-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
2024-11-12, Version 18.20.5 'Hydrogen' (LTS) #55768
Conversation
Refs: #53212 (comment) PR-URL: #53233 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]>
Headers in nodejs can be arrays and current workaround for content-disposition header do not take this into account. This change fixes that and makes sure array values are handled properly. PR-URL: #50977 Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Matteo Collina <[email protected]>
Starting from OpenSSL 3.0.14, 3.1.6, 3.2.2, and 3.3.1, OpenSSL was fixed to return an error reason string for bad/unknown application protocols. Update tests to handle both the old `ECONNRESET` error on older versions of OpenSSL and the new `ERR_SSL_TLSV1_ALERT_NO_APPLICATION_PROTOCOL` on newer versions of OpenSSL. Refs: openssl/openssl#24338 PR-URL: #53373 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
Previously the test assumes that when the queued finalizer is run, it must be run at a point where env->can_call_into_js() is false (typically, during Environment shutdown), which is not certain. If GC kicks in early and the second pass finalizer is queued before the event loop runs the check callbacks, the finalizer would then be called in check callbacks (via native immediates), where the finalizer can still call into JS. Essentially, addons can't make assumptions about where the queued finalizer would be called. This patch updates the assertions in the test to account for that. PR-URL: #51898 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]>
Report the version of OpenSSL that Node.js is running with instead of the version of OpenSSL that Node.js was compiled against. PR-URL: #53456 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Update the following TLS tests to account for error code changes in OpenSSL 3.2 and later. - `parallel/test-tls-empty-sni-context` - `parallel/test-tls-psk-circuit` PR-URL: #53384 Refs: #53382 Refs: openssl/openssl#19950 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Mohammed Keyvanzadeh <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]>
Update `common.hasOpenSSL3*` to check against the run-time version of OpenSSL instead of the version of OpenSSL that Node.js was compiled against. Add a generalized `common.hasOpenSSL()` so we do not need to keep adding new checks for each new major/minor of OpenSSL. PR-URL: #53456 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Update tests to allow for a slight change to the TLS trace messages starting from OpenSSL 3.2. Refs: openssl/openssl@45aac10 PR-URL: #53229 Reviewed-By: Tim Perry <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Ulises Gascón <[email protected]>
Use `asset.strictEqual()` and `asset.deepStrictEqual()` in `test/parallel/test-tls-set-sigalgs.js`. PR-URL: #54208 Reviewed-By: Jake Yuesong Li <[email protected]> Reviewed-By: Daeyeon Jeong <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]>
Refs: #53382 Refs: #53384 Same change as in 53384 where OpenSSL32 returns a slightly different error but for a different test. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #54610 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Update `parallel/test-tls-set-sigalgs` to account for error code changes in OpenSSL 3.2 and later. PR-URL: #54612 Refs: #53384 Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]>
Refs: #44498 Refs: #53382 Key sizes were increased to 2048 in PR 44498 including the configuration file for the generation of ca2-cert.pem. However, it seems like updating ca2-cert.pem and related files themselves were missed as they were not updated in the PR and the ca2-cert.pem reported as being associated with a 1024 bit key. I believe that was the cause of some of the failures mentioned in #53382 as OpenSSL 3.2 increased the default security level from 1 to 2 and that would mean that certificates associated with keys of 1024 bits would no longer be accepted. This PR updates the key size for ca2-cert.pem. It was not necessary to change the config, only run the generation for the ca2-cert.pem and related files. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #54599 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]>
Refs: #53382 - OpenSSL32 has a minimum dh key size by 2048 by default. - Create larter 3072 dh key needed for testing and adjust tests to use it for builds with OpenSSL32 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #54739 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]>
Refs: #53382 - OpenSSL32 has a minimum dh key size by 2048 by default. - Adjust test to use larger 3072 key instead of 1024 when OpenSSL32 is present. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #54903 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]>
Refs: #53382 Looks like test is forcing an error through bad data and the error code we get is different for OpenSSL32. Adjust test to cope with the variation across versions. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #54909 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]>
Refs: #53382 OpenSSL32 returns different error text. Looking through the test it seems like the expected error text has been adjusted for different OpenSSL versions in the past and what the test is testing is not related to the error being returned. Update test to allow for error returned by OpenSSL32 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #54926 Refs: #53382 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
fixes: #52097 PR-URL: #52340 Fixes: #52097 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Fixes: #53742 PR-URL: #53774 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Refs: #53382 This test fails on OpenSSL32 because it complains the key being used is too short. It seems to have been missed when the test suite was udpated to have a Makefile to generate key material as the keys are hard coded in the test as opposed to being read in from the fixtures/key directory. Update the test to use keys/certs from the fixtures directory and to remove newlines at the end of the key and cert to retain the inteded test. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #54968 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Refs: #53382 This test fails on OpenSSL32 because it complains the key being used is too short. Adjust the key sizes so that they will pass on OpenSSL32 in addition to other OpenSSL3 versions. Since the keys are not public key related I don't think the increase in key size will be too bad in terms of performance so I've just increased versus guarding for OpenSSL32 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #54972 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Refs: #54968 Refs: #53382 Add additional asserts as suggestd by Richard in: #54968 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #54997 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Refs: #53382 The test failed as it was using AES128 which is not supported in OpenSSL32 due to default security level and because some error messages have changed. Adjusted to use AES256 where it made sense and not run tests on OpenSSL32 where test was specific to AES128. Adjust to use the expected error messages based on version. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #55016 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: James M Snell <[email protected]>
Refs: #53382 OpenSSL32 does not support AES128 and DH 1024 to update test to use newer algorithms. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #55030 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]>
As per the original pull request that introduced the OpenSSL version check in `parallel/test-crypto-dh`: ``` Error message change is test-only and uses the right error message for versions >=3.0.12 in 3.0.x and >= 3.1.4 in 3.1.x series. ``` Fix the check so that: - The older message is expected for OpenSSL 3.1.0. - The newer message is expected for OpenSSL from 3.1.4 (e.g. 3.2.x). Refs: #50395 PR-URL: #53503 Refs: #53382 Reviewed-By: Luigi Pinca <[email protected]>
Refs: #53382 TLS spec seems to indicate there should should be a response sent when TLS handshake fails. See https://datatracker.ietf.org/doc/html/rfc8446#page-85 When compiled with OpenSSL32 we see the the following response '15 03 03 00 02 02 16' which decodes as a fatal (0x02) TLS error alert number 22 (0x16). which corresponds to TLS1_AD_RECORD_OVERFLOW which matches the error we see if NODE_DEBUG is turned on once you get through the define aliases. If there is a response from the server the test used to hang because the end event will not be emitted until after the response is consumed. This PR fixes the test so it consumes the response. Some earlier OpenSSL versions did not seem to send a response but the error handling seems to have been re-written/improved in OpenSSL32. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #55089 Refs: #52482 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Jithil P Ponnan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #54038 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Joyee Cheung <[email protected]> Reviewed-By: Mohammed Keyvanzadeh <[email protected]> Reviewed-By: Franziska Hinkelmann <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #52878 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Ulises Gascón <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michaël Zasso <[email protected]>
PR-URL: #55349 Refs: nodejs/Release#999 Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Richard Lau <[email protected]>
PR-URL: #50380 Reviewed-By: Jiawen Geng <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]>
PR-URL: #50380 Reviewed-By: Jiawen Geng <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
😡 https://ci.nodejs.org/job/node-test-commit-linuxone/nodes=rhel9-s390x/46737/console 21:37:43 Error: connect ENETUNREACH 2606:50c0:8003::154:443
21:37:43 at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1555:16) {
21:37:43 errno: -101,
21:37:43 code: 'ENETUNREACH',
21:37:43 syscall: 'connect',
21:37:43 address: '2606:50c0:8003::154',
21:37:43 port: 443
21:37:43 } is almost certainly nodejs/build#3950 which annoyingly was not happening on the |
I've extended nodejs/build#3952 to the rhel9-s390x machines. |
I'm not sure what went wrong and I don't care but the author of this change e9e3306426 is me. |
My bad! I have honestly no idea how it happened |
Notable changes: esm: * mark import attributes and JSON module as stable (Nicolò Ribaudo) nodejs#55333 PR-URL: nodejs#55768
c2e6a8f215
] - benchmark: fix napi/ref addon (Michaël Zasso) #532334c2e07aaac
] - build: pin doc workflow to Node.js 20 (Richard Lau) #557556ba4ebd060
] - build: fix build with Python 3.12 (Luigi Pinca) #50582c50f01399e
] - crypto: ensure invalid SubtleCrypto JWK data import results in DataError (Filip Skokan) #550415c46782137
] - crypto: make deriveBits length parameter optional and nullable (Filip Skokan) #536016e7274fa53
] - crypto: reject dh,x25519,x448 in {Sign,Verify}Final (Huáng Jùnliàng) #53774d2442044db
] - crypto: reject Ed25519/Ed448 in Sign/Verify prototypes (Filip Skokan) #5234093670de499
] - deps: upgrade npm to 10.8.2 (npm team) #537998531c95587
] - deps: upgrade npm to 10.8.1 (npm team) #53207fd9933ea0f
] - deps: upgrade npm to 10.8.0 (npm team) #5301403852495d7
] - deps: update simdutf to 5.6.0 (Node.js GitHub Bot) #553793597be4146
] - deps: update simdutf to 5.5.0 (Node.js GitHub Bot) #5443452d2c03738
] - deps: update simdutf to 5.3.4 (Node.js GitHub Bot) #54312dd882ac483
] - deps: update simdutf to 5.3.1 (Node.js GitHub Bot) #541965fb8e1b428
] - deps: update simdutf to 5.3.0 (Node.js GitHub Bot) #53837c952fd886d
] - deps: update simdutf to 5.2.8 (Node.js GitHub Bot) #52727a1ae050ed5
] - deps: update simdutf to 5.2.6 (Node.js GitHub Bot) #5272796ec48da7f
] - deps: update brotli to 1.1.0 (Node.js GitHub Bot) #5080411242bcfb4
] - deps: update zlib to 1.3.0.1-motley-71660e1 (Node.js GitHub Bot) #5346464f98a9869
] - deps: update zlib to 1.3.0.1-motley-c2469fd (Node.js GitHub Bot) #534644b815550e0
] - deps: update zlib to 1.3.0.1-motley-68e57e6 (Node.js GitHub Bot) #53464f6b2f68ce7
] - deps: update zlib to 1.3.0.1-motley-8b7eff8 (Node.js GitHub Bot) #53464e151ebef86
] - deps: update zlib to 1.3.0.1-motley-e432200 (Node.js GitHub Bot) #53464637a306e02
] - deps: update zlib to 1.3.0.1-motley-887bb57 (Node.js GitHub Bot) #53464569a739569
] - deps: update zlib to 1.3.0.1-motley-209717d (Node.js GitHub Bot) #53156033f1e2ba5
] - deps: update zlib to 1.3.0.1-motley-4f653ff (Node.js GitHub Bot) #53052aaa857fc01
] - deps: update ada to 2.8.0 (Node.js GitHub Bot) #53254d577321877
] - deps: update acorn to 8.13.0 (Node.js GitHub Bot) #5555855b3c8a41f
] - deps: update acorn-walk to 8.3.4 (Node.js GitHub Bot) #5495050a9456f1e
] - deps: update acorn-walk to 8.3.3 (Node.js GitHub Bot) #53466f56cfe776b
] - deps: update acorn to 8.12.1 (Node.js GitHub Bot) #53465fce3ab686d
] - deps: update archs files for openssl-3.0.15+quic1 (Node.js GitHub Bot) #5518446c782486e
] - deps: upgrade openssl sources to quictls/openssl-3.0.15+quic1 (Node.js GitHub Bot) #551844a18581dc3
] - deps: update corepack to 0.29.4 (Node.js GitHub Bot) #5484567e98831ab
] - deps: update archs files for openssl-3.0.14+quic1 (Node.js GitHub Bot) #54336c60c6630af
] - deps: upgrade openssl sources to quictls/openssl-3.0.14+quic1 (Node.js GitHub Bot) #54336935a506377
] - deps: update corepack to 0.29.3 (Node.js GitHub Bot) #54072dbdfdd0226
] - deps: update corepack to 0.29.2 (Node.js GitHub Bot) #53838395ee44608
] - deps: update corepack to 0.28.2 (Node.js GitHub Bot) #532536ba8bc0618
] - deps: update c-ares to 1.29.0 (Node.js GitHub Bot) #5315581c3260cd2
] - deps: update corepack to 0.28.1 (Node.js GitHub Bot) #52946e81201e91b
] - doc: only apply content-visibility on all.html (Filip Skokan) #535104d2ac5d98f
] - doc: move release key for Myles Borins (Richard Lau) #540591c4decc998
] - doc: add release key for aduh95 (Antoine du Hamel) #55349a4f6f0918f
] - doc: add names next to release key bash commands (Aviv Keller) #52878c679348f83
] - errors: usedetermineSpecificType
in more error messages (Antoine du Hamel) #49580ac37e554a5
] - esm: mark import attributes and JSON module as stable (Nicolò Ribaudo) #5533384b0ead758
] - esm: fix hook name in error message (Bruce MacNaughton) #504660092358d00
] - http: handle multi-value content-disposition header (Arsalan Ahmad) #50977d814fe935c
] - src: account for OpenSSL unexpected version (Shelley Vohr) #540386615fe5db1
] - src: fix dynamically linked OpenSSL version (Richard Lau) #53456d6114cb2e2
] - test: fix test when compiled without engine support (Richard Lau) #53232ac3a39051c
] - test: fix test-tls-junk-closes-server (Michael Dawson) #55089c8520ff7d2
] - test: fix OpenSSL version checks (Richard Lau) #535039824827937
] - test: update tls test to support OpenSSL32 (Michael Dawson) #550301a4d497936
] - test: adjust tls-set-ciphers for OpenSSL32 (Michael Dawson) #55016341496a5a2
] - test: add asserts to validate test assumptions (Michael Dawson) #5499737a2f7eaa4
] - test: adjust key sizes to support OpenSSL32 (Michael Dawson) #5497275ff0cdf66
] - test: update test to support OpenSSL32 (Michael Dawson) #54968b097d85dfe
] - test: adjust test-tls-junk-server for OpenSSL32 (Michael Dawson) #54926e9997388a6
] - test: adjust tls test for OpenSSL32 (Michael Dawson) #54909c7de027adb
] - test: fix test test-tls-dhe for OpenSSL32 (Michael Dawson) #5490368156cbae1
] - test: fix test-tls-client-mindhsize for OpenSSL32 (Michael Dawson) #54739d5b73e5683
] - test: increase key size for ca2-cert.pem (Michael Dawson) #545995316314755
] - test: update TLS test for OpenSSL 3.2 (Richard Lau) #54612a1f0c87859
] - test: fix test-tls-client-auth test for OpenSSL32 (Michael Dawson) #54610e9e3306426
] - test: use assert.{s,deepS}trictEqual() (Sonny) #542081320fb9475
] - test: update TLS trace tests for OpenSSL >= 3.2 (Richard Lau) #53229cc3cdf7cc0
] - test: check against run-time OpenSSL version (Richard Lau) #53456fc43c6803e
] - test: update TLS tests for OpenSSL 3.2 (Richard Lau) #53384627d3993f0
] - test: fix unreliable assumption in js-native-api/test_cannot_run_js (Joyee Cheung) #518989f521f456e
] - test: update tests for OpenSSL 3.0.14 (Richard Lau) #533730fb652eba9
] - tools: update gyp-next to v0.16.1 (Michaël Zasso) #50380fa72b2c2de
] - tools: skip ruff on tools/gyp (Michaël Zasso) #50380