Skip to content

src: enable compilation/linking with OpenSSL 4.0#62410

Open
panva wants to merge 2 commits intonodejs:mainfrom
panva:openssl4-compat
Open

src: enable compilation/linking with OpenSSL 4.0#62410
panva wants to merge 2 commits intonodejs:mainfrom
panva:openssl4-compat

Conversation

@panva
Copy link
Member

@panva panva commented Mar 23, 2026
edited
Loading

This does look into failing tests caused by removed ciphers or minimum dh levels changing. It updates what are clearly changed openssl error code expectations and makes it so that you can configure linking to openssl-4.0.0-alpha1, make, and end up with a binary.

./out/Release/node -p process.versions.openssl
4.0.0-alpha1

@panva panva requested a review from richardlau March 23, 2026 15:46
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 23, 2026

Review requested:

  • @nodejs/crypto
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. labels Mar 23, 2026
@panva
Copy link
Member Author

panva commented Mar 23, 2026
edited
Loading

Some failures checked locally 
➜  node git:(openssl4-compat) ✗ tools/test.py -j 0 crypto webcrypto tls http https

=== release test-tls-client-mindhsize ===                                     
Path: parallel/test-tls-client-mindhsize
node:events:486
      throw er; // Unhandled 'error' event
      ^

Error [ERR_TLS_DH_PARAM_SIZE]: DH parameter size 2048 is less than 2048
    at TLSSocket.onConnectSecure (node:internal/tls/wrap:1644:17)
    at TLSSocket.emit (node:events:508:20)
    at TLSSocket._finishInit (node:internal/tls/wrap:1097:8)
    at ssl.onhandshakedone (node:internal/tls/wrap:883:12)
Emitted 'error' event on TLSSocket instance at:
    at TLSSocket.onConnectSecure (node:internal/tls/wrap:1646:10)
    at TLSSocket.emit (node:events:508:20)
    at TLSSocket._finishInit (node:internal/tls/wrap:1097:8)
    at ssl.onhandshakedone (node:internal/tls/wrap:883:12) {
  code: 'ERR_TLS_DH_PARAM_SIZE'
}

Node.js v26.0.0-pre
Command: out/Release/node --expose-internals /repo/node/test/parallel/test-tls-client-mindhsize.js


=== release test-tls-client-getephemeralkeyinfo ===                           
Path: parallel/test-tls-client-getephemeralkeyinfo
node:internal/assert/utils:146
  throw error;
  ^

AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:

2048 !== 3072

    at TLSSocket.<anonymous> (/repo/node/test/parallel/test-tls-client-getephemeralkeyinfo.js:63:14)
    at TLSSocket.<anonymous> (/repo/node/test/common/index.js:507:15)
    at Object.onceWrapper (node:events:622:28)
    at TLSSocket.emit (node:events:520:22)
    at TLSSocket.onConnectSecure (node:internal/tls/wrap:1688:8)
    at TLSSocket.emit (node:events:508:20)
    at TLSSocket._finishInit (node:internal/tls/wrap:1097:8)
    at ssl.onhandshakedone (node:internal/tls/wrap:883:12) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: 2048,
  expected: 3072,
  operator: 'strictEqual',
  diff: 'simple'
}

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-client-getephemeralkeyinfo.js


=== release test-tls-client-auth ===                                          
Path: parallel/test-tls-client-auth
(node:70954) [DEP0060] DeprecationWarning: The `util._extend` API is deprecated. Please use Object.assign() instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
node:internal/assert/utils:146
  throw error;
  ^

AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
+ actual - expected

+ 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE'
- 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE'
           ^

    at /repo/node/test/parallel/test-tls-client-auth.js:87:10
    at /repo/node/test/common/index.js:507:15
    at /repo/node/test/common/index.js:507:15
    at maybeCallback (/repo/node/test/fixtures/tls-connect.js:97:7)
    at TLSSocket.<anonymous> (/repo/node/test/fixtures/tls-connect.js:73:13)
    at TLSSocket.emit (node:events:508:20)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE',
  expected: 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE',
  operator: 'strictEqual',
  diff: 'simple'
}

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-client-auth.js


=== release test-tls-dhe ===                                              
Path: parallel/test-tls-dhe
node:internal/assert/utils:146
  throw error;
  ^

AssertionError [ERR_ASSERTION]: The expression evaluated to a falsy value:

  assert(stdout.includes(`Cipher    : ${expectedCipher}`))

    at /repo/node/test/parallel/test-tls-dhe.js:92:7
    at /repo/node/test/common/index.js:472:17
    at /repo/node/test/common/index.js:507:15
    at ChildProcess.exithandler (node:child_process:410:7)
    at ChildProcess.emit (node:events:508:20)
    at maybeClose (node:internal/child_process:1108:16)
    at Socket.<anonymous> (node:internal/child_process:480:11)
    at Socket.emit (node:events:508:20)
    at Pipe.<anonymous> (node:net:350:12) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: false,
  expected: true,
  operator: '==',
  diff: 'simple'
}

Node.js v26.0.0-pre
Command: out/Release/node --no-warnings --expose-internals /repo/node/test/parallel/test-tls-dhe.js


=== release test-tls-ecdh-multiple ===                       
Path: parallel/test-tls-ecdh-multiple
node:internal/tls/secure-context:252
  context.setECDHCurve(ecdhCurve);
          ^

Error: Failed to set ECDH curve
    at configSecureContext (node:internal/tls/secure-context:252:11)
    at Object.createSecureContext (node:internal/tls/common:114:3)
    at Server.setSecureContext (node:internal/tls/wrap:1510:27)
    at new Server (node:internal/tls/wrap:1374:8)
    at Object.createServer (node:internal/tls/wrap:1409:10)
    at Object.<anonymous> (/repo/node/test/parallel/test-tls-ecdh-multiple.js:37:20)
    at Module._compile (node:internal/modules/cjs/loader:1829:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1969:10)
    at Module.load (node:internal/modules/cjs/loader:1552:32)
    at Module._load (node:internal/modules/cjs/loader:1354:12) {
  code: 'ERR_CRYPTO_OPERATION_FAILED'
}

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-ecdh-multiple.js


=== release test-tls-empty-sni-context ===                           
Path: parallel/test-tls-empty-sni-context
node:internal/assert/utils:146
  throw error;
  ^

AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
+ actual - expected

+ 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE'
- 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE'
           ^

    at TLSSocket.<anonymous> (/repo/node/test/parallel/test-tls-empty-sni-context.js:31:12)
    at TLSSocket.<anonymous> (/repo/node/test/common/index.js:507:15)
    at TLSSocket.emit (node:events:508:20)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE',
  expected: 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE',
  operator: 'strictEqual',
  diff: 'simple'
}

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-empty-sni-context.js


=== release test-tls-error-stack ===                        
Path: parallel/test-tls-error-stack
node:assert:573
    throw err;
    ^

AssertionError [ERR_ASSERTION]: The validation function is expected to return "true". Received false

Caught error:

Error [ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED]: Custom engines not supported by this OpenSSL
    at Object.<anonymous> (/repo/node/test/parallel/test-tls-error-stack.js:11:8)
    at Module._compile (node:internal/modules/cjs/loader:1829:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1969:10)
    at Module.load (node:internal/modules/cjs/loader:1552:32)
    at Module._load (node:internal/modules/cjs/loader:1354:12)
    at wrapModuleLoad (node:internal/modules/cjs/loader:255:19)
    at Module.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:154:5)
    at node:internal/main/run_main_module:33:47 {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: Error [ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED]: Custom engines not supported by this OpenSSL
      at configSecureContext (node:internal/tls/secure-context:298:13)
      at Object.createSecureContext (node:internal/tls/common:114:3)
      at /repo/node/test/parallel/test-tls-error-stack.js:12:7
      at getActual (node:assert:580:5)
      at assert.throws (node:assert:728:24)
      at Object.<anonymous> (/repo/node/test/parallel/test-tls-error-stack.js:11:8)
      at Module._compile (node:internal/modules/cjs/loader:1829:14)
      at Module._extensions..js (node:internal/modules/cjs/loader:1969:10)
      at Module.load (node:internal/modules/cjs/loader:1552:32)
      at Module._load (node:internal/modules/cjs/loader:1354:12) {
    code: 'ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED'
  },
  expected: [Function (anonymous)],
  operator: 'throws',
  diff: 'simple'
}

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-error-stack.js


=== release test-tls-ocsp-callback ===                                        
Path: parallel/test-tls-ocsp-callback
/repo/node/test/parallel/test-tls-ocsp-callback.js:93
        assert.strictEqual(resp.toString(), testOptions.response);
                                ^

TypeError: Cannot read properties of null (reading 'toString')
    at TLSSocket.<anonymous> (/repo/node/test/parallel/test-tls-ocsp-callback.js:93:33)
    at TLSSocket.<anonymous> (/repo/node/test/common/index.js:507:15)
    at TLSSocket.emit (node:events:508:20)
    at TLSWrap.onocspresponse (node:internal/tls/wrap:459:22)

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-ocsp-callback.js


=== release test-tls-psk-circuit ===                                          
Path: parallel/test-tls-psk-circuit
node:internal/assert/utils:146
  throw error;
  ^

AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
+ actual - expected

+ 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE'
- 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE'
           ^

    at TLSSocket.<anonymous> (/repo/node/test/parallel/test-tls-psk-circuit.js:54:16)
    at TLSSocket.<anonymous> (/repo/node/test/common/index.js:507:15)
    at TLSSocket.emit (node:events:508:20)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE',
  expected: 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE',
  operator: 'strictEqual',
  diff: 'simple'
}

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-psk-circuit.js


=== release test-tls-set-ciphers-error ===                                    
Path: parallel/test-tls-set-ciphers-error
node:internal/assert/utils:146
  throw error;
  ^

AssertionError [ERR_ASSERTION]: Missing expected exception.
    at Object.<anonymous> (/repo/node/test/parallel/test-tls-set-ciphers-error.js:17:10)
    at Module._compile (node:internal/modules/cjs/loader:1829:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1969:10)
    at Module.load (node:internal/modules/cjs/loader:1552:32)
    at Module._load (node:internal/modules/cjs/loader:1354:12)
    at wrapModuleLoad (node:internal/modules/cjs/loader:255:19)
    at Module.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:154:5)
    at node:internal/main/run_main_module:33:47 {
  generatedMessage: false,
  code: 'ERR_ASSERTION',
  actual: undefined,
  expected: /no[_ ]cipher[_ ]match/i,
  operator: 'throws',
  diff: 'simple'
}

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-set-ciphers-error.js


=== release test-tls-set-ciphers ===                                          
Path: parallel/test-tls-set-ciphers
test: AES256-SHA 9 expect U U ERR_INVALID_ARG_TYPE
   (/repo/node/test/parallel/test-tls-set-ciphers.js:140:1)
client undefined
server ERR_INVALID_ARG_TYPE
test: AES256-SHA : expect U U ERR_INVALID_ARG_VALUE
   (/repo/node/test/parallel/test-tls-set-ciphers.js:142:1)
client undefined
server ERR_INVALID_ARG_VALUE
test: 9 AES256-SHA expect U ERR_INVALID_ARG_TYPE U
   (/repo/node/test/parallel/test-tls-set-ciphers.js:139:1)
client ERR_INVALID_ARG_TYPE
server undefined
test: : AES256-SHA expect U ERR_INVALID_ARG_VALUE U
   (/repo/node/test/parallel/test-tls-set-ciphers.js:141:1)
client ERR_INVALID_ARG_VALUE
server undefined
test: AES256-SHA AES256-SHA256 expect U ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE ERR_SSL_NO_SHARED_CIPHER
   (/repo/node/test/parallel/test-tls-set-ciphers.js:109:1)
client ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE
server ERR_SSL_NO_SHARED_CIPHER
(node:71167) [DEP0060] DeprecationWarning: The `util._extend` API is deprecated. Please use Object.assign() instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
node:internal/assert/utils:146
  throw error;
  ^

AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
+ actual - expected

+ 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE'
- 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE'
           ^

    at /repo/node/test/parallel/test-tls-set-ciphers.js:62:16
    at /repo/node/test/common/index.js:507:15
    at /repo/node/test/common/index.js:507:15
    at maybeCallback (/repo/node/test/fixtures/tls-connect.js:97:7)
    at TLSSocket.<anonymous> (/repo/node/test/fixtures/tls-connect.js:73:13)
    at TLSSocket.emit (node:events:508:20)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE',
  expected: 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE',
  operator: 'strictEqual',
  diff: 'simple'
}

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-set-ciphers.js


=== release test-tls-set-sigalgs ===                                          
Path: parallel/test-tls-set-sigalgs
(node:71309) [DEP0060] DeprecationWarning: The `util._extend` API is deprecated. Please use Object.assign() instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
node:internal/assert/utils:146
  throw error;
  ^

AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
+ actual - expected

+ 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE'
- 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE'
           ^

    at /repo/node/test/parallel/test-tls-set-sigalgs.js:54:16
    at /repo/node/test/common/index.js:507:15
    at /repo/node/test/common/index.js:507:15
    at maybeCallback (/repo/node/test/fixtures/tls-connect.js:97:7)
    at TLSSocket.<anonymous> (/repo/node/test/fixtures/tls-connect.js:73:13)
    at TLSSocket.emit (node:events:508:20)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: 'ERR_SSL_TLS_ALERT_HANDSHAKE_FAILURE',
  expected: 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE',
  operator: 'strictEqual',
  diff: 'simple'
}

Node.js v26.0.0-pre
Command: out/Release/node /repo/node/test/parallel/test-tls-set-sigalgs.js




Failed tests:
out/Release/node --expose-internals /repo/node/test/parallel/test-tls-client-mindhsize.js
out/Release/node /repo/node/test/parallel/test-tls-client-getephemeralkeyinfo.js
out/Release/node /repo/node/test/parallel/test-tls-client-auth.js
out/Release/node --no-warnings --expose-internals /repo/node/test/parallel/test-tls-dhe.js
out/Release/node /repo/node/test/parallel/test-tls-ecdh-multiple.js
out/Release/node /repo/node/test/parallel/test-tls-empty-sni-context.js
out/Release/node /repo/node/test/parallel/test-tls-error-stack.js
out/Release/node /repo/node/test/parallel/test-tls-ocsp-callback.js
out/Release/node /repo/node/test/parallel/test-tls-psk-circuit.js
out/Release/node /repo/node/test/parallel/test-tls-set-ciphers-error.js
out/Release/node /repo/node/test/parallel/test-tls-set-ciphers.js
out/Release/node /repo/node/test/parallel/test-tls-set-sigalgs.js

@panva panva marked this pull request as ready for review March 23, 2026 15:50
@panva panva added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 23, 2026
@panva
Copy link
Member Author

panva commented Mar 23, 2026

Let's see what CI will have to say about backwards compat.

@panva panva removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 23, 2026
@codecov
Copy link

codecov bot commented Mar 23, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.69%. Comparing base (8199f9c) to head (26b1939).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62410      +/-   ##
==========================================
- Coverage   89.69%   89.69%   -0.01%     
==========================================
  Files         676      676              
  Lines      206693   206710      +17     
  Branches    39577    39583       +6     
==========================================
+ Hits       185402   185406       +4     
- Misses      13435    13441       +6     
- Partials     7856     7863       +7

see 35 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@panva panva added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anonrig anonrig anonrig approved these changes

@tniessen tniessen tniessen approved these changes

@richardlau richardlau richardlau approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. request-ci Add this label to start a Jenkins CI on a PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@panva @nodejs-github-bot @anonrig @tniessen @richardlau