deps: define OPENSSLDIR and ENGINESDIR explicitly #29455
Conversation
According to CVE-2019-1552(*), it is encouraged to change OPENSSLDIR from the default of /usr/local/ssl to a privileged directory on Windows. "C:\Program Files\Common Files\SSL" is set as it is the default path in OpenSSL-1.1.1. (*) https://www.openssl.org/news/secadv/20190730.txt Fixes: nodejs#29445
shigeki
added
openssl
|
@nodejs/tsc opinions? @nodejs/lts ? I'm OK with following @shigeki's advice: don't fix, its low priority and on an almost EOL release line. @nodejs/platform-windows , you should take careful note -- this is specific to Windows, do you have an opinion? |
sam-github
added
the
tsc-agenda
|
I'm OK with following @shigeki's advice as well. Once concern is what happens if you upgrade from an earlier version and had config files in /usr/local/ssl. Would you run without the configuration you expected and not know it? Maybe we should look to see if there is config in /usr/local/ssl and warn that it's not going to be used in the current version? |
|
I'm OK with following @shigeki's advice: don't fix, its low priority and on an almost EOL release line. |
It depends.
|
Trott
removed
the
tsc-agenda
|
It looks like we're agreeing to not land this change in v8.x? |
|
Close this for we agreed not to land this. |
Backslashes and spaces are need to be escaped to define OPENSSLDIR to "C:\Program Files\Common Files\SSL". PR-URL: nodejs#29456 Refs: nodejs#29455 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Backslashes and spaces are need to be escaped to define OPENSSLDIR to "C:\Program Files\Common Files\SSL". PR-URL: #29456 Refs: #29455 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Backslashes and spaces are need to be escaped to define OPENSSLDIR to "C:\Program Files\Common Files\SSL". PR-URL: #29456 Refs: #29455 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Backslashes and spaces are need to be escaped to define OPENSSLDIR to "C:\Program Files\Common Files\SSL". PR-URL: #29456 Refs: #29455 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
According to CVE-2019-1552(*), it is encouraged to change
OPENSSLDIRfrom the default of /usr/local/ssl to a privileged directory on Windows. "C:\Program Files\Common Files\SSL" is set as it is the default path in OpenSSL-1.1.1.This is also described in openssl/openssl@d333eba for the forthcoming release of OpenSSL-1.0.2t.
It breaks the compatibility of the
OPENSSLDIRpath with the previous v8 LTS releases. For v8 LTS will be ended after 4 months and its severity is LOW, I do not mind if this is not fixed.(*) https://www.openssl.org/news/secadv/20190730.txt
Fixes: #29445
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes