
Missing OpenSSL strategy for v20 and beyond

Open akirafujiu opened this issue 2 years ago • 6 comments

Hi team,

I'm following this documentation to understand the strategy for OpenSSL, but it is missing versions specific in Node.js v20 and beyond. Could someone please take a look to add that section if we had already something?

https://github.com/nodejs/TSC/blob/main/OpenSSL-Strategy.md

Background of this ask is, my application is running in Node.js v18 FIPS enabled on ubi8 image from Red Hat with OpenSSL 1.1.1 FIPS. And currently I cannot move to ubi9 due to some internal restrictions. According to this comment,

> First, Red Hat (as Operating System vendor) has decided that RHEL 8 has openssl 1.1.1 and therefore they will support the openssl in RHEL 8 as long as they support RHEL 8. At least to 2029.

I'm just curious if Node.js v20 can be with OpenSSL 1.1.1 as is in v18, and until when can it be with OpenSSL 1.1.1. Of course I acknowledge to update OpenSSL to v3. Thanks in advance!

akirafujiu • Oct 31 '23 05:10

> Background of this ask is, my application is running in Node.js v18 FIPS enabled on ubi8 image from Red Hat with OpenSSL 1.1.1 FIPS. And currently I cannot move to ubi9 due to some internal restrictions. According to this comment,
>
> > First, Red Hat (as Operating System vendor) has decided that RHEL 8 has openssl 1.1.1 and therefore they will support the openssl in RHEL 8 as long as they support RHEL 8. At least to 2029.

Your question is really one for Red Hat, especially since you're running with FIPS enabled (on RHEL/UBI 8 you'll need to be using the nodejs rpms from AppStream which are linked against RHEL/UBI 8's openssl 1.1.1 for FIPS). Node.js has never officially supported FIPS on modified OpenSSL 1.1.1 (upstream OpenSSL had no FIPS support for OpenSSL 1.1.1 -- that was added by Linux vendors such as Red Hat and Ubuntu to their own distributions).

The release notes for RHEL 8.9 beta call out Node.js 20: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/8.9_release_notes/technology-previews#technology-previews-dynamic-programming-languages-web-and-database-servers

RHEL 8.9 is expected to be released later this year -- there should be corresponding UBI updates around the same time: https://access.redhat.com/support/policy/updates/errata/#RHEL8_Planning_Guide.

richardlau • Oct 31 '23 15:10

Hi Richard, thank you. Understood.

Another question for RHEL 9.X. I believe OpenSSL 3.X gets default in there, and want to consume it along with Node.js v20. According to this section, is it true that Node.js v20 supports FIPS with OpenSSL 3.x, is my understanding correct?

Asking since this doc is missing explanation on Node.js 20 and beyond - back to the original question..

akirafujiu • Nov 01 '23 02:11

> Another question for RHEL 9.X. I believe OpenSSL 3.X gets default in there, and want to consume it along with Node.js v20. According to this section, is it true that Node.js v20 supports FIPS with OpenSSL 3.x, is my understanding correct?

Yes.

richardlau • Nov 01 '23 17:11

I'm ok to close this issue though hoping strategy will be updated accordingly, since that document is a kind of official source on which developers and engineers are dependent.

akirafujiu • Nov 02 '23 12:11

I think leaving it open makes sense. It would be nice to have it updated, and this is a reminder if somebody has time to get to it.

mhdawson • Jan 22 '24 20:01