deps: fix OpenSSL security level at 1

richardlau · richardlau · commit 24762a10ca9b · 2025-09-16T13:57:54.000Z
Node.js 22 was released with OpenSSL 3.0 which had a default security level of 1. OpenSSL 3.2 bumped this to 2, but we need to fix this at 1 to minimize disruption to users of Node.js 22.x. PR-URL: #59859 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp
@@ -26,6 +26,7 @@
         # is able to create a malicious DLL in one of the default search paths.
         'OPENSSL_NO_HW',
         'OPENSSL_API_COMPAT=0x10100001L',
+        'OPENSSL_TLS_SECURITY_LEVEL=1',
         'STATIC_LEGACY',
         #'OPENSSL_NO_DEPRECATED',
       ],
@@ -62,6 +63,7 @@
       'include_dirs+': ['openssl/apps/include'],
       'defines': [
         'OPENSSL_API_COMPAT=0x10100001L',
+        'OPENSSL_TLS_SECURITY_LEVEL=1',
         #'OPENSSL_NO_DEPRECATED',
       ],
       'conditions': [
diff --git a/node.gypi b/node.gypi
@@ -380,7 +380,10 @@
       'defines': [ 'HAVE_OPENSSL=1' ],
       'conditions': [
         [ 'node_shared_openssl=="false"', {
-          'defines': [ 'OPENSSL_API_COMPAT=0x10100000L', ],
+          'defines': [
+            'OPENSSL_API_COMPAT=0x10100000L',
+            'OPENSSL_TLS_SECURITY_LEVEL=1',
+          ],
           'dependencies': [
             './deps/openssl/openssl.gyp:openssl',
 
diff --git a/test/parallel/test-openssl-default-seclevel.js b/test/parallel/test-openssl-default-seclevel.js
@@ -0,0 +1,16 @@
+// Flags: --expose-internals
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+if (process.config.variables.node_shared_openssl)
+  common.skip('not applicable when dynamically linked to OpenSSL');
+
+const secLevel = require('internal/crypto/util').getOpenSSLSecLevel();
+const assert = require('assert');
+
+// Node.js 22 was released with OpenSSL 3.0 which had a default security
+// level of 1. OpenSSL 3.2 bumped this to 2, but we need to fix this at
+// 1 to minimize disruption to users of Node.js 22.x.
+assert.strictEqual(secLevel, 1);
