Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenSSL 3.1 in Node 18 #47177

Closed
krk opened this issue Mar 20, 2023 · 5 comments
Closed

OpenSSL 3.1 in Node 18 #47177

krk opened this issue Mar 20, 2023 · 5 comments
Labels
openssl Issues and PRs related to the OpenSSL dependency. question Issues that look for answers.

Comments

@krk
Copy link
Contributor

krk commented Mar 20, 2023

Now that OpenSSL 3.1 is out, is there a plan to update Node 18 to use it?

@marco-ippolito marco-ippolito added question Issues that look for answers. openssl Issues and PRs related to the OpenSSL dependency. labels Mar 20, 2023
@bnoordhuis
Copy link
Member

Unlikely, for the following reason (from here):

Version 3.1 will be supported until 2025-03-14
Version 3.0 will be supported until 2026-09-07 (LTS)

Compare the release schedule for v18.x:

Release Status Codename Initial Release Active LTS Start Maintenance Start End-of-life
18.x LTS Hydrogen 2022-04-19 2022-10-25 2023-10-18 2025-04-30

IOW, openssl 3.1 goes EOL 1.5 month earlier than v18.x does.

We could bring v18.x's EOL date forward (we've done that before) but only when there's a really compelling reason. I don't think there's anything in 3.1 that would warrant such a move.

@richardlau
Copy link
Member

cc @nodejs/lts @nodejs/releasers

I'm in agreement with @bnoordhuis -- it makes little sense to update to a non-LTS OpenSSL version in LTS Node.js 18. I'd go further and suggest that we keep the upcoming Node.js 20 on OpenSSL 3.0 as well -- the end of support date for OpenSSL 3.0 is after the end of support date for Node.js 20.

@krk
Copy link
Contributor Author

krk commented Mar 27, 2023

Thank you for the explanation, it makes sense from a timeline perspective.

On the other hand, OpenSSL 3.1 contains multiple important performance fixes that openssl decided not to backport onto 3.0 because it requires an exception in their process.

Here are 3 commits that are not in 3.0, that speed up reading a certificate bundle from the OS (NODE_EXTRA_CA_CERTS) significantly: openssl/openssl#20421 (comment)

openssl/openssl#18846 has a list that references more performance issues that were fixed in 3.1 vs. 3.0.

Based on these performance issues and fixes, is it possible to reconsider upgrading Node 18 and 20 to OpenSSL 3.1?

@tniessen
Copy link
Member

@krk We can likely add compatibility with OpenSSL 3.1 so that you can either build Node.js from source and link it against some OpenSSL 3.1 release or maybe even dynamically link against OpenSSL 3.1.

Beyond that, it remains very unlikely that our official builds will be linked against an OpenSSL version that will reach its end-of-life status so soon.

@bnoordhuis
Copy link
Member

I don't think there's anything else to discuss so I'll go ahead and close this. LMK if there is reason to reopen.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
openssl Issues and PRs related to the OpenSSL dependency. question Issues that look for answers.
Projects
None yet
Development

No branches or pull requests

5 participants