-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deps: update openssl to OpenSSL 3.0.2 #42356
deps: update openssl to OpenSSL 3.0.2 #42356
Conversation
This updates all sources in deps/openssl/openssl by: $ git clone [email protected]:quictls/openssl.git $ cd openssl $ cd ../node/deps/openssl $ rm -rf openssl $ cp -R ../openssl openssl $ rm -rf openssl/.git* openssl/.travis* $ git add --all openssl $ git commit openssl
After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl $ git commit
Last OpenSSL 3 update changes behaviour back to be closer to that of OpenSSL 1.1.1. Remove some instances where we expected different errors from OpenSSL 3 versus OpenSSL 1.1.1. Signed-off-by: Michael Dawson <[email protected]>
@mhdawson @richardlau |
|
This comment was marked as outdated.
This comment was marked as outdated.
Fast-track has been requested by @richardlau. Please 👍 to approve. |
node/doc/contributing/collaborator-guide.md Lines 513 to 514 in a199387
Looking at d37dceb, it looks like tests would not be passing for e06c733 and/or 3361921. Should we add a first commit to disable the failing test (before the OpenSSL update) and re-enable it in a follow up commit? |
This is a tricky one for OpenSSL because as long as I can remember we've always split the OpenSSL updates into two commits, one to update the sources and a second to regen the config files, and the first commit isn't buildable without the second. I've no preference either way regarding the test in the third commit. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RSLGTM
I'm currently refreshing the CI machines to update the sharedlibs containers to OpenSSL 3.0.2 to fix the failing linked-openssl300 build. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RSLGTM
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I think we might want to adjust the text saying all commits must pass all tests, for something like an OpenSSL update I see value in them being separate in terms of understanding/being able to recreate. A PR to update the text would be a good place to have that discussion and see if we want to update the OpenSSL patch generation process but that should not be part of getting the security releases out. |
Landed in f4b7f6d...f1b6d87 |
This updates all sources in deps/openssl/openssl by: $ git clone [email protected]:quictls/openssl.git $ cd openssl $ cd ../node/deps/openssl $ rm -rf openssl $ cp -R ../openssl openssl $ rm -rf openssl/.git* openssl/.travis* $ git add --all openssl $ git commit openssl PR-URL: #42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl $ git commit PR-URL: #42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
Last OpenSSL 3 update changes behaviour back to be closer to that of OpenSSL 1.1.1. Remove some instances where we expected different errors from OpenSSL 3 versus OpenSSL 1.1.1. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
This updates all sources in deps/openssl/openssl by: $ git clone [email protected]:quictls/openssl.git $ cd openssl $ cd ../node/deps/openssl $ rm -rf openssl $ cp -R ../openssl openssl $ rm -rf openssl/.git* openssl/.travis* $ git add --all openssl $ git commit openssl PR-URL: #42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl $ git commit PR-URL: #42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
Last OpenSSL 3 update changes behaviour back to be closer to that of OpenSSL 1.1.1. Remove some instances where we expected different errors from OpenSSL 3 versus OpenSSL 1.1.1. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
This updates all sources in deps/openssl/openssl by: $ git clone [email protected]:quictls/openssl.git $ cd openssl $ cd ../node/deps/openssl $ rm -rf openssl $ cp -R ../openssl openssl $ rm -rf openssl/.git* openssl/.travis* $ git add --all openssl $ git commit openssl PR-URL: nodejs#42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl $ git commit PR-URL: nodejs#42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
Last OpenSSL 3 update changes behaviour back to be closer to that of OpenSSL 1.1.1. Remove some instances where we expected different errors from OpenSSL 3 versus OpenSSL 1.1.1. Signed-off-by: Michael Dawson <[email protected]> PR-URL: nodejs#42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
Updated openssl dep to openssl-3.0.2+quic using the maintenance guide.
Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html