Skip to content

build,deps,tools: prepare to update to OpenSSL 3.5 #58100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

build,deps,tools: prepare to update to OpenSSL 3.5 #58100

wants to merge 2 commits into from

Conversation

richardlau
Copy link
Member

@richardlau richardlau commented May 1, 2025
edited
Loading

  • test: prepare test-crypto-rsa-dsa for newer OpenSSL
    Update parallel/test-crypto-rsa-dsa to prepare for updating
    deps/openssl to later versions of OpenSSL which support implicit
    rejections with RSA_PKCS1_PADDING.
  • build,deps,tools: prepare to update to OpenSSL 3.5
    Update the updater script and files under deps/openssl/config in
    preparation for updating deps/openssl to OpenSSL 3.5.

Note that this PR does not do the actual upgrade -- that should be handled by running the workflow after this lands.

This builds upon work started by @targos in #57795.

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/gyp
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. tools Issues and PRs related to the tools directory. labels May 1, 2025
This was referenced May 1, 2025
Closed
Closed
@richardlau richardlau force-pushed the prepare-for-openssl-3.5 branch from f44bef3 to 6abfd51 Compare May 1, 2025 17:59
@richardlau richardlau mentioned this pull request May 1, 2025
Closed
@aduh95
Copy link
Contributor

aduh95 commented May 1, 2025
edited
Loading

Can we backport this to LTS? Should we add the lts-watch labels?

@richardlau richardlau added lts-watch-v20.x PRs that may need to be released in v20.x lts-watch-v22.x PRs that may need to be released in v22.x and removed lts-watch-v20.x PRs that may need to be released in v20.x labels May 1, 2025
@richardlau
Copy link
Member Author

Can we backport this to LTS? Should we add the lts-watch labels?

I've stuck a watch label for Node.js 22 as we have to update that at some point because OpenSSL 3.0 reaches End-of-Life in September 2026 which is before the End-of-Life of Node.js 22 (end of April 2027).

For Node.js 20 we could stay on OpenSSL 3.0 as Node.js 20 will reach End-of-Life at the end of April 2026 which is prior to End-of-Life of OpenSSL 3.0. But we can have a separate discussion about how we would manage updates of OpenSSL across all of our LTS versions.

@codecov Codecov
Copy link

codecov bot commented May 1, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.04%. Comparing base (7215d9b) to head (a82b3a8).
⚠️ Report is 19 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #58100   +/-   ##
=======================================
  Coverage   90.04%   90.04%           
=======================================
  Files         648      648           
  Lines      191041   191041           
  Branches    37448    37450    +2     
=======================================
+ Hits       172026   172029    +3     
- Misses      11651    11652    +1     
+ Partials     7364     7360    -4

see 30 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@richardlau richardlau added the request-ci Add this label to start a Jenkins CI on a PR. label May 1, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label May 1, 2025
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@richardlau richardlau marked this pull request as draft May 2, 2025 02:35
@richardlau

This comment was marked as outdated.

Sign in to view
@targos

This comment was marked as outdated.

Sign in to view
@targos

This comment was marked as outdated.

Sign in to view
@targos

This comment was marked as outdated.

Sign in to view
@trivikr trivikr mentioned this pull request Jun 27, 2025
Open
@targos
Copy link
Member

targos commented Jun 30, 2025

Just want to clarify that I am not actively working on this and do not have the bandwidth at the moment

@richardlau
Copy link
Member Author

Just want to clarify that I am not actively working on this and do not have the bandwidth at the moment

FTR I am intending to continue work on this, but have been distracted by my imminent move from Red Hat to IBM.

The issues that still need to be resolved (I don't think these should be hard but will take some time):

  1. tools/dep_updaters/update-openssl.sh needs to be using the Dockerfile in deps/openssl/config/Dockerfile to prevent generation of assembler instructions that are incompatible with older versions of GNU assembler.
  2. Generation of additional Windows assembler files need to be added to:
    • deps/openssl/config/Makefile_VC-WIN32 (technically not needed for main/Node.js 24 but we do need this for older LTS lines)
    • deps/openssl/config/Makefile_VC-WIN64-ARM
    • deps/openssl/config/Makefile_VC-WIN64A

@willfarrell willfarrell mentioned this pull request Jul 2, 2025
Open
richardlau and others added 2 commits July 25, 2025 14:28
@richardlau
test: prepare test-crypto-rsa-dsa for newer OpenSSL
70bf05b 
Update `parallel/test-crypto-rsa-dsa` to prepare for updating
`deps/openssl` to later versions of OpenSSL which support implicit
rejections with `RSA_PKCS1_PADDING`.
@richardlau @targos
build,deps,tools: prepare to update to OpenSSL 3.5
a82b3a8 
Update the updater script and files under `deps/openssl/config` in
preparation for updating `deps/openssl` to OpenSSL 3.5.

Co-Authored-By: Michaël Zasso <[email protected]>
@richardlau richardlau force-pushed the prepare-for-openssl-3.5 branch from 6abfd51 to a82b3a8 Compare July 25, 2025 14:31
@richardlau richardlau marked this pull request as ready for review July 25, 2025 14:35
@richardlau
Copy link
Member Author

I've updated this PR. I've tested it on my fork which opened a pull request against my fork updating to OpenSSL 3.5.1 that I ran a CI on which was yellow (i.e. good enough to land). For good measure, I'm running through the same testing again now that I've squashed commits together prior to updating this PR.

Again, a reminder that this PR doesn't contain the OpenSSL update -- it updates the scripts so that the OpenSSL update GitHub workflow will perform the update when run.

The config generation now runs in the existing container which for now will keep us on an older version of GNU Assembler that will result in generated assembler being compatible with the version of GNU assembler currently used in the older Linux distributions we support.

A significant delay in getting this PR working (other than the distraction of my prolonged change of employer) was debugging issues with extending the handcrafted Windows makefiles in deps/openssl/config.

(FYI if there are any changes requested/needed, I'm out of office next week and may not be responsive until I'm back.)

@richardlau richardlau added the request-ci Add this label to start a Jenkins CI on a PR. label Jul 25, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jul 25, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/68197/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/68199/

@richardlau richardlau added commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. commit-queue Add this label to land a pull request using GitHub Actions. labels Jul 25, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jul 26, 2025
@nodejs-github-bot
Copy link
Collaborator

Landed in 0259df9...7232f09

nodejs-github-bot pushed a commit that referenced this pull request Jul 26, 2025
@richardlau @nodejs-github-bot
test: prepare test-crypto-rsa-dsa for newer OpenSSL
cb531b0 
Update `parallel/test-crypto-rsa-dsa` to prepare for updating
`deps/openssl` to later versions of OpenSSL which support implicit
rejections with `RSA_PKCS1_PADDING`.

PR-URL: #58100
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
nodejs-github-bot pushed a commit that referenced this pull request Jul 26, 2025
@richardlau @targos @nodejs-github-bot
build,deps,tools: prepare to update to OpenSSL 3.5
7232f09 
Update the updater script and files under `deps/openssl/config` in
preparation for updating `deps/openssl` to OpenSSL 3.5.

Co-Authored-By: Michaël Zasso <[email protected]>
PR-URL: #58100
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
aduh95 pushed a commit that referenced this pull request Jul 27, 2025
@richardlau @aduh95
test: prepare test-crypto-rsa-dsa for newer OpenSSL
39978f5 
Update `parallel/test-crypto-rsa-dsa` to prepare for updating
`deps/openssl` to later versions of OpenSSL which support implicit
rejections with `RSA_PKCS1_PADDING`.

PR-URL: #58100
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
aduh95 pushed a commit that referenced this pull request Jul 27, 2025
@richardlau @targos @aduh95
build,deps,tools: prepare to update to OpenSSL 3.5
dc66422 
Update the updater script and files under `deps/openssl/config` in
preparation for updating `deps/openssl` to OpenSSL 3.5.

Co-Authored-By: Michaël Zasso <[email protected]>
PR-URL: #58100
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
@aduh95 aduh95 deleted the prepare-for-openssl-3.5 branch July 28, 2025 09:14
@github-actions github-actions bot mentioned this pull request Jul 28, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@panva panva panva approved these changes

@jasnell jasnell jasnell approved these changes

@lpinca lpinca lpinca approved these changes

@anonrig anonrig anonrig approved these changes

@targos targos targos approved these changes

Assignees
No one assigned
Labels
build Issues and PRs related to build files or the CI. commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. dependencies Pull requests that update a dependency file. lts-watch-v22.x PRs that may need to be released in v22.x needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. tools Issues and PRs related to the tools directory.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@richardlau @nodejs-github-bot @aduh95 @targos @panva @jasnell @lpinca @anonrig