[v22.x] Update to OpenSSL 3.5#59859
Closed
richardlau wants to merge 5 commits intonodejs:v22.x-stagingnodejs/node:v22.x-stagingfrom
Closed
[v22.x] Update to OpenSSL 3.5#59859richardlau wants to merge 5 commits intonodejs:v22.x-stagingnodejs/node:v22.x-stagingfrom
richardlau wants to merge 5 commits intonodejs:v22.x-stagingnodejs/node:v22.x-stagingfrom
Conversation
Node.js 22 was released with OpenSSL 3.0 which had a default security level of 1. OpenSSL 3.2 bumped this to 2, but we need to fix this at 1 to minimize disruption to users of Node.js 22.x.
PR-URL: nodejs#59234 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
PR-URL: nodejs#59234 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
PR-URL: nodejs#59371 Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
PR-URL: nodejs#59371 Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Collaborator
|
Review requested:
|
Collaborator
targos
approved these changes
Sep 11, 2025
panva
approved these changes
Sep 11, 2025
BridgeAR
approved these changes
Sep 11, 2025
marco-ippolito
approved these changes
Sep 11, 2025
Member
|
@richardlau can we also backport it to v20? |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Member
Author
I wasn't planning to as Node.js 20 will go End-of-Life before OpenSSL 3.0 does. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Collaborator
4 tasks
richardlau
added a commit
that referenced
this pull request
Sep 16, 2025
Node.js 22 was released with OpenSSL 3.0 which had a default security level of 1. OpenSSL 3.2 bumped this to 2, but we need to fix this at 1 to minimize disruption to users of Node.js 22.x. PR-URL: #59859 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
richardlau
pushed a commit
that referenced
this pull request
Sep 16, 2025
PR-URL: #59234 Backport-PR-URL: #59859 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
richardlau
pushed a commit
that referenced
this pull request
Sep 16, 2025
PR-URL: #59234 Backport-PR-URL: #59859 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Member
Author
|
Landed in b8870c4...98e399b |
richardlau
pushed a commit
that referenced
this pull request
Sep 22, 2025
Notable changes: crypto: * update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571 deps: * fix OpenSSL security level at 1 (Richard Lau) #59859 * upgrade openssl sources to openssl-3.5.2 (Node.js GitHub Bot) #59371 doc: * stabilize --disable-sigusr1 (Rafael Gonzaga) #59707 * mark `path.matchesGlob` as stable (Aviv Keller) #59572 http: * (SEMVER-MINOR) add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #59315 http2: * (SEMVER-MINOR) add support for raw header arrays in h2Stream.respond() (Tim Perry) #59455 inspector: * add http2 tracking support (Darshan Sen) #59611 sea: * (SEMVER-MINOR) implement execArgvExtension (Joyee Cheung) #59560 * (SEMVER-MINOR) support execArgv in sea config (Joyee Cheung) #59314 stream: * (SEMVER-MINOR) add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #59464 test_runner: * (SEMVER-MINOR) support object property mocking (Idan Goshen) #58438 worker: * (SEMVER-MINOR) add cpu profile APIs for worker (theanarkh) #59428 PR-URL: #59973
richardlau
pushed a commit
that referenced
this pull request
Sep 24, 2025
Notable changes: crypto: * update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571 deps: * fix OpenSSL security level at 1 (Richard Lau) #59859 * upgrade openssl sources to openssl-3.5.2 (Node.js GitHub Bot) #59371 doc: * stabilize --disable-sigusr1 (Rafael Gonzaga) #59707 * mark `path.matchesGlob` as stable (Aviv Keller) #59572 http: * (SEMVER-MINOR) add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #59315 http2: * (SEMVER-MINOR) add support for raw header arrays in h2Stream.respond() (Tim Perry) #59455 inspector: * add http2 tracking support (Darshan Sen) #59611 sea: * (SEMVER-MINOR) implement execArgvExtension (Joyee Cheung) #59560 * (SEMVER-MINOR) support execArgv in sea config (Joyee Cheung) #59314 stream: * (SEMVER-MINOR) add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #59464 test_runner: * (SEMVER-MINOR) support object property mocking (Idan Goshen) #58438 worker: * (SEMVER-MINOR) add cpu profile APIs for worker (theanarkh) #59428 PR-URL: #59973
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an explicit backport to
v22.x-stagingof the OpenSSL 3.5 PRs:These all cherry-pick cleanly, but they are explicitly backported here for visibility.
Updating OpenSSL in Node.js 22.x is necessary for us to continue to support Node.js 22.x through to the planned End-of-Life date of 30 April 2027 as OpenSSL 3.0 goes out of support in September 2026.
The first commit is new and addresses concerns in #59715 by fixing the default security level to 1 to minimize disruption when updating to a newer version of Node.js 22 containing the OpenSSL 3.5 updates.
cc @nodejs/crypto @nodejs/releasers