Skip to content

Conversation

nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot nodejs-github-bot commented May 1, 2025

This is an automated update of OpenSSL to 3.0.17.

@nodejs-github-bot nodejs-github-bot added dependencies Pull requests that update a dependency file. openssl Issues and PRs related to the OpenSSL dependency. labels May 1, 2025
@nodejs-github-bot
Copy link
Collaborator Author

Review requested:

  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label May 1, 2025
@richardlau richardlau added the blocked PRs that are blocked by other issues or PRs. label May 1, 2025
@richardlau
Copy link
Member

FYI I'm testing the automation.

@richardlau
Copy link
Member

richardlau commented May 1, 2025

@richardlau richardlau changed the title deps: update OpenSSL to 3.5.0 [do not land] deps: update OpenSSL to 3.5.0 May 1, 2025
@richardlau
Copy link
Member

Marked [do not land] (and labelled blocked). The intention is to land #58099 and #58100 and then run the updater workflow from main to do the proper upgrade (e.g. in this PR the commits from #58098 have been squashed into the first commit, which isn't what we want).

@nodejs-github-bot
Copy link
Collaborator Author

@richardlau
Copy link
Member

richardlau commented May 2, 2025

CI: https://ci.nodejs.org/job/node-test-pull-request/66533/

https://ci.nodejs.org/job/node-test-commit-linux/nodes=rhel8-x64/64390/console

02:00:16 ../deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s: Assembler messages:
02:00:16 ../deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s:85: Error: unsupported instruction `vpmadd52luq'
02:00:16 ../deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s:86: Error: unsupported instruction `vpmadd52luq'
...

So the build failures are a surprise as I wasn't seeing those locally (Linux x64). On further investigation it looks like some of the config files, specifically some of the assembly *.s files, are different when run on GitHub workflow vs generating them locally with deps/openssl/config/Dockerfile.

For example, compare

I think this is partly due to openssl/openssl#25751 and e.g.

# TODO: Find out the version of NASM that supports VEX-encoded AVX-IFMA instructions
if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
=~ /GNU assembler version ([2-9]\.[0-9]+)/) {
$avxifma = ($1>=2.40);
}
which is sensitive to GNU assembler version.

The version of GNU assembler in the Dockerfile (Ubuntu 20.04) is 2.34. My RHEL 9 build environment has GNU assembler 2.38. Both of those are less than 2.40. Ubuntu 24.04 appears to have GNU assembler 2.42, which passes the above check. The build in Jenkins will be running with different versions of GNU assembler depending on the installed version of binutils.

@nodejs-github-bot nodejs-github-bot changed the title [do not land] deps: update OpenSSL to 3.5.0 deps: update OpenSSL to 3.0.17 Jul 6, 2025
@richardlau richardlau closed this Jul 18, 2025
@richardlau richardlau deleted the actions/tools-update-openssl branch July 18, 2025 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

blocked PRs that are blocked by other issues or PRs. dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants