diff --git a/OpenSSL-Strategy.md b/OpenSSL-Strategy.md index 45f56b64..9481a34e 100644 --- a/OpenSSL-Strategy.md +++ b/OpenSSL-Strategy.md @@ -151,15 +151,10 @@ of 15.x (which is only about 8 months), that experimental support for OpenSSL * Default minimum TLS version is TLSv1.2, default maximum is TLSv1.3. TLSv1 and TLSv1.1 are _not_ supported by default, only by explicit run-time configuration. -* FIPS: unpredictable, see below OpenSSL 1.1.1 goes EOL on 2023-09-11, which is before 16.x will go EOL, so is not an appropriate choice for 16.x -OpenSSL 3.x may have FIPS support by release date of Node.js 16.x, or it may -not. If it does not, since its a provider, it may be possible to support in -a `semver-minor` (ABI, API, and behavioural compatible) update to 16.x. - For minimal disruption, it would probably be helpful if Node.js supported building against OpenSSL 1.1.1 out-of-tree, even if OpenSSL 3.x was in-tree. @@ -168,18 +163,6 @@ The plan described above is to: * Once OpenSSL has been updated with support for the QUIC protocol replace the temporary quictls/openssl depencency with it. -Challenges are: - -1. OpenSSL 3.x moved many algorithms into a legacy library, that is only - accessible as a dynamically loaded provider, so cannot ship with Node.js -2. Node.js has a build system wrapped around OpenSSL 1.1.1, it is currently - incompatible with the OpenSSL 3.x build system (effort to fix this is - unknown). -3. OpenSSL 3.x has compile-time warning-deprecated a number of OpenSSL 1.1.1 - APIs, but the alternatives to those deprecated APIs do not exist in OpenSSL - 1.1.1. So, Node.js 16.x either needs to ship calling deprecated APIs, or - break compatibility with OpenSSL 1.1.1 (so it will _only build with 3.x_). - Tracking issue: ## Background
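Review bot: In the first hunk (@@ -151,15 +151,10 @@), dropping the "FIPS: unpredictable, see below" bullet together with the paragraph it pointed to leaves the 16.x strategy saying nothing about FIPS at all, even though the surrounding bullets still enumerate the TLS defaults for the same release. If the status is now known, replace the bullet with a one-line statement of it rather than deleting it; if it is still unknown, keep the bullet and the note that a provider-based FIPS module could arrive in a `semver-minor` update, since that is the only place the document records that path. The remaining sentence "it would probably be helpful if Node.js supported building against OpenSSL 1.1.1 out-of-tree, even if OpenSSL 3.x was in-tree" also reads as unmotivated once the FIPS paragraph above it is gone; either keep a short rationale here or move that sentence next to whatever now explains why out-of-tree 1.1.1 matters.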
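Review bot: In the second hunk (@@ -168,18 +163,6 @@), the three removed challenges (legacy algorithms only reachable via a dynamically loaded provider that cannot ship with Node.js, the 1.1.1-shaped build system being incompatible with the 3.x one, and 3.x deprecating APIs whose replacements do not exist in 1.1.1) are the only recorded rationale for the plan above them; deleting the list without stating how each was resolved or why it no longer applies leaves the document with a plan and no constraints. Suggest replacing the list with a short "Resolved:" or "No longer applicable because..." entry per item instead of removing it outright. The surviving "Tracking issue:" line is left with no issue reference after it; fill it in or remove it so the heading does not point at nothing. Minor, in the unchanged context: "quictls/openssl depencency" should read "dependency".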