From b3397f14434b06d5bc0bce78a45498433a4b0ab9 Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Thu, 8 Apr 2021 11:00:32 +0200 Subject: [PATCH] doc: add quictls/openssl info in OpenSSL strategy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit updates the OpenSSL strategy document to include information about the usage of quictls/openssl in 16.x. PR-URL: https://github.com/nodejs/TSC/pull/1010 Reviewed-By: Matteo Collina Reviewed-By: Colin Ihrig Reviewed-By: Tobias Nießen Reviewed-By: Michael Dawson --- OpenSSL-Strategy.md | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/OpenSSL-Strategy.md b/OpenSSL-Strategy.md index 6b5ab833..43ff18d7 100644 --- a/OpenSSL-Strategy.md +++ b/OpenSSL-Strategy.md @@ -123,7 +123,11 @@ Node.js EOL dates: ## Node.js version 15.x (est. Oct 2020) (EOL Jun 2021) -* OpenSSL version: 1.1.1 +* quictls/OpenSSL version: 1.1.1+quic +Node.js currently uses a temporary OpenSSL fork, which closely tracks the main +openssl/openssl releases with the addition of APIs to support the QUIC protocol. +Details on the fork, as well as the latest sources, can be found at +. * Allowed shared OpenSSL version: 1.1.1 * Default minimum TLS version is TLSv1.2, default maximum is TLSv1.3. TLSv1 and TLSv1.1 are *not* supported by default, only by explicit run-time 
@@ -137,8 +141,13 @@ of 15.x (which is only about 8 months), that experimental support for OpenSSL ## Node.js version 16.x (est Apr 2021) (EOL Apr 2024) -* OpenSSL version: 3.x (because of OpenSSL EOL) -* Allowed shared OpenSSL version: 1.1.1 (proposed...) +* quictls/OpenSSL version: openssl-3.0.0+quic +Node.js currently uses a temporary OpenSSL fork, which closely tracks the main +openssl/openssl releases with the addition of APIs to support the QUIC protocol. +This will be used until OpenSSL releases support for the QUIC protocol. Details +on the fork, as well as the latest sources, can be found at +. +* Allowed shared OpenSSL version: 3.0.0, 3.0.0+quic, 1.1.1, 1.1.1+quic * Default minimum TLS version is TLSv1.2, default maximum is TLSv1.3. TLSv1 and TLSv1.1 are *not* supported by default, only by explicit run-time configuration. @@ -154,6 +163,11 @@ a `semver-minor` (ABI, API, and behavioural compatible) update to 16.x. For minimal disruption, it would probably be helpful if Node.js supported building against OpenSSL 1.1.1 out-of-tree, even if OpenSSL 3.x was in-tree. +The plan described above is to: + +* Once OpenSSL has been updated with support for the QUIC protocol replace the +temporary quictls/openssl depencency with it. + Challenges are: 1. OpenSSL 3.x moved many algorithms into a legacy library, that is only @@ -165,9 +179,6 @@ Challenges are: APIs, but the alternatives to those deprecated APIs do not exist in OpenSSL 1.1.1. So, Node.js 16.x either needs to ship calling deprecated APIs, or break compatibility with OpenSSL 1.1.1 (so it will _only build with 3.x_). -4. Behavioural differences in OpenSSL 3.x currently fail many tests in the - Node.js master test suite (effort to fix this is unknown, impact of fixing - in terms of compatibility is unknown). Tracking issue:
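Review bot: in the 15.x hunk, the new paragraph states that Node.js "currently uses a temporary OpenSSL fork" and the version line becomes "1.1.1+quic", but the commit message scopes the change to 16.x; confirm 15.x really ships the quictls fork and, if so, give this paragraph the same exit condition the 16.x paragraph has ("This will be used until OpenSSL releases support for the QUIC protocol"). The unchanged line "* Allowed shared OpenSSL version: 1.1.1" should also say what happens to the QUIC APIs when building against a plain 1.1.1 shared library, since those APIs exist only in the fork. Finally, "can be found at ." reads as though the link was dropped; check that the reference to the fork survives in the rendered document.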
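Review bot: in the 16.x hunk, "* Allowed shared OpenSSL version: 3.0.0, 3.0.0+quic, 1.1.1, 1.1.1+quic" drops the "(proposed...)" qualifier while challenge 3 below is still open (16.x "either needs to ship calling deprecated APIs, or break compatibility with OpenSSL 1.1.1"), so listing 1.1.1 as allowed now contradicts the unresolved challenge; keep it marked as proposed, or state that 1.1.1 support depends on how challenge 3 is resolved. The removed "(because of OpenSSL EOL)" rationale for moving to 3.x was useful context and could be kept on the new version line.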
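Review bot: in the hunk adding "The plan described above is to:", nothing above actually describes this plan (the preceding paragraph is about out-of-tree 1.1.1 builds), so "described above" should go; also fix "depencency" to "dependency" and add a comma after "protocol" in "Once OpenSSL has been updated with support for the QUIC protocol, replace the temporary quictls/openssl dependency with it." Since the fork only "closely tracks" openssl/openssl releases, the plan section is the place to document how upstream security releases reach Node.js while the fork is in use (who cuts the matching quictls tag and the expected lag), so a security release is not blocked on the fork.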
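Review bot: the last hunk deletes challenge 4 (behavioural differences in OpenSSL 3.x failing tests, with its tracking issue) without saying why; the commit message only mentions adding quictls information. If the failures are now fixed, say so in the commit message or leave a one-line note in the document; otherwise the challenge should stay, since the list now ends at 3 and a reader of the diff cannot tell whether the problem was resolved or just dropped.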