[Tracking Issue] OpenSSL 3

[jasnell]

Hey @nodejs/crypto (and in particular @sam-github). For the QUIC implementation, for a variety of reasons, it's going to better for us to be able to move up to OpenSSL 3 as soon as possible. Yes, I know it hasn't been released yet. I wanted to check in to see if anyone has started the exploration of 3.0 yet, and if so, what the issues so far have been.

For QUIC, the reason we need it is because the BoringSSL QUIC APIs are being ported to OpenSSL 3.0. Once those are available, our implementation will be greatly simplified by being able to take advantage of the ngtcp2_crypto helper library. As it stands right now, we have to overlay and support a patch on OpenSSL 1.1.1 for it to work.

[sam-github]

Its been on my list of things to look at, because FIPS will require OpenSSL 3.x, but I haven't had the time to try a build yet.

OpenSSL 3.x is intended to be API compatible with OpenSSL 1.1.1 -- though NOT ABI compatible, but the proof of that will be in the build and testing.

[jasnell]

Ok, I'll see if I can at least do a preliminary check on it in the coming few weeks. Let's leave this issue open as a tracking issue for it.

[sam-github]

OpenSSL policy is to not release new features in patch releases, so OpenSSL 1.1.1 is feature frozen.

However, OpenSSL also decided not to have a new 1.1.x release.

So, QUIC support will only be possible on OpenSSL 3.x, or on our internal OpenSSL 1.1.1 with overlay patches. I'm not sure what to do about that.

Once we have QUIC and HTTP/3 support it might be worth bringing this up with OpenSSL, because no OpenSSL 1.1.1 ABI compatible release will ever support HTTP/3. That might become an issue important enough for them to do an OpenSSL 1.1.2 (or 1.2.0).

At this point, given lack of adoption or support for HTTP/3, I think its a bit early to try to get them to do a new release.

[jasnell]

@nodejs/crypto @nodejs/tsc ... just a heads up.. the OpenSSL OMC has announced the first alpha of OpenSSL 3: https://www.openssl.org/blog/blog/2020/04/23/OpenSSL3.0Alpha1/

[jasnell]

@sam-github ... I've been thinking that it would be a good idea to set up an openssl-canary branch where we can start working with compiling openssl 3 into nodejs master to work out any issues that may exist. Wanted to coordinate with you on that before moving forward tho.

[sam-github]

Sure, so a branch like update-openssl-3.x pushed to github.com/nodejs/node, so it can be worked on cooperatively? Sounds good to me.

FYI, my first experience posted here, https://mta.openssl.org/pipermail/openssl-users/2020-April/012312.html (repeated below), but I used the configure flags to point to an out-of-tree openssl in order to do those tests.

In terms of dep update, the deps/openssl/conf scripts failed when openssl was replaced with openssl 3. How much it will take to make them work I have not looked at.

---

Fwiw, took a quick run at building and testing Node.js against the 3.x beta.

It was API compatible enough to build. The DH_, ECDH_, HMAC_, etc.
deprecations make sense, will look at those.

My assumption is that EVP versions of these exist in openssl 1.1.1,
and that if we switch our openssl 1.1.1 code to using the EVP APIs,
that that cod will then work unchanged when we update to openssl 3.x?

ERR_func_error_string, what is its replacement? I didn't see it
mentioned in the wiki, but its marked deprecated.

Tests didn't go so well. Minor changes in error strings are to be
expected, but more than that changed.

I haven't looked at these yet other than scan the output, we might be
relying on internals, but just for anyone curious, here's the test
output:

https://gist.github.com/sam-github/5a3b3775029efb3d31109d7e6e390f85

[sam-github]

nodejs/TSC#859

[danbev]

I've started to take a look at this and I've pushed the following branch:
https://github.com/nodejs/node/tree/update-openssl-3.x

I'm currently building this locally against OpenSSL 3.0 Alpha 3 as I ran into an issue with our snapshot building with Alpha 4 (I'll investigate that further once I got all the tests to pass). There are two tests that are failing at the moment which are a little more involved than just error message/code changes but I'm looking into them now.

I'm using the following configuration options to build:

$ ./configure --shared-openssl --shared-openssl-libpath=/work/security/openssl_build_master/lib --shared-openssl-includes=/work/security/openssl_build_master/include --shared-openssl-libname=crypto,ssl --debug