Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: describe OpenSSL maintenance strategy #677

Merged
merged 1 commit into from
Apr 4, 2019
Merged

doc: describe OpenSSL maintenance strategy #677

merged 1 commit into from
Apr 4, 2019

Conversation

sam-github
Copy link
Contributor

@sam-github sam-github commented Mar 25, 2019

This replaces #479

@sam-github
Copy link
Contributor Author

I wish I made this a draft PR, but I don't seem able to change it after the fact.

I updated some text with current information about OpenSSL reease strategies, since OpenSSL 1.1.1 has been released, and has been designated LTS and support until 2023 has been committed to.

I have started to add information about OpenSSL 3.0.0 and FIPS.

I have not yet added information about TLS1.3 strategy.

All of which is to say, probably not worth reviewing yet.

@sam-github
Copy link
Contributor Author

@shigeki re: #479 (comment)

You bring up a couple issues:

  1. I believe you already updated the assembler requirements in node.js master, and this doesn't require mentioning in the policy document. Agreed?

  2. I am not familiar with the OpenSSL extensions described. The plan ATM is to land [v10.x backport] Update openssl1.1.1a node#26270, so 10.x's assembler requirements will become identical to 11.x (and master, and 12.x). Do you, or @nodejs/tsc @nodejs/crypto , see a problem with this?

If we add a new feature specific to 1.1.1, the API should check openssl version and be noted in the API doc

Maybe we should do this, but I don't believe we have to. Shared OpenSSL libraries are not supported by us, they do not necessarily support Node.js' APIs, they are probably not floating our patches, they may be several patch releases behind the version of OpenSSL we include, so have bugs our Node.js builds do not, and be missing features we have. I think we should continue to make a best effort to support shared openssll libraries, including feature detection, but I don't think we are required to document the effect of shared library builds in our documentation. For our own sanity, we probably need to keep the unit tests running against shared library builds, either against 1.1.0, or 1.1.1a. TLS1.3 won't work with OpenSSL < 1.1.1b, for example, and the Ed curves won't work with OpenSSL 1.1.0.

I'm in the middle of backporting TLS1.3 support to 11.x, and in the process I expect to run into some of the issues with shared library builds.

@sam-github
Copy link
Contributor Author

@shigeki and sorry, I forgot

For the API simplicity, I think it is better to support one release version of OpenSSL during LTS.

I'm not sure exactly what you mean, is it that:

  1. you object to updating OpenSSL from 1.1.0 to 1.1.1 during the 10.x lifetime (I don't think that's what you mean)
  2. once we update to 1.1.1 in 10.x, you suggest we stop supporting 1.1.0 as a shared library (this is very attractive, if possble)
  3. for 12.x and future LTS, we do not support shared OpenSSL libs that aren't the same version as "our" OpenSSL (this has happened already on master, 12.x won't build against 1.1.0).

OpenSSL-Strategy.md Show resolved Hide resolved
OpenSSL-Strategy.md Outdated Show resolved Hide resolved
OpenSSL-Strategy.md Outdated Show resolved Hide resolved
OpenSSL-Strategy.md Outdated Show resolved Hide resolved
OpenSSL-Strategy.md Outdated Show resolved Hide resolved
OpenSSL-Strategy.md Outdated Show resolved Hide resolved
support TLS 1.3, however Node.js' TLS1.3 support requires at least OpenSSL
1.1.1b.

### OpenSSL 3.0.0
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This entire section is new, and has some bad news now that the OpenSSL project has released more information about their FIPS support plan, PTAL.

@mhdawson
Copy link
Member

mhdawson commented Apr 2, 2019

This is a great doc, let us know when it is ready to be reviewed/land.

It is unfortunately related to FIPS, but there is not much we can do.

OpenSSL-Strategy.md Outdated Show resolved Hide resolved
@sam-github
Copy link
Contributor Author

OK, @nodejs/crypto @nodejs/tsc I believe this describes current policy. Not that it can't change later :-).

Note in particular that 12.x will never support FIPS, because FIPS will require openssl 3.0.0 which will NOT be ABI compatible with openssl 1.1.1.

13.x Might support FIPS, depends on when its cut (its not in the release timeline yet)

So, there is pretty much guaranteed to be "FIPS gap". Not too sure what we can do about that. I suggest once Openssl 3.0.0 FIPS is closer to reality that we revisit, to see if there are any options.

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Good work.

@sam-github
Copy link
Contributor Author

@nodejs/tsc PTAL

https://github.com/sam-github/TSC/blob/openssl-strategy/OpenSSL-Strategy.md#nodejs-version-specific-strategy is the actual policy, the following sections are background information on Node.js and OpenSSL, for those interested.

@mhdawson mhdawson merged commit 03c36e1 into nodejs:master Apr 4, 2019
@ChALkeR
Copy link
Member

ChALkeR commented Apr 10, 2019

Belated LGTM. 🎉

@sam-github sam-github deleted the openssl-strategy branch April 24, 2019 21:48
Trott pushed a commit that referenced this pull request May 15, 2019
The OpenSSL policy changed over time:
- #364
- #479
- #677
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants