-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update to openssl1.1.1a #25381
Update to openssl1.1.1a #25381
Conversation
@sam-github Thanks for the PR. I could not imagine we can fix an async cipher error and that's a great work. For I'm in a business trip during this week, I'm going to take a detail look at this in later. |
@shigeki Enjoy your trip, I'll make sure you have time to review. ci: https://ci.nodejs.org/job/node-test-commit-linux-containered/9865/ Build and test against openssl 1.1.0 was the failure above. I'll look into it. |
8f1b9bd
to
e70a5e1
Compare
The last build passed on everything except ARM. |
This commit updates option ciphers from 'RC4' to 'missing' in test/parallel/test-tls-handshake-error.js. The motivation for this change is that this test is verifying that a 'no ciphers match' error be thrown, but 'RC4' might be among the ciphers supported by the OpenSSL version when dynamically linking. I ran into this specific issue when dynamically linking against OpenSSL 1.1.1 on RHEL8 using nodejs#25381.
So, been more than a week, green in CI, one approval, I guess I could just land this... but it is a significant enough update I'd like a few more reviews! @nodejs/crypto @shigeki @rvagg @bnoordhuis @indutny 1.1.1 adds some crypto algs and minor features (like zero-length PKCS8 passphrases, @tniessen ), so I'm labelling |
d4bfbfb
to
fda3b55
Compare
Updated against node/master, squashed fixups, started a fresh CI. |
This commit updates option ciphers from 'RC4' to 'no-such-cipher' in test/parallel/test-tls-handshake-error.js. The motivation for this change is that this test is verifying that a 'no ciphers match' error be thrown, but 'RC4' might be among the ciphers supported by the OpenSSL version when dynamically linking. I ran into this specific issue when dynamically linking against OpenSSL 1.1.1 on RHEL8 using #25381. PR-URL: #25534 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anna Henningsen <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sam-github Sorry for my late response. I checked your and my change commits and they are fine but some of my commits are missing commit descriptions.
I made a branch to fill the commit descriptions in https://github.com/shigeki/node/commits/PR25381.
Please rebase this to add the commit descriptions from 8e05aa0, fd5d8cb, 0dd90f3 and 01fcc96.
fd5d8cb is also fixed so as to fix within 50 chars for commit title.
Thanks for making this PR.
@shigeki Thanks for reviewing, I'll go through and rebase and fixup the messages. |
fda3b55
to
572326a
Compare
Added commit bodies from @shigeki, rebased, re-ci. |
|
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were moved to new attributes. Gyp and gypi file generations are needed to be fixed to include them.
Because llvm on MacOS does not support AVX-512, asm files need to be limited to AVX-2 support even when they are generated on Linux. fake_gcc.pl returns the fake llvm banner version for MacOS as if the assembler supports upto AVX-2. For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are rewritten into GNU makefile format by hand.
This is a floating patch against OpenSSL-1.1.1 to generate asm files with Makefile rules.
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need to be generated for the older assembler support to keep backward compatibilities.
This is a floating patch against OpenSSL-1.1.1 to generate asm files with Makefile rules. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were moved to new attributes. Gyp and gypi file generations are needed to be fixed to include them. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
Because llvm on MacOS does not support AVX-512, asm files need to be limited to AVX-2 support even when they are generated on Linux. fake_gcc.pl returns the fake llvm banner version for MacOS as if the assembler supports upto AVX-2. For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are rewritten into GNU makefile format by hand. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need to be generated for the older assembler support to keep backward compatibilities. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
Add new requirements of assembler version for AVX-512 support in OpenSSL-1.1.1. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
AIX has own assembler not GNU as that does not support --noexecstack. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
`SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called sending HelloRequest in OpenSSL-1.1.1. We need to check whether this is in a renegotiation state or not. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
This gets better coverage of the codes, and is more explicit. It also works around ordering differences in the errors produced by openssl. The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared openssl. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
`cd deps/openssl/config; make` updates all archs dependant files. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
There is a description of how to use s_client for testing of renegotiation limits in the `tls` module documentation. The information is somewhat out of scope, but it also may be somewhat problematic due to changes/peculiarities (bugs?) in recent s_client. Remove the text. Refs: #25381 (comment) PR-URL: #25678 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
This is a floating patch against OpenSSL-1.1.1 to generate asm files with Makefile rules. PR-URL: nodejs#25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Backport-PR-URL: nodejs#25688
There is a description of how to use s_client for testing of renegotiation limits in the `tls` module documentation. The information is somewhat out of scope, but it also may be somewhat problematic due to changes/peculiarities (bugs?) in recent s_client. Remove the text. Refs: #25381 (comment) PR-URL: #25678 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
This is a floating patch against OpenSSL-1.1.1 to generate asm files with Makefile rules. PR-URL: nodejs#25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Backport-PR-URL: nodejs#25688
This is a floating patch against OpenSSL-1.1.1 to generate asm files with Makefile rules. Backport-PR-URL: #27419 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Backport-PR-URL: #25688
There is a description of how to use s_client for testing of renegotiation limits in the `tls` module documentation. The information is somewhat out of scope, but it also may be somewhat problematic due to changes/peculiarities (bugs?) in recent s_client. Remove the text. Refs: #25381 (comment) PR-URL: #25678 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
This is a floating patch against OpenSSL-1.1.1 to generate asm files with Makefile rules. Backport-PR-URL: #27419 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Backport-PR-URL: #25688
Notable changes: - deps: - icu 63.1 bump (CLDR 34) (Steven R. Loomis) [#23715](#23715) - upgrade npm to 6.9.0 (Kat Marchán) [#26244](#26244) - upgrade openssl sources to 1.1.1a (Sam Roberts) [#25381](#25381) - upgrade to libuv 1.24.1 (cjihrig) [#25078](#25078) - events: add once method to use promises with EventEmitter (Matteo Collina) [#26078](#26078) - n-api: mark thread-safe function as stable (Gabriel Schulhof) [#25556](#25556) - repl: support top-level for-await-of (Shelley Vohr) [#23841](#23841) - zlib: - add brotli support (Anna Henningsen) [#24938](#24938) PR-URL: #27514
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:openssl_1_1_1.patch Original commit message: Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3 Upstream commits: commit 8dd8033 Author: Shigeki Ohtsu <[email protected]> Date: Wed Sep 12 17:34:24 2018 +0900 tls: workaround handshakedone in renegotiation `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called sending HelloRequest in OpenSSL-1.1.1. We need to check whether this is in a renegotiation state or not. Backport-PR-URL: nodejs#26270 PR-URL: nodejs#25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> commit 161dca7 Author: Sam Roberts <[email protected]> Date: Wed Nov 28 14:11:18 2018 -0800 tls: re-define max supported version as 1.2 Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: nodejs#24658 PR-URL: nodejs#25024 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Partial port, remain compatible with 1.0.2: commit 970ce14 Author: Shigeki Ohtsu <[email protected]> Date: Wed Mar 14 14:26:55 2018 +0900 crypto: remove deperecated methods of TLS version All version-specific methods were deprecated in OpenSSL 1.1.0 and min/max versions explicitly need to be set. This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now. crypto, constants: add constant of OpenSSL-1.1.0 Several constants for OpenSSL-1.1.0 engine were removed and renamed in OpenSSL-1.1.0. This added one renamed constant in order to have a compatible feature with that of OpenSSL-1.0.2. Other missed or new constants in OpenSSL-1.1.0 are not yet added. crypto,tls,constants: remove OpenSSL1.0.2 support This is semver-majar change so that we need not to have compatibilities with older versions. Fixes: nodejs#4270 PR-URL: nodejs#19794 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rod Vagg <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Signed-off-by: Su Baocheng <[email protected]>
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:openssl_1_1_1.patch Original commit message: Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3 Upstream commits: commit 8dd8033 Author: Shigeki Ohtsu <[email protected]> Date: Wed Sep 12 17:34:24 2018 +0900 tls: workaround handshakedone in renegotiation `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called sending HelloRequest in OpenSSL-1.1.1. We need to check whether this is in a renegotiation state or not. Backport-PR-URL: nodejs#26270 PR-URL: nodejs#25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> commit 161dca7 Author: Sam Roberts <[email protected]> Date: Wed Nov 28 14:11:18 2018 -0800 tls: re-define max supported version as 1.2 Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: nodejs#24658 PR-URL: nodejs#25024 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Partial port, remain compatible with 1.0.2: commit 970ce14 Author: Shigeki Ohtsu <[email protected]> Date: Wed Mar 14 14:26:55 2018 +0900 crypto: remove deperecated methods of TLS version All version-specific methods were deprecated in OpenSSL 1.1.0 and min/max versions explicitly need to be set. This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now. crypto, constants: add constant of OpenSSL-1.1.0 Several constants for OpenSSL-1.1.0 engine were removed and renamed in OpenSSL-1.1.0. This added one renamed constant in order to have a compatible feature with that of OpenSSL-1.0.2. Other missed or new constants in OpenSSL-1.1.0 are not yet added. crypto,tls,constants: remove OpenSSL1.0.2 support This is semver-majar change so that we need not to have compatibilities with older versions. Fixes: nodejs#4270 PR-URL: nodejs#19794 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rod Vagg <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Signed-off-by: Su Baocheng <[email protected]>
Most of this work comes from @shigeki, who got openssl 1.1.1 building and running across all Node's platforms.
Last time I tested this branch on ci it passed, and it passes locally.
I've done a fair amount of ABI testing, as well. It looks pretty compatible to me (as OpenSSL intended).
See #18770 (comment) (and around) for more information.
@nodejs/crypto , particularly @rvagg @shigeki
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes