Skip to content

build,deps,tools: prepare to update to OpenSSL 3.5 #58100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

build,deps,tools: prepare to update to OpenSSL 3.5 #58100

wants to merge 2 commits into from

Conversation

richardlau
Copy link
Member

Note that this PR does not do the actual upgrade -- that should be handled by running the workflow after this lands.

This co-depends on #58099, which needs to land before the updater script is run (it shouldn't matter in which order they land, but both that PR and this one are needed for the files in deps/openssl/config to be regenerated).

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/gyp
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. tools Issues and PRs related to the tools directory. labels May 1, 2025
This was referenced May 1, 2025
Closed
Open
richardlau and others added 2 commits May 1, 2025 17:57
@richardlau
test: prepare test-crypto-rsa-dsa for newer OpenSSL
cc6a21c 
Update `parallel/test-crypto-rsa-dsa` to prepare for updating
`deps/openssl` to later versions of OpenSSL which support implicit
rejections with `RSA_PKCS1_PADDING`.
@targos @richardlau
build,deps,tools: prepare to update to OpenSSL 3.5
6abfd51 
Update the updater script and files under `deps/openssl/config` in
preparation for updating `deps/openssl` to OpenSSL 3.5.

Co-Authored-By: Richard Lau <rlau@redhat.com>
@richardlau richardlau force-pushed the prepare-for-openssl-3.5 branch from f44bef3 to 6abfd51 Compare May 1, 2025 17:59
@richardlau richardlau mentioned this pull request May 1, 2025
Open
@aduh95
Copy link
Contributor

aduh95 commented May 1, 2025
edited
Loading

Can we backport this to LTS? Should we add the lts-watch labels?

@richardlau richardlau added lts-watch-v20.x PRs that may need to be released in v20.x lts-watch-v22.x PRs that may need to be released in v22.x and removed lts-watch-v20.x PRs that may need to be released in v20.x labels May 1, 2025
@richardlau
Copy link
Member Author

Can we backport this to LTS? Should we add the lts-watch labels?

I've stuck a watch label for Node.js 22 as we have to update that at some point because OpenSSL 3.0 reaches End-of-Life in September 2026 which is before the End-of-Life of Node.js 22 (end of April 2027).

For Node.js 20 we could stay on OpenSSL 3.0 as Node.js 20 will reach End-of-Life at the end of April 2026 which is prior to End-of-Life of OpenSSL 3.0. But we can have a separate discussion about how we would manage updates of OpenSSL across all of our LTS versions.

@codecov Codecov
Copy link

codecov bot commented May 1, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.21%. Comparing base (2b4f554) to head (6abfd51).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #58100   +/-   ##
=======================================
  Coverage   90.20%   90.21%           
=======================================
  Files         630      630           
  Lines      186446   186446           
  Branches    36619    36624    +5     
=======================================
+ Hits       168190   168196    +6     
+ Misses      11053    11047    -6     
  Partials     7203     7203

see 34 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@richardlau richardlau added the request-ci Add this label to start a Jenkins CI on a PR. label May 1, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label May 1, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/66530/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/66532/

@richardlau richardlau marked this pull request as draft May 2, 2025 02:35
@richardlau
Copy link
Member Author

Moving this to draft. I ran a CI on https://github.com/richardlau/node-1/tree/openssl-3.5 (from which the commits in this PR are based) and that has failed to build on Windows: https://ci.nodejs.org/job/node-test-commit/79522/

I suspect we'll need to add even more entries into deps/openssl/config/Makefile_VC-WIN* for the missing *.asm file(s). (There must be a better way of doing this than manually editing.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lpinca lpinca lpinca approved these changes

Assignees
No one assigned
Labels
build Issues and PRs related to build files or the CI. dependencies Pull requests that update a dependency file. lts-watch-v22.x PRs that may need to be released in v22.x needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. tools Issues and PRs related to the tools directory.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@richardlau @nodejs-github-bot @aduh95 @lpinca @targos