644
--- a/README.md
+++ b/README.md
@@ -49,7 +49,6 @@ fedpkg new-sources cryptography_vectors-3.4.tar.gz
 Commit changes
 
 ```shell
-git add sources .gitignore python-cryptography-vectors.spec
 fedpkg commit --clog
 fedpkg push
 ```
@@ -86,7 +85,6 @@ fedpkg new-sources cryptography-3.4.tar.gz cryptography-3.4.tar.gz.asc
 Commit changes
 
 ```shell
-git add sources .gitignore python-cryptography.spec
 fedpkg commit --clog
 fedpkg push
 ```
diff --git a/conftest-skipper.py b/conftest-skipper.py
new file mode 100644
index 0000000..5a1de83
--- /dev/null
+++ b/conftest-skipper.py
@@ -0,0 +1,22 @@
+
+class Skipper:
+    """Skip iso8601 and pretend tests
+
+    RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
+    all tests that use the excluded modules.
+    """
+
+    def parse_date(self, datestring):
+        pytest.skip(f"iso8601 module is not available.")
+
+    def stub(self, **kwargs):
+        pytest.skip(f"pretend module is not available.")
+
+    def raiser(self, exc):
+        pytest.skip(f"pretend module is not available.")
+
+
+import sys
+
+sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()
+
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 51d1de8..e4f3235 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -6,7 +6,7 @@
 %global pyo3_version 0.13.1
 
 Name:           python-%{srcname}
-Version:        3.4.2
+Version:        3.4.6
 Release:        1%{?dist}
 Summary:        PyCA's cryptography library
 
@@ -19,11 +19,20 @@ Source1:        %{pypi_source}.asc
 # gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98"
 # gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 Source2:        gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
+%if 0%{?rhel}
+                # created by ./vendor_rust.py helper script
+Source3:        cryptography-%{version}-vendor.tar.bz2
+Source4:        conftest-skipper.py
+%endif
 
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 BuildRequires:  gnupg2
+%if 0%{?fedora}
 BuildRequires:  rust-packaging
+%else
+BuildRequires:  rust-toolset
+%endif
 
 BuildRequires:  python%{python3_pkgversion}-cffi >= 1.7
 BuildRequires:  python%{python3_pkgversion}-devel
@@ -33,12 +42,14 @@ BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1
 
 %if %{with tests}
 BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
+%if 0%{?fedora}
 BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires:  python%{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-pretend
+BuildRequires:  python%{python3_pkgversion}-pytest-xdist
+%endif
 BuildRequires:  python%{python3_pkgversion}-pytest >= 6.0
 BuildRequires:  python%{python3_pkgversion}-pytest-subtests >= 0.3.2
-BuildRequires:  python%{python3_pkgversion}-pytest-xdist
 BuildRequires:  python%{python3_pkgversion}-pytz
 %endif
 
@@ -61,13 +72,20 @@ recipes to Python developers.
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1 -n %{srcname}-%{version}
-%cargo_prep
-rm -f src/rust/Cargo.lock
 
 %generate_buildrequires
+
+%if 0%{?fedora}
+# Fedora: use cargo macros to make use of RPMified crates
+%cargo_prep
 cd src/rust
+rm -f Cargo.lock
 %cargo_generate_buildrequires
 cd ../..
+%else
+# RHEL: use vendored Rust crates
+%cargo_prep -V 3
+%endif
 
 %build
 %py3_build
@@ -80,6 +98,13 @@ find . -name .keep -print -delete
 
 %check
 %if %{with tests}
+%if 0%{?rhel}
+# skip hypothesis tests on RHEL
+rm -rf tests/hypothesis
+# append skipper to skip iso8601 and pretend tests
+cat < %{SOURCE4} >> tests/conftest.py
+%endif
+
 # see https://github.com/pyca/cryptography/issues/4885 and
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
 PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
@@ -92,6 +117,21 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 
 %changelog
+* Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1
+- Update to 3.4.6 (#1927044)
+
+* Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1
+- Update to 3.4.5 (#1927044)
+
+* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3
+- Skip iso8601 and pretend tests on RHEL
+
+* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
+- Provide RHEL build infrastructure
+
+* Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
+- Update to 3.4.4 (#1927044)
+
 * Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1
 - Update to 3.4.2 (#1926339)
 - Package no longer depends on Rust (#1926181)
diff --git a/sources b/sources
index 00d5b88..da81927 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.4.2.tar.gz) = 8fa9fad24d55d3ff129d4ebf0837cd267bbd180429cda09e60730e67fb18e6af7ff4630989b18ab31ffc85046259eba546ad63388fd6e252bfbc850e7cbc62fc
-SHA512 (cryptography-3.4.2.tar.gz.asc) = ae8ef10065db06d58879a3eb553f0d0c430f28da9a48789f09410cee694409c715972a3506c5bd3c8519125df412805b547e1109d9d3867d79858578e3082098
+SHA512 (cryptography-3.4.6.tar.gz) = 30b712adc5cc114faeb7bfef0b9de88c6daefa5a8b99e53bd6d37b8ed560bd1d396cbb202902c307b90f40d695bde151164436bf233fb726dc836c8b70126653
+SHA512 (cryptography-3.4.6.tar.gz.asc) = 91e8c5f5e9e0d440d0882f0bf2f5f039b299c88f03f52d4060f0ee2a18d46ca6503d77444196db91b8d29c7b302b238461795d252777f9bc2953c52789df9fad
diff --git a/vendor_rust.py b/vendor_rust.py
new file mode 100755
index 0000000..cd8355e
--- /dev/null
+++ b/vendor_rust.py
@@ -0,0 +1,112 @@
+#!/usr/bin/python3
+"""Vendor PyCA cryptography's Rust crates
+"""
+import argparse
+import os
+import re
+import tarfile
+import tempfile
+import shutil
+import subprocess
+import sys
+
+VENDOR_DIR = "vendor"
+CARGO_TOML = "src/rust/Cargo.toml"
+RE_VERSION = re.compile("Version:\s*(.*)")
+
+parser = argparse.ArgumentParser(description="Vendor Rust packages")
+parser.add_argument(
+    "--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
+)
+
+
+def cargo(cmd, manifest):
+    args = ["cargo", cmd, f"--manifest-path={manifest}"]
+    return subprocess.check_call(
+        args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
+    )
+
+
+def tar_reset(tarinfo):
+    """Reset user, group, mtime, and mode to create reproducible tar"""
+    tarinfo.uid = 0
+    tarinfo.gid = 0
+    tarinfo.uname = "root"
+    tarinfo.gname = "root"
+    tarinfo.mtime = 0
+    if tarinfo.type == tarfile.DIRTYPE:
+        tarinfo.mode = 0o755
+    else:
+        tarinfo.mode = 0o644
+    if tarinfo.pax_headers:
+        raise ValueError(tarinfo.name, tarinfo.pax_headers)
+    return tarinfo
+
+
+def tar_reproducible(tar, basedir):
+    """Create reproducible tar file"""
+
+    content = [basedir]
+    for root, dirs, files in os.walk(basedir):
+        for directory in dirs:
+            content.append(os.path.join(root, directory))
+        for filename in files:
+            content.append(os.path.join(root, filename))
+    content.sort()
+
+    for fn in content:
+        tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
+
+
+def main():
+    args = parser.parse_args()
+    spec = args.spec
+
+    # change cwd to work in bundle directory
+    here = os.path.dirname(os.path.abspath(spec))
+    os.chdir(here)
+
+    # extract version number from bundle name
+    with open(spec) as f:
+        for line in f:
+            mo = RE_VERSION.search(line)
+            if mo is not None:
+                version = mo.group(1)
+                break
+        else:
+            raise ValueError(f"Cannot find version in {spec}")
+
+    bundle_file = f"cryptography-{version}.tar.gz"
+    vendor_file = f"cryptography-{version}-vendor.tar.bz2"
+
+    # remove existing vendor directory and file
+    if os.path.isdir(VENDOR_DIR):
+        shutil.rmtree(VENDOR_DIR)
+    try:
+        os.unlink(vendor_file)
+    except FileNotFoundError:
+        pass
+
+    print(f"Getting crates for {bundle_file}", file=sys.stderr)
+
+    # extract tar file in tempdir
+    # fetch and vendor Rust crates
+    with tempfile.TemporaryDirectory(dir=here) as tmp:
+        with tarfile.open(bundle_file) as tar:
+            tar.extractall(path=tmp)
+        manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
+        cargo("fetch", manifest)
+        cargo("vendor", manifest)
+
+    print("\nCreating tar ball...", file=sys.stderr)
+    with tarfile.open(vendor_file, "x:bz2") as tar:
+        tar_reproducible(tar, VENDOR_DIR)
+
+    # remove vendor dir
+    shutil.rmtree(VENDOR_DIR)
+
+    parser.exit(0, f"Created {vendor_file}\n")
+
+
+if __name__ == "__main__":
+    main()