End-of-Life dates of Node.js 16 and OpenSSL 1.1.1 do not align #1222
Comments
|
If I had to express a personal preference right now I would lean towards bringing forward the End-of-Life date of Node.js 16 to September 2023. At that point in time Node.js 18 would be in active LTS (transitioning into maintenance in October 2023). |
I concur. |
|
I concur. |
|
I also concur. |
|
I believe this was discussed before and at that point, if I remember correctly, the solution that seemed most likely was switching to OpenSSL 3 even if it is a breaking change. That does seem risky though, and it might be simpler to cut support for Node.js 16 off earlier as planned. |
|
I think we should end support early and announce it as soon as possible (and update the chart in the release repository and so on). That also gives us more runway to change our minds. |
|
My initial thought is end support early as well, announcing as soon as we have agreement on the approach. |
|
+1 to ending support early. |
|
+1 to ending support early, as well (and announcing as soon as possible). |
|
I'm okay with ending support early. |
|
@mhdawson and I are currently exploring whether we can use Red Hat work to support OpenSSL 1.1.1 in RHEL 8 to potentially keep the existing End-of-Life date of Node.js 16 (April 2024). |
|
+1 on ending support early |
The outcome of this investigation is that unfortunately the version of openssl maintained in CentOS Stream 8 has enough differences from upstream OpenSSL 1.1.1 that making a switch to that would also result in potential breakages. For example:
Missing cryptographic curves from CentOS Stream 8 openssl when compared to Node.js 16.15.0 |
Update schedule, README table and chart to reflect the change to Node.js 16's End-of-Life date to September 11, 2023. Move Node.js 17 to End-of-Life table. Refs: nodejs/TSC#1222 Refs: nodejs/nodejs.org#4629
Update schedule, README table and chart to reflect the change to Node.js 16's End-of-Life date to September 11, 2023. Move Node.js 17 to End-of-Life table. Refs: nodejs/TSC#1222 Refs: nodejs/nodejs.org#4629
|
The announcement was published and the release schedule updated. |
|
I missed a reference to the old date in the CHANGELOG: nodejs/node#45103 |
Node.js 16's End-of-Life date was brought forward to coincide with the end of support for upstream OpenSSL 1.1.1. PR-URL: #45103 Refs: https://nodejs.org/en/blog/announcements/nodejs16-eol/ Refs: nodejs/Release#752 Refs: nodejs/TSC#1222 Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Node.js 16's End-of-Life date was brought forward to coincide with the end of support for upstream OpenSSL 1.1.1. PR-URL: #45103 Refs: https://nodejs.org/en/blog/announcements/nodejs16-eol/ Refs: nodejs/Release#752 Refs: nodejs/TSC#1222 Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Node.js 16's End-of-Life date was brought forward to coincide with the end of support for upstream OpenSSL 1.1.1. PR-URL: #45103 Refs: https://nodejs.org/en/blog/announcements/nodejs16-eol/ Refs: nodejs/Release#752 Refs: nodejs/TSC#1222 Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Node.js 16's End-of-Life date was brought forward to coincide with the end of support for upstream OpenSSL 1.1.1. PR-URL: #45103 Refs: https://nodejs.org/en/blog/announcements/nodejs16-eol/ Refs: nodejs/Release#752 Refs: nodejs/TSC#1222 Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Node.js 16's End-of-Life date was brought forward to coincide with the end of support for upstream OpenSSL 1.1.1. PR-URL: #45103 Refs: https://nodejs.org/en/blog/announcements/nodejs16-eol/ Refs: nodejs/Release#752 Refs: nodejs/TSC#1222 Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Node.js 16's End-of-Life date was brought forward to coincide with the end of support for upstream OpenSSL 1.1.1. PR-URL: #45103 Refs: https://nodejs.org/en/blog/announcements/nodejs16-eol/ Refs: nodejs/Release#752 Refs: nodejs/TSC#1222 Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
When we drafted the Node.js 16 section of the OpenSSL strategy document (#859) the expectation was that OpenSSL 3 would be released before or around Node.js 16. This didn't happen and we had to release Node.js 16 still on OpenSSL 1.1.1.
Unfortunately OpenSSL 1.1.1 is due to stop receiving updates in September 2023 which is seven months before Node.js 16's End-of-Life date of April 2024.
https://www.openssl.org/policies/releasestrat.html
We need to make a decision regarding what to do about this discrepancy. Our options include:
node/openssl/ssl.hshould compile without any additional defines node#40575). We've had to adjust error message checks in several Node.js tests for OpenSSL 3 and I have no idea if any modules out there would be affected in the same way.* Node.js 16 is actually using the quictls fork of OpenSSL 1.1.1. I see nothing to suggest that they would continue to provide support for OpenSSL 1.1.1 beyond upstream OpenSSL's planned end of support date.
cc @nodejs/crypto @nodejs/lts @nodejs/tsc
The text was updated successfully, but these errors were encountered: