todo: update to openssl 1.1.1e on March 17th

[sam-github]

https://mta.openssl.org/pipermail/openssl-announce/2020-March/000166.html announced an upcoming OpenSSL release.

I normally do these, but if any other collaborator would like to get involved in the TLS maintenance, this is a good place to start.

The maintenance guide is pretty clear, but is moving, check the PR: #32209

If there is someone who would like to do this, please comment here, and I'll be available to help if needed. If not, I'll do it.

EDIT: and note that we are currently floating a patch, but that won't be necessary after this upcoming update:

On 11/03/2020 17:42, Sam Roberts wrote:
> Will it include ONLY the CVE fix, or will it include other fixes, such
> as to the getrandom() call on some archs?

It will include all fixes currently in the 1.1.1-dev branch including
commit eee565ec4 which is the 1.1.1 equivalent of the commit you mention.

Matt

[hassaanp]

Hey, I would like to help.

I am currently running Ubuntu 18.04, but I can quickly spin off a Docker for CentOS7.1 or Ubuntu 16.04 for this.

[hassaanp]

Update:
I have set up the required environment. OpenSSL 1.1.1e will be available at UTC 1300 on March 17th. As soon as it comes up, I will download, test and submit the PR.

[sam-github]

I am currently running Ubuntu 18.04, but I can quickly spin off a Docker for CentOS7.1 or Ubuntu 16.04 for this.

@hassaanp what gives you the impression ubuntu 18.04 isn't perfectly adequate? I'm a bit concerned, is there something in the docs that suggests that?

I run Ubuntu 19.10 myself, ATM, but it shouldn't matter.

You can, btw, do a dry run right now, running through the steps, but using the 1.1.1d archive. Nothing will change, and obviously you won't PR the result, but you'll get a chance to see how the config process works.

[hassaanp]

I will do the dry run as per your recommendation.

In the requirements it is mentioned that only Centos 7.1 and Ubuntu 16 are tested. I assumed that is the general recommendation.

[sam-github]

Thanks, I just fixed that in #32209

[hassaanp]

I have successfully done a test run - the new version should be out in the next 6 hours.

[hassaanp]

The update is still not available. Will recheck in an hour

[hassaanp]

New version does not build cleanly.

This is the error output when I run make in the deps/openssl/config directory

usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
    "-oMakefile" include/crypto/bn_conf.h.in > include/crypto/bn_conf.h
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
    "-oMakefile" include/crypto/dso_conf.h.in > include/crypto/dso_conf.h
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
    "-oMakefile" include/openssl/opensslconf.h.in > include/openssl/opensslconf.h
/usr/bin/perl util/mkbuildinf.pl "gcc -pthread -Wa,--noexecstack -O -DB_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DNDEBUG" "aix-gcc" > crypto/buildinf.h
/usr/bin/perl apps/progs.pl apps/openssl > apps/progs.h
make[1]: Leaving directory '/home/hassaan/Study/node/deps/openssl/openssl'
Move failed: No such file or directory at ./generate_gypi.pl line 65.
Makefile:50: recipe for target 'aix-gcc' failed
make: *** [aix-gcc] Error 2

The generate_gypi.pl is there where it should be. Any idea what could be wrong?

[sam-github]

I will look.

[sam-github]

There is no openssl-1.1.1e: https://www.openssl.org/source/

I'm not clear what you were doing when you encountered the above.

[hassaanp]

strange, I was able to pull in using
wget https://www.openssl.org/source/openssl-1.1.1e.tar.gz