Node v10.7.0 fails to build against system openssl 1.0.2

[debohman]

• Version: v10.7.0
• Platform: macOS 10.12.6
• Subsystem: openssl 1.0.2o

Configure line:

./configure --with-intl=system-icu --without-dtrace --without-npm --shared-openssl --shared-zlib

Build failure:

c++ '-D_DARWIN_USE_64_BIT_INODE=1' '-DNODE_ARCH="x64"' '-DNODE_WANT_INTERNALS=1' '-DV8_DEPRECATION_WARNINGS=1' '-DNODE_OPENSSL_SYSTEM_CERT_PATH=""' '-DHAVE_INSPECTOR=1' '-D__POSIX__' '-DNODE_USE_V8_PLATFORM=1' '-DNODE_HAVE_I18N_SUPPORT=1' '-DNODE_PLATFORM="darwin"' '-DHAVE_OPENSSL=1' '-DHTTP_PARSER_STRICT=0' '-D_LARGEFILE_SOURCE' '-D_FILE_OFFSET_BITS=64' '-DNGHTTP2_STATICLIB' -I/usr/local/include -I../src -I/tera/tera/debo/Projects/nodejs/node-v10.7.0/out/Release/obj/gen -I/tera/tera/debo/Projects/nodejs/node-v10.7.0/out/Release/obj/gen/include -I/tera/tera/debo/Projects/nodejs/node-v10.7.0/out/Release/obj/gen/src -I../deps/v8/include -I../deps/http_parser -I../deps/cares/include -I../deps/uv/include -I../deps/nghttp2/lib/includes -Os -gdwarf-2 -mmacosx-version-min=10.7 -arch x86_64 -Wall -Wendif-labels -W -Wno-unused-parameter -std=gnu++1y -stdlib=libc++ -fno-rtti -fno-exceptions -fno-threadsafe-statics -fno-strict-aliasing -MMD -MF /tera/tera/debo/Projects/nodejs/node-v10.7.0/out/Release/.deps//tera/tera/debo/Projects/nodejs/node-v10.7.0/out/Release/obj.target/node_lib/src/node.o.d.raw -c -o /tera/tera/debo/Projects/nodejs/node-v10.7.0/out/Release/obj.target/node_lib/src/node.o ../src/node.cc
In file included from ../src/node.cc:39:
../src/node_crypto.h:82:46: error: use of undeclared identifier 'EVP_MD_CTX_free'; did you mean 'EVP_MD_CTX_create'?
using EVPMDPointer = DeleteFnPtr<EVP_MD_CTX, EVP_MD_CTX_free>;
^~~~~~~~~~~~~~~
EVP_MD_CTX_create
/usr/local/include/openssl/evp.h:588:13: note: 'EVP_MD_CTX_create' declared here
EVP_MD_CTX *EVP_MD_CTX_create(void);
^
In file included from ../src/node.cc:39:
../src/node_crypto.h:82:46: error: non-type template argument of type 'EVP_MD_CTX *()' (aka 'env_md_ctx_st ()') cannot
be converted to a value of type 'void ()(env_md_ctx_st *)'
using EVPMDPointer = DeleteFnPtr<EVP_MD_CTX, EVP_MD_CTX_free>;
^~~~~~~~~~~~~~~
../src/util.h:476:30: note: template parameter is declared here
template <typename T, void (function)(T)>
^
In file included from ../src/node.cc:39:
../src/node_crypto.h:438:25: error: use of undeclared identifier 'HMAC_CTX_free'
DeleteFnPtr<HMAC_CTX, HMAC_CTX_free> ctx_;
^
../src/node_crypto.h:434:5: error: cannot initialize object parameter of type 'node::BaseObject' with an expression of
type 'node::crypto::Hmac'
MakeWeak();
^~~~~~~~
../src/node_crypto.h:465:3: error: unknown type name 'EVPMDPointer'; did you mean 'EVPKeyPointer'?
EVPMDPointer mdctx_;
^~~~~~~~~~~~
EVPKeyPointer
../src/node_crypto.h:80:7: note: 'EVPKeyPointer' declared here
using EVPKeyPointer = DeleteFnPtr<EVP_PKEY, EVP_PKEY_free>;
^
../src/node_crypto.h:495:3: error: unknown type name 'EVPMDPointer'; did you mean 'EVPKeyPointer'?
EVPMDPointer mdctx_;
^~~~~~~~~~~~
EVPKeyPointer
../src/node_crypto.h:80:7: note: 'EVPKeyPointer' declared here
using EVPKeyPointer = DeleteFnPtr<EVP_PKEY, EVP_PKEY_free>;
^
6 errors generated.
make[1]: *** [/tera/tera/debo/Projects/nodejs/node-v10.7.0/out/Release/obj.target/node_lib/src/node.o] Error 1
rm 540f4778fec392b8a6d908909426fa0db62457ce.intermediate 28b4ba4b0d0c4829bf1ddf4682d626dfaea53d8a.intermediate
make: *** [node] Error 2

[richardlau]

I don't believe anything was done to maintain compatibility with openssl 1.0.2 when we updated to 1.1.0. See #19794, in particular:

let's just land pure 1.1.0 support and ditch 1.0.2 support. It's something that could be added in afterward, during 10.x Current if enough people yelp.

#19794 (comment)

[debohman]

Openssl 1.0.2 is LTS. Node should be able to build against it.

[rvagg]

The current state of 1.0.2 in Node 10 is that it should be entirely possible to get to 1.0.2 backward compatibility but that work has not been done. There will be some awkward bits that will likely mean slabs of functionality is disabled if you build against 1.0.2 and this has the potential to make documentation and user support very awkward!

This is something that would be a good contribution from someone with expertise in this area who is looking for a place to contribute. Unfortunately the time available to the few people in @nodejs/crypto with the skills to do this is very limited.

[tniessen]

Openssl 1.0.2 is LTS. Node should be able to build against it.

It is LTS, yes, but it is close to its end-of-life. OpenSSL will only support 1.0.2 for another year while we need to provide support for Node.js 10.x for more than two more years. The upcoming OpenSSL 1.1.1 release will be the next LTS version and should be mostly compatible with OpenSSL 1.1.0.

Node.js 8.x still supports OpenSSL 1.0.2 (currently 1.0.2o):

The 8.x Maintenance LTS cycle is currently scheduled to expire early on December 31, 2019 to align with the scheduled End-of-Life of OpenSSL-1.0.2.

Why do you need to use 1.0.2 with Node 10? Every solution we can come up with is bound to exist for a year only, and then we will have people running into the same problem again.

[debohman]

Why do you need to use 1.0.2 with Node 10? Every solution we can come up with is bound to exist for a year only, and then we will have people running into the same problem again.

SSL latest 1.0.2 is what I had installed on my system in /usr/local when I tried to build Node 10. I ran into problems with SSL 1.1.0 earlier this year so I held off installing it.

I was just surprised by the build failure, I could not find any mention of the build version dependency.

Given that this appears to be expected, I'll make a note of it for the future.

[tniessen]

Can you try building against OpenSSL 1.1.0 again? It should also be possible to use a locally built and statically linked version of OpenSSL if you cannot install it system-wide.

[debohman]

I have since installed SSL 1.1.0 in /usr/local, and Node 10 builds successfully now.

I made a note of this issue. I think we can close this now, but perhaps it might be helpful to put an explicit notation in BUILDING.md about the dependency.

[tniessen]

Thank you for testing it, @debohman!

@rvagg Is OpenSSL 1.0.2 support in Node 10 something we actually need? It won't last for more than a year anyway, and people should be transitioning to OpenSSL 1.1.0 already.

[rvagg]

@tniessen nope, which is why nobody on the team has done the work, as far as I remember (my memory is maybe not the most reliable) we agreed to be open to PRs adding support if someone did the work. It's all in the TSC repo PR discussion where I proposed the OpenSSL policy doc.

[mgttt]

I'm working on an addon that need to wrap a .so depends on openssl 1.0.X. It make segfault when try to run in node v10+... all I can do now is using node v8 for tmp solution. It would be very very thankful to anyone give some inspiring suggestions.... thanks!

[tniessen]

@wanjochan As I said before, OpenSSL 1.0.x won't be supported for long, so all existing applications should move to newer releases. The best course of action would be to try to make the library compatible to OpenSSL 1.1.0.

[debohman]

Note that OpenSSL 1.1.0 goes out of support on 11th September 2019. I have verified that node 11.6.0 does not build against OpenSSL 1.1.1a.

[tniessen]

@debohman ref #18770

[mgttt]

@tniessen @debohman Thanks, and I've found a good solution to solve the problem. In short, using a fork() to load the addon module (w/ ssl1.0.x) in child proc by using LD_PRELOAD env variable and do bi-talk with main process (using ssl1.1.x). Hope it helps fellows that had same issues as I did.

[debohman]

I did get node 11.6.0 to build against OpenSSL 1.1.1a. There is a problem with the node build system, which I worked around. I will file a separate bug for that.