Missing OpenSSL strategy for v20 and beyond

[akirafujiu]

Hi team,

I'm following this documentation to understand the strategy for OpenSSL, but it is missing versions specific in Node.js v20 and beyond. Could someone please take a look to add that section if we had already something?

https://github.com/nodejs/TSC/blob/main/OpenSSL-Strategy.md

Background of this ask is, my application is running in Node.js v18 FIPS enabled on ubi8 image from RedHat with OpenSSL 1.1.1 FIPS. And currently I cannot move to ubi9 due to some internal restrictions. According to this comment,

First, Red Hat (as Operating System vendor) has decided that RHEL 8 has openssl 1.1.1 and therefore they will support the openssl in RHEL 8 as long as they support RHEL 8. At least to 2029.

I'm just curios if Node.js v20 can be with OpenSSL 1.1.1 as is in v18, and until when can it be with OpenSSL 1.1.1. Of course I acknowledge to update OpenSSL to v3. Thanks in advance!

[richardlau]

Background of this ask is, my application is running in Node.js v18 FIPS enabled on ubi8 image from RedHat with OpenSSL 1.1.1 FIPS. And currently I cannot move to ubi9 due to some internal restrictions. According to this comment,

First, Red Hat (as Operating System vendor) has decided that RHEL 8 has openssl 1.1.1 and therefore they will support the openssl in RHEL 8 as long as they support RHEL 8. At least to 2029.

Your question is really one for Red Hat, especially since you're running with FIPS enabled (on RHEL/UBI 8 you'll need to be using the nodejs rpms from AppStream which are linked against RHEL/UBI 8's openssl 1.1.1 for FIPS). Node.js has never officially supported FIPS on modified OpenSSL 1.1.1 (upstream OpenSSL had no FIPS support for OpenSSL 1.1.1 -- that was added by Linux vendors such as Red Hat and Ubuntu to their own distributions).

The release notes for RHEL 8.9 beta call out Node.js 20: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/8.9_release_notes/technology-previews#technology-previews-dynamic-programming-languages-web-and-database-servers
RHEL 8.9 is expected to be released later this year -- there should be corresponding UBI updates around the same time: https://access.redhat.com/support/policy/updates/errata/#RHEL8_Planning_Guide.

[akirafujiu]

Hi Richard, thank you. Understood.

Another question for RHEL 9.X. I believe OpenSSL 3.X gets default in there, and want to consume it along with Node.js v20. According to this section, is it true that Node.js v20 supports FIPS with OpenSSL 3.x, is my understanding correct?

Asking since this doc is missing explanation on Node.js 20 and beyond - back to the original question..

[richardlau]

Another question for RHEL 9.X. I believe OpenSSL 3.X gets default in there, and want to consume it along with Node.js v20. According to this section, is it true that Node.js v20 supports FIPS with OpenSSL 3.x, is my understanding correct?

Yes.

[akirafujiu]

I'm ok to close this issue though hoping strategy will be updated accordingly, since that document is a kind of official source on which developers and engineers are dependent.

[mhdawson]

I think leaving it open makes sense. It would be nice to have it updated, and this is a reminder if somebody has time to get to it.