End-of-Life dates of Node.js 16 and OpenSSL 1.1.1 do not align

[richardlau]

When we drafted the Node.js 16 section of the OpenSSL strategy document (#859) the expectation was that OpenSSL 3 would be released before or around Node.js 16. This didn't happen and we had to release Node.js 16 still on OpenSSL 1.1.1.

Unfortunately OpenSSL 1.1.1 is due to stop receiving updates in September 2023 which is seven months before Node.js 16's End-of-Life date of April 2024.
https://www.openssl.org/policies/releasestrat.html

• Version 1.1.1 will be supported until 2023-09-11 (LTS).

We need to make a decision regarding what to do about this discrepancy. Our options include:

1. Do nothing. Node.js 16 will be at risk for any vulnerabilities in OpenSSL 1.1.1 for the last seven months of its lifetime.
2. End support for Node.js 16 early in September 2023 to coincide with EOL of OpenSSL 1.1.1. We have precedent for doing this when we ended support for Node.js 8 four months early to coincide with the EOL of OpenSSL 1.0.2. If we decide to do this we need to communicate this as early as possible.
3. Attempt a switch to OpenSSL 3. We would probably need to at least backport and enable by default the legacy provider. I would consider this extremely risky with concerns over, e.g. ABI compatibility for addons (Native modules ABI compatibility problems on Node 17 with OpenSSL 3 / OpenSSL 1 node#41410, node/openssl/ssl.h should compile without any additional defines node#40575). We've had to adjust error message checks in several Node.js tests for OpenSSL 3 and I have no idea if any modules out there would be affected in the same way.

* Node.js 16 is actually using the quictls fork of OpenSSL 1.1.1. I see nothing to suggest that they would continue to provide support for OpenSSL 1.1.1 beyond upstream OpenSSL's planned end of support date.

cc @nodejs/crypto @nodejs/lts @nodejs/tsc

[richardlau]

If I had to express a personal preference right now I would lean towards bringing forward the End-of-Life date of Node.js 16 to September 2023. At that point in time Node.js 18 would be in active LTS (transitioning into maintenance in October 2023).

[panva]

If I had to express a personal preference right now I would lean towards bringing forward the End-of-Life date of Node.js 16 to September 2023. At that point in time Node.js 18 would be in active LTS (transitioning into maintenance in October 2023).

I concur.

[mcollina]

I concur.

[ChALkeR]

I also concur.
I believe that there is enough time for ecosystem / users to adjust to this change in advance and that the alternatives pose more risks.

[tniessen]

I believe this was discussed before and at that point, if I remember correctly, the solution that seemed most likely was switching to OpenSSL 3 even if it is a breaking change. That does seem risky though, and it might be simpler to cut support for Node.js 16 off earlier as planned.

[Trott]

I think we should end support early and announce it as soon as possible (and update the chart in the release repository and so on). That also gives us more runway to change our minds.

[mhdawson]

My initial thought is end support early as well, announcing as soon as we have agreement on the approach.

[cjihrig]

+1 to ending support early.

[danielleadams]

+1 to ending support early, as well (and announcing as soon as possible).

[RaisinTen]

I'm okay with ending support early.

[richardlau]

@mhdawson and I are currently exploring whether we can use Red Hat work to support OpenSSL 1.1.1 in RHEL 8 to potentially keep the existing End-of-Life date of Node.js 16 (April 2024).