@@ -107,7 +107,7 @@ For Node.js >= 11.9.0:
107107* FIPS: not supported
108108
109109
110- ### Node.js version master, 12.x (release expected April-2019, EOL April-2022)
110+ ### Node.js version 12.x, 13.x, 14.x
111111
112112* OpenSSL version: 1.1.1
113113* Allowed shared OpenSSL version: 1.1.1
@@ -117,12 +117,59 @@ For Node.js >= 11.9.0:
117117* FIPS: not supported
118118
119119
120- ### Node.js version 13.x
120+ Node.js EOL dates:
121+ - 12.x: April 2022
122+ - 13.x: June, 2020
123+ - 14.x: April 2023
121124
122- It's too early to discuss in detail, but this is the first version that may
123- possibly support OpenSSL 3.0.0, and OpenSSL 3.0.0 is the next version of OpenSSL
124- that is planned to support FIPS. See [ OpenSSL 3.0.0 and FIPS] [ ] .
125+ ## Node.js version 15.x (est. Oct 2020) (EOL Jun 2021)
125126
127+ * OpenSSL version: 1.1.1
128+ * Allowed shared OpenSSL version: 1.1.1
129+ * Default minimum TLS version is TLSv1.2, default maximum is TLSv1.3. TLSv1
130+ and TLSv1.1 are * not* supported by default, only by explicit run-time
131+ configuration.
132+ * FIPS: not supported
133+
134+ Note: OpenSSL 3.0.0 is NOT expected until Q4 2020, so unless they are _ early_
135+ it won't happen in time for 15.x. Its possible that over the support time
136+ of 15.x (which is only about 8 months), that experimental support for OpenSSL
137+ 3.x will be backported to it.
138+
139+ ## Node.js version 16.x (est Apr 2021) (EOL Apr 2024)
140+
141+ * OpenSSL version: 3.x (because of OpenSSL EOL)
142+ * Allowed shared OpenSSL version: 1.1.1 (proposed...)
143+ * Default minimum TLS version is TLSv1.2, default maximum is TLSv1.3. TLSv1
144+ and TLSv1.1 are * not* supported by default, only by explicit run-time
145+ configuration.
146+ * FIPS: unpredictable, see below
147+
148+ OpenSSL 1.1.1 goes EOL on 2023-09-11, which is before 16.x will go EOL, so is
149+ not an appropriate choice for 16.x
150+
151+ OpenSSL 3.x may have FIPS support by release date of Node.js 16.x, or it may
152+ not. If it does not, since its a provider, it may be possible to support in
153+ a ` semver-minor ` (ABI, API, and behavioural compatible) update to 16.x.
154+
155+ For minimal disruption, it would probably be helpful if Node.js supported
156+ building against OpenSSL 1.1.1 out-of-tree, even if OpenSSL 3.x was in-tree.
157+
158+ Challenges are:
159+ 1 . OpenSSL 3.x moved many algorithms into a legacy library, that is only
160+ accessible as a dynamically loaded provider, so cannot ship with Node.js
161+ 2 . Node.js has a build system wrapped around OpenSSL 1.1.1, it is currently
162+ incompatible with the OpenSSL 3.x build system (effort to fix this is
163+ unknown).
164+ 3 . OpenSSL 3.x has compile-time warning-deprecated a number of OpenSSL 1.1.1
165+ APIs, but the alternatives to those deprecated APIs do not exist in OpenSSL
166+ 1.1.1. So, Node.js 16.x either needs to ship calling deprecated APIs, or
167+ break compatibility with OpenSSL 1.1.1 (so it will _ only build with 3.x_ ).
168+ 4 . Behavioural differences in OpenSSL 3.x currently fail many tests in the
169+ Node.js master test suite (effort to fix this is unknown, impact of fixing
170+ in terms of compatibility is unknown).
171+
172+ Tracking issue: https://github.com/nodejs/node/issues/29817
126173
127174## Background
128175
@@ -184,6 +231,8 @@ Currently, there are three supported versions of OpenSSL as per the
184231* Version 1.0.2: supported until 2019-12-31, designated Long-term Support (LTS)
185232* Version 1.1.0: supported until 2019-09-11, not a LTS release line
186233* Version 1.1.1: supported until 2023-09-11, designated Long-term Support (LTS)
234+ * Version 3.0.0: first release: Q4 2020 (estimated), designation as LTS:
235+ * unknown*
187236
188237### OpenSSL 1.0.2 and FIPS
189238
0 commit comments