OpenSSL 3.1 in Node 18

[krk]

Now that OpenSSL 3.1 is out, is there a plan to update Node 18 to use it?

[bnoordhuis]

Unlikely, for the following reason (from here):

Version 3.1 will be supported until 2025-03-14
Version 3.0 will be supported until 2026-09-07 (LTS)

Compare the release schedule for v18.x:

Release	Status	Codename	Initial Release	Active LTS Start	Maintenance Start	End-of-life
18.x	LTS	Hydrogen	2022-04-19	2022-10-25	2023-10-18	2025-04-30

IOW, openssl 3.1 goes EOL 1.5 month earlier than v18.x does.

We could bring v18.x's EOL date forward (we've done that before) but only when there's a really compelling reason. I don't think there's anything in 3.1 that would warrant such a move.

[richardlau]

cc @nodejs/lts @nodejs/releasers

I'm in agreement with @bnoordhuis -- it makes little sense to update to a non-LTS OpenSSL version in LTS Node.js 18. I'd go further and suggest that we keep the upcoming Node.js 20 on OpenSSL 3.0 as well -- the end of support date for OpenSSL 3.0 is after the end of support date for Node.js 20.

[krk]

Thank you for the explanation, it makes sense from a timeline perspective.

On the other hand, OpenSSL 3.1 contains multiple important performance fixes that openssl decided not to backport onto 3.0 because it requires an exception in their process.

Here are 3 commits that are not in 3.0, that speed up reading a certificate bundle from the OS (NODE_EXTRA_CA_CERTS) significantly: openssl/openssl#20421 (comment)

openssl/openssl#18846 has a list that references more performance issues that were fixed in 3.1 vs. 3.0.

Based on these performance issues and fixes, is it possible to reconsider upgrading Node 18 and 20 to OpenSSL 3.1?

[tniessen]

@krk We can likely add compatibility with OpenSSL 3.1 so that you can either build Node.js from source and link it against some OpenSSL 3.1 release or maybe even dynamically link against OpenSSL 3.1.

Beyond that, it remains very unlikely that our official builds will be linked against an OpenSSL version that will reach its end-of-life status so soon.

[bnoordhuis]

I don't think there's anything else to discuss so I'll go ahead and close this. LMK if there is reason to reopen.