FS#73268 - [nodejs] 17.3.0 is built with OpenSSL 1.1 and prevents binary packages from working

Attached to Project: Community Packages
Opened by Momtchil Momtchev (mmomtchev) - Wednesday, 05 January 2022, 18:35 GMT
Last edited by Toolybird (Toolybird) - Tuesday, 31 January 2023, 04:50 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Felix Yan (felixonmars)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Node.js 17.3.0 as included in Archlinux is a Frankenstein version, built against a shared version of OpenSSL 1.1

Normally, Node.js 17 should use OpenSSL 3.0 included as a static library

Why is it such a big deal if it works?

Because binary (native in Node lingo) modules come with prebuilt binaries for each Node ABI. Those built for Node 17 are built against the included OpenSSL 3 and won't work on ArchLinux.


Steps to reproduce:

Try to install a prebuilt native module which uses OpenSSL - I am the author of gdal-async (npm i gdal-async) and if you run the network unit tests you will get an unresolved symbol - SSL_CTX_load_verify_file - which does not exist in 1.1

Generally, my advice is to not distribute binary Node versions which are built in a substantially different way than the Nodesource distribution which should probably be your baseline.

Or maybe ask the core developers for an advice on that matter.
This task depends upon

Closed by  Toolybird (Toolybird)
Tuesday, 31 January 2023, 04:50 GMT
Reason for closing:  Fixed
Additional comments about closing:  Reporter says "Upgrading to OpenSSL 3 resolves this issue"
Comment by Momtchil Momtchev (mmomtchev) - Wednesday, 05 January 2022, 18:57 GMT
I have opened an issue in Node.js asking this question: https://github.com/nodejs/node/issues/41410
Comment by Momtchil Momtchev (mmomtchev) - Thursday, 06 January 2022, 12:42 GMT
Please, refer to https://github.com/nodejs/node/issues/41410#issuecomment-1006005145

If you want to continue building Node.js 17 with a shared version of OpenSSL 1.1.1m, you should request to be assigned an ABI identification number, so that native modules can identify this Node.js and eventually provide pre-built binaries for it.
Comment by Momtchil Momtchev (mmomtchev) - Tuesday, 11 January 2022, 13:23 GMT
Following the discussion in the Node.js issue, Node.js' core team position is that Node.js can be compiled with both OpenSSL 1.1 and OpenSSL 3.0 without breaking the ABI
Comment by Felix Yan (felixonmars) - Saturday, 28 January 2023, 09:55 GMT
As Arch has caught up with OpenSSL 3 and our nodejs package is built with it, I assume there's no more issue now?

Loading...