nodejs
build,deps,tools: prepare to update to OpenSSL 3.5
- test: prepare test-crypto-rsa-dsa for newer OpenSSL
Update
parallel/test-crypto-rsa-dsato prepare for updatingdeps/opensslto later versions of OpenSSL which support implicit rejections withRSA_PKCS1_PADDING. - build,deps,tools: prepare to update to OpenSSL 3.5
Update the updater script and files under
deps/openssl/configin preparation for updatingdeps/opensslto OpenSSL 3.5.
Note that this PR does not do the actual upgrade -- that should be handled by running the workflow after this lands.
This co-depends on https://github.com/nodejs/node/pull/58099, which needs to land before the updater script is run (it shouldn't matter in which order they land, but both that PR and this one are needed for the files in deps/openssl/config to be regenerated).
Can we backport this to LTS? Should we add the lts-watch labels?
I've stuck a watch label for Node.js 22 as we have to update that at some point because OpenSSL 3.0 reaches End-of-Life in September 2026 which is before the End-of-Life of Node.js 22 (end of April 2027).
For Node.js 20 we could stay on OpenSSL 3.0 as Node.js 20 will reach End-of-Life at the end of April 2026 which is prior to End-of-Life of OpenSSL 3.0. But we can have a separate discussion about how we would manage updates of OpenSSL across all of our LTS versions.
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 90.04%. Comparing base (7215d9b) to head (a82b3a8).
:warning: Report is 19 commits behind head on main.
Additional details and impacted files
@@ Coverage Diff @@
## main #58100 +/- ##
=======================================
Coverage 90.04% 90.04%
=======================================
Files 648 648
Lines 191041 191041
Branches 37448 37450 +2
=======================================
+ Hits 172026 172029 +3
- Misses 11651 11652 +1
+ Partials 7364 7360 -4
:rocket: New features to boost your workflow:
- :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
- :package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
Moving this to draft. I ran a CI on https://github.com/richardlau/node-1/tree/openssl-3.5 (from which the commits in this PR are based) and that has failed to build on Windows: https://ci.nodejs.org/job/node-test-commit/79522/
I suspect we'll need to add even more entries into deps/openssl/config/Makefile_VC-WIN* for the missing *.asm file(s). (There must be a better way of doing this than manually editing.)
I tried the update script again with the changes from this PR on my fork: https://github.com/targos/node/pull/27 Workflow run: https://github.com/targos/node/actions/runs/15186079568 It does the job fine without https://github.com/nodejs/node/pull/58099
^ Which makes sense now that I think about it again. The "Regenerate platform specific files" step has access to the files even though they are ignored by git.
I'm preparing a PR to restore the necessary files.
Just want to clarify that I am not actively working on this and do not have the bandwidth at the moment
Just want to clarify that I am not actively working on this and do not have the bandwidth at the moment
FTR I am intending to continue work on this, but have been distracted by my imminent move from Red Hat to IBM.
The issues that still need to be resolved (I don't think these should be hard but will take some time):
tools/dep_updaters/update-openssl.shneeds to be using the Dockerfile indeps/openssl/config/Dockerfileto prevent generation of assembler instructions that are incompatible with older versions of GNU assembler.- Generation of additional Windows assembler files need to be added to:
deps/openssl/config/Makefile_VC-WIN32(technically not needed formain/Node.js 24 but we do need this for older LTS lines)deps/openssl/config/Makefile_VC-WIN64-ARMdeps/openssl/config/Makefile_VC-WIN64A
I've updated this PR. I've tested it on my fork which opened a pull request against my fork updating to OpenSSL 3.5.1 that I ran a CI on which was yellow (i.e. good enough to land). For good measure, I'm running through the same testing again now that I've squashed commits together prior to updating this PR.
Again, a reminder that this PR doesn't contain the OpenSSL update -- it updates the scripts so that the OpenSSL update GitHub workflow will perform the update when run.
The config generation now runs in the existing container which for now will keep us on an older version of GNU Assembler that will result in generated assembler being compatible with the version of GNU assembler currently used in the older Linux distributions we support.
A significant delay in getting this PR working (other than the distraction of my prolonged change of employer) was debugging issues with extending the handcrafted Windows makefiles in deps/openssl/config.
(FYI if there are any changes requested/needed, I'm out of office next week and may not be responsive until I'm back.)
Landed in 0259df9faf9ff782c417552f4ce3ed96dc9f3254...7232f09995b537a0fff8769ab3947e294084bec1
