Node.js 11.x has been updated to OpenSSL 1.1.1a from 1.1.0 (read more), and an update in Node.js 10.x is expected soon. Why did we move forward with this change? It was important to pull in OpenSSL 1.1.1. because without an update of OpenSSL in Node.js 10.x, it would be difficult to stick to the standard long-term support (LTS) lifecycle with 30 months of support.
This blog post discusses the unusual situation we are in with respect to conflicting OpenSSL and Node.js LTS policies, and how we plan to resolve it.
Node.js depends on some major projects, such as V8 and OpenSSL. These projects have their own maintenance and release schedules, particularly with respect to LTS support. The Node.js project can’t take on support for all its dependencies. This means we need to depend on the support provided by the communities building those dependencies. In turn, this sets some limits on what we can do.
The OpenSSL policy states that:
- OpenSSL 1.0.2 will be end-of-life after 2019-12-31.
- OpenSSL 1.1.0 will be end-of-life after 2019-09-11.
OpenSSL 1.0.2 is supported longer than OpenSSL 1.1.0 because it was designated an LTS release, and got 5 years of support.
The Node.js policy states that:
- Node.js 6.x will be end-of-life after 2019-04-31.
- Node.js 8.x will be end-of-life after 2019-12-31.
- Node.js 10.x will be end-of-life after 2021-04-31.
- Node.js 12.x will be end-of-life after 2022-04-31.
The versions of OpenSSL in the LTS branches are currently:
- Node.js 6.17.0 – OpenSSL 1.0.2r
- Node.js 8.15.1 – OpenSSL 1.0.2r
- Node.js 10.15.3 – OpenSSL 1.1.0j
Our plan for Node 8.x and Node 10.x
You can see that the end-of-life date for Node.js 8.x is unusual. It would normally have been end-of-life on 2020-04-31, but we had to cut that short because OpenSSL 1.0.2 will not be supported that long. We only cut it short by four months, so we hope it has a limited impact on the community.
You can also see that Node.js 10.x is supposed to be end-of-life on 2021-04-31, but it uses OpenSSL 1.1.0 which is end-of-life on 2019-09-11. This is a year and a half earlier than we want, much more serious than the situation with Node.js 8.x.
Don’t worry; we have a plan.
While it isn’t listed above, OpenSSL 1.1.1 is expected to be designated an LTS release before the end of 2019, which will mean it will get 5 years of support. It is also both API and ABI compatible with OpenSSL 1.1.0. Our plan is to upgrade Node.js 10.x from OpenSSL 1.1.0 to 1.1.1. The expected release date for this is the 2019-04 semver-minor update to Node.js 10.x.
We wouldn’t normally make such a major update to an important dependency like OpenSSL during an LTS period, but we don’t have much choice in this case. It’s the best option for both our consumers and the Node.js project itself.
OpenSSL 1.1.1 was updated in Node.js 11.9.0, well into the 11.x lifetime, and we have so far had no reports of issues. This makes us confident that the update in 10.x will also go mostly unnoticed.
OpenSSL 1.1.1’s strategic importance
The LTS policy isn’t the only reason that OpenSSL 1.1.1 is strategically important. There are a number of other reasons, including:
- It will allow TLS1.3 to be supported. We’re going to post about that soon, but see the TLS1.3 support pull request to follow along with the work.
- It will provide a path for FIPS support. OpenSSL has FIPS support for 1.1.1 in their roadmap and are predicting its release some time by the end of 2019.
Getting OpenSSL 1.1.1 landed was a lot of work, but it was quite interesting and was a good way to ramp up on the integration of OpenSSL in Node.js. I’m looking forward to helping out more on the OpenSSL front in the Node.js project going forward.