[v22.x] Update to OpenSSL 3.5 #59859
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Node.js 22 was released with OpenSSL 3.0 which had a default security level of 1. OpenSSL 3.2 bumped this to 2, but we need to fix this at 1 to minimize disruption to users of Node.js 22.x.
PR-URL: nodejs#59234 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
PR-URL: nodejs#59234 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
PR-URL: nodejs#59371 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: nodejs#59371 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
richardlau
added
openssl
|
Review requested:
|
nodejs-github-bot
added
dependencies
targos
approved these changes
Sep 11, 2025
panva
approved these changes
Sep 11, 2025
BridgeAR
approved these changes
Sep 11, 2025
marco-ippolito
approved these changes
Sep 11, 2025
|
@richardlau can we also backport it to v20? |
This comment was marked as outdated.
This comment was marked as outdated.
panva
added
the
commit-queue-rebase
This comment was marked as outdated.
This comment was marked as outdated.
I wasn't planning to as Node.js 20 will go End-of-Life before OpenSSL 3.0 does. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
4 tasks
richardlau
added a commit
that referenced
this pull request
Sep 16, 2025
Node.js 22 was released with OpenSSL 3.0 which had a default security level of 1. OpenSSL 3.2 bumped this to 2, but we need to fix this at 1 to minimize disruption to users of Node.js 22.x. PR-URL: #59859 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
richardlau
pushed a commit
that referenced
this pull request
Sep 16, 2025
PR-URL: #59234 Backport-PR-URL: #59859 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
richardlau
pushed a commit
that referenced
this pull request
Sep 16, 2025
PR-URL: #59234 Backport-PR-URL: #59859 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
richardlau
pushed a commit
that referenced
this pull request
Sep 16, 2025
PR-URL: #59371 Backport-PR-URL: #59859 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
richardlau
pushed a commit
that referenced
this pull request
Sep 16, 2025
PR-URL: #59371 Backport-PR-URL: #59859 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
|
Landed in b8870c4...98e399b |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an explicit backport to
v22.x-stagingof the OpenSSL 3.5 PRs:These all cherry-pick cleanly, but they are explicitly backported here for visibility.
Updating OpenSSL in Node.js 22.x is necessary for us to continue to support Node.js 22.x through to the planned End-of-Life date of 30 April 2027 as OpenSSL 3.0 goes out of support in September 2026.
The first commit is new and addresses concerns in #59715 by fixing the default security level to 1 to minimize disruption when updating to a newer version of Node.js 22 containing the OpenSSL 3.5 updates.
cc @nodejs/crypto @nodejs/releasers