Update to openssl1.1.1a #25381
Closed
Update to openssl1.1.1a #25381
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nodejs-github-bot
added
build
|
@sam-github Thanks for the PR. I could not imagine we can fix an async cipher error and that's a great work. For I'm in a business trip during this week, I'm going to take a detail look at this in later. |
danbev
approved these changes
Jan 8, 2019
|
@shigeki Enjoy your trip, I'll make sure you have time to review. ci: https://ci.nodejs.org/job/node-test-commit-linux-containered/9865/ Build and test against openssl 1.1.0 was the failure above. I'll look into it. |
sam-github
force-pushed
the
update_openssl1.1.1a
branch
from
8f1b9bd
to
e70a5e1
Compare
|
The last build passed on everything except ARM. |
This was referenced Jan 16, 2019
danbev
added a commit
to danbev/node
that referenced
this pull request
Jan 16, 2019
This commit updates option ciphers from 'RC4' to 'missing' in test/parallel/test-tls-handshake-error.js. The motivation for this change is that this test is verifying that a 'no ciphers match' error be thrown, but 'RC4' might be among the ciphers supported by the OpenSSL version when dynamically linking. I ran into this specific issue when dynamically linking against OpenSSL 1.1.1 on RHEL8 using nodejs#25381.
2 tasks
|
So, been more than a week, green in CI, one approval, I guess I could just land this... but it is a significant enough update I'd like a few more reviews! @nodejs/crypto @shigeki @rvagg @bnoordhuis @indutny 1.1.1 adds some crypto algs and minor features (like zero-length PKCS8 passphrases, @tniessen ), so I'm labelling |
sam-github
force-pushed
the
update_openssl1.1.1a
branch
from
d4bfbfb
to
fda3b55
Compare
|
Updated against node/master, squashed fixups, started a fresh CI. |
sam-github
added
the
semver-minor
danbev
added a commit
that referenced
this pull request
Jan 21, 2019
This commit updates option ciphers from 'RC4' to 'no-such-cipher' in test/parallel/test-tls-handshake-error.js. The motivation for this change is that this test is verifying that a 'no ciphers match' error be thrown, but 'RC4' might be among the ciphers supported by the OpenSSL version when dynamically linking. I ran into this specific issue when dynamically linking against OpenSSL 1.1.1 on RHEL8 using #25381. PR-URL: #25534 Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
shigeki
approved these changes
Jan 21, 2019
There was a problem hiding this comment.
@sam-github Sorry for my late response. I checked your and my change commits and they are fine but some of my commits are missing commit descriptions.
I made a branch to fill the commit descriptions in https://github.com/shigeki/node/commits/PR25381.
Please rebase this to add the commit descriptions from 8e05aa0, fd5d8cb, 0dd90f3 and 01fcc96.
fd5d8cb is also fixed so as to fix within 50 chars for commit title.
Thanks for making this PR.
|
@shigeki Thanks for reviewing, I'll go through and rebase and fixup the messages. |
sam-github
force-pushed
the
update_openssl1.1.1a
branch
from
fda3b55
to
572326a
Compare
|
Added commit bodies from @shigeki, rebased, re-ci. |
|
|
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were moved to new attributes. Gyp and gypi file generations are needed to be fixed to include them.
Because llvm on MacOS does not support AVX-512, asm files need to be limited to AVX-2 support even when they are generated on Linux. fake_gcc.pl returns the fake llvm banner version for MacOS as if the assembler supports upto AVX-2. For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are rewritten into GNU makefile format by hand.
This is a floating patch against OpenSSL-1.1.1 to generate asm files with Makefile rules.
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need to be generated for the older assembler support to keep backward compatibilities.
BethGriggs
pushed a commit
that referenced
this pull request
Mar 28, 2019
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were moved to new attributes. Gyp and gypi file generations are needed to be fixed to include them. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs
pushed a commit
that referenced
this pull request
Mar 28, 2019
Because llvm on MacOS does not support AVX-512, asm files need to be limited to AVX-2 support even when they are generated on Linux. fake_gcc.pl returns the fake llvm banner version for MacOS as if the assembler supports upto AVX-2. For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are rewritten into GNU makefile format by hand. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs
pushed a commit
that referenced
this pull request
Mar 28, 2019
`SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called sending HelloRequest in OpenSSL-1.1.1. We need to check whether this is in a renegotiation state or not. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs
pushed a commit
that referenced
this pull request
Mar 28, 2019
This gets better coverage of the codes, and is more explicit. It also works around ordering differences in the errors produced by openssl. The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared openssl. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs
pushed a commit
that referenced
this pull request
Apr 29, 2019
There is a description of how to use s_client for testing of renegotiation limits in the `tls` module documentation. The information is somewhat out of scope, but it also may be somewhat problematic due to changes/peculiarities (bugs?) in recent s_client. Remove the text. Refs: #25381 (comment) PR-URL: #25678 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
sam-github
pushed a commit
to sam-github/node
that referenced
this pull request
Apr 29, 2019
This is a floating patch against OpenSSL-1.1.1 to generate asm files with Makefile rules. PR-URL: nodejs#25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Backport-PR-URL: nodejs#25688
Merged
BethGriggs
pushed a commit
that referenced
this pull request
May 10, 2019
There is a description of how to use s_client for testing of renegotiation limits in the `tls` module documentation. The information is somewhat out of scope, but it also may be somewhat problematic due to changes/peculiarities (bugs?) in recent s_client. Remove the text. Refs: #25381 (comment) PR-URL: #25678 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
sam-github
pushed a commit
to sam-github/node
that referenced
this pull request
May 10, 2019
This is a floating patch against OpenSSL-1.1.1 to generate asm files with Makefile rules. PR-URL: nodejs#25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Backport-PR-URL: nodejs#25688
MylesBorins
pushed a commit
that referenced
this pull request
May 16, 2019
There is a description of how to use s_client for testing of renegotiation limits in the `tls` module documentation. The information is somewhat out of scope, but it also may be somewhat problematic due to changes/peculiarities (bugs?) in recent s_client. Remove the text. Refs: #25381 (comment) PR-URL: #25678 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
BethGriggs
added a commit
that referenced
this pull request
May 28, 2019
Notable changes:
- deps:
- icu 63.1 bump (CLDR 34) (Steven R. Loomis)
[#23715](#23715)
- upgrade npm to 6.9.0 (Kat Marchán)
[#26244](#26244)
- upgrade openssl sources to 1.1.1a (Sam Roberts)
[#25381](#25381)
- upgrade to libuv 1.24.1 (cjihrig)
[#25078](#25078)
- events: add once method to use promises with EventEmitter
(Matteo Collina) [#26078](#26078)
- n-api: mark thread-safe function as stable (Gabriel Schulhof)
[#25556](#25556)
- repl: support top-level for-await-of (Shelley Vohr)
[#23841](#23841)
- zlib:
- add brotli support (Anna Henningsen)
[#24938](#24938)
PR-URL: #27514
This was referenced May 29, 2019
BaochengSu
added a commit
to BaochengSu/node
that referenced
this pull request
Oct 22, 2020
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:openssl_1_1_1.patch Original commit message: Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3 Upstream commits: commit 8dd8033 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Sep 12 17:34:24 2018 +0900 tls: workaround handshakedone in renegotiation `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called sending HelloRequest in OpenSSL-1.1.1. We need to check whether this is in a renegotiation state or not. Backport-PR-URL: nodejs#26270 PR-URL: nodejs#25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> commit 161dca7 Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 28 14:11:18 2018 -0800 tls: re-define max supported version as 1.2 Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: nodejs#24658 PR-URL: nodejs#25024 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Partial port, remain compatible with 1.0.2: commit 970ce14 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Mar 14 14:26:55 2018 +0900 crypto: remove deperecated methods of TLS version All version-specific methods were deprecated in OpenSSL 1.1.0 and min/max versions explicitly need to be set. This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now. crypto, constants: add constant of OpenSSL-1.1.0 Several constants for OpenSSL-1.1.0 engine were removed and renamed in OpenSSL-1.1.0. This added one renamed constant in order to have a compatible feature with that of OpenSSL-1.0.2. Other missed or new constants in OpenSSL-1.1.0 are not yet added. crypto,tls,constants: remove OpenSSL1.0.2 support This is semver-majar change so that we need not to have compatibilities with older versions. Fixes: nodejs#4270 PR-URL: nodejs#19794 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
BaochengSu
added a commit
to BaochengSu/node
that referenced
this pull request
Jul 14, 2022
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:openssl_1_1_1.patch Original commit message: Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3 Upstream commits: commit 8dd8033 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Sep 12 17:34:24 2018 +0900 tls: workaround handshakedone in renegotiation `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called sending HelloRequest in OpenSSL-1.1.1. We need to check whether this is in a renegotiation state or not. Backport-PR-URL: nodejs#26270 PR-URL: nodejs#25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> commit 161dca7 Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 28 14:11:18 2018 -0800 tls: re-define max supported version as 1.2 Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: nodejs#24658 PR-URL: nodejs#25024 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Partial port, remain compatible with 1.0.2: commit 970ce14 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Mar 14 14:26:55 2018 +0900 crypto: remove deperecated methods of TLS version All version-specific methods were deprecated in OpenSSL 1.1.0 and min/max versions explicitly need to be set. This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now. crypto, constants: add constant of OpenSSL-1.1.0 Several constants for OpenSSL-1.1.0 engine were removed and renamed in OpenSSL-1.1.0. This added one renamed constant in order to have a compatible feature with that of OpenSSL-1.0.2. Other missed or new constants in OpenSSL-1.1.0 are not yet added. crypto,tls,constants: remove OpenSSL1.0.2 support This is semver-majar change so that we need not to have compatibilities with older versions. Fixes: nodejs#4270 PR-URL: nodejs#19794 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Most of this work comes from @shigeki, who got openssl 1.1.1 building and running across all Node's platforms.
Last time I tested this branch on ci it passed, and it passes locally.
I've done a fair amount of ABI testing, as well. It looks pretty compatible to me (as OpenSSL intended).
See #18770 (comment) (and around) for more information.
@nodejs/crypto , particularly @rvagg @shigeki
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes