doc: describe OpenSSL maintenance strategy #677
I wish I made this a draft PR, but I don't seem able to change it after the fact. I updated some text with current information about OpenSSL release strategies, since OpenSSL 1.1.1 has been released, has been designated LTS, and support until 2023 has been committed to. I have started to add information about OpenSSL 3.0.0 and FIPS. I have not yet added information about TLS1.3 strategy. All of which is to say, probably not worth reviewing yet.
You bring up a couple issues:
Maybe we should do this, but I don't believe we have to. Shared OpenSSL libraries are not supported by us, they do not necessarily support Node.js' APIs, they are probably not floating our patches, they may be several patch releases behind the version of OpenSSL we include, so have bugs our Node.js builds do not, and be missing features we have. I think we should continue to make a best effort to support shared openssl libraries, including feature detection, but I don't think we are required to document the effect of shared library builds in our documentation. For our own sanity, we probably need to keep the unit tests running against shared library builds, either against 1.1.0, or 1.1.1a. TLS1.3 won't work with OpenSSL < 1.1.1b, for example, and the Ed curves won't work with OpenSSL 1.1.0. I'm in the middle of backporting TLS1.3 support to 11.x, and in the process I expect to run into some of the issues with shared library builds.
@shigeki and sorry, I forgot
I'm not sure exactly what you mean, is it that:
OpenSSL-Strategy.md (Outdated)
> support TLS 1.3, however Node.js' TLS1.3 support requires at least OpenSSL
> 1.1.1b.
>
> ### OpenSSL 3.0.0
This entire section is new, and has some bad news now that the OpenSSL project has released more information about their FIPS support plan, PTAL.
This is a great doc, let us know when it is ready to be reviewed/land. It is unfortunately related to FIPS, but there is not much we can do.
OK, @nodejs/crypto @nodejs/tsc I believe this describes current policy. Not that it can't change later :-). Note in particular that 12.x will never support FIPS, because FIPS will require openssl 3.0.0 which will NOT be ABI compatible with openssl 1.1.1. 13.x might support FIPS, depends on when it's cut (it's not in the release timeline yet). So, there is pretty much guaranteed to be a "FIPS gap". Not too sure what we can do about that. I suggest once Openssl 3.0.0 FIPS is closer to reality that we revisit, to see if there are any options.
LGTM, Good work.
@nodejs/tsc PTAL https://github.com/sam-github/TSC/blob/openssl-strategy/OpenSSL-Strategy.md#nodejs-version-specific-strategy is the actual policy, the following sections are background information on Node.js and OpenSSL, for those interested.
Belated LGTM. 🎉
This replaces #479