deps: update openssl to openssl1.1.1k+quic

[hassaanp]

Updated openssl dep to openssl1.1.1k+quic using the maintenance guide.

Fixes: #37913

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/36979/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/36981/

[tniessen]

Manually verified 16da9a7 (tree 250f02dc10d0029dd0a51e26c4d6a274f8599d52).

All changes are legit.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/36992/

[jasnell]

Thank you so much @hassaanp for putting this together :-) ... saved me part of my afternoon yesterday!

[millerick]

Can someone give estimates on when this will be included in the existing LTS versions?

[richardlau]

Can someone give estimates on when this will be included in the existing LTS versions?

It would be helpful if someone could open a PR to update openssl (from the original openssl project and not the quic fork) for the LTS staging branches as this PR isn't applicable to those versions.

[mhdawson]

@richardlau should it not just be the same PR minus the deps: upgrade openssl sources to 1.1.1k+quic commit ?

[mcollina]

lgtm

[richardlau]

@richardlau should it not just be the same PR minus the deps: upgrade openssl sources to 1.1.1k+quic commit ?

No, since for master we've switched upstream OpenSSL to https://github.com/quictls/openssl whereas the older release lines keep upstream to the official OpenSSL releases. We're not talking about quic support in Node.js here (as I understand it, that hasn't been added back yet) -- the +quic bit is denoting the openssl source is coming from the fork with additional patches for quic support in OpenSSL (for use in a subsequent Node.js patch).

[mhdawson]

@richardlau in the discussion around the switch my understanding is that the https://github.com/quictls/openssl should always be exactly the same as what is in the openssl repo EXCEPT for the addition of that one extra commit. That was a key point (at least for me) as to why it would not require a bunch of extra work to support. @jasnell can you please confirm? Key thing is to understand if we'll need 2 PRs for every openSSL update (1 for master and 1 for LTS versions)

[jasnell]

For the downlevel branches, the openssl update should continue to come from the main openssl/openssl release distribution as it has in the past. The quictls/openssl distribution is only for master now and possibly 16.x assuming it picks it up from master.

The quictls/openssl branch will always be exactly the same as what is in the official repo + multiple additional commits necessary to add the QUIC support. Those additional bits, however, are built by default and must be explicitly turned off, and the older Node.js release lines do not have the necessary guards to do so. Therefore, @richardlau is correct, we need separate PRS for the other release lines that are pulled from openssl/openssl

[millerick]

Therefore, @richardlau is correct, we need separate PRS for the other release lines that are pulled from openssl/openssl

Are the maintainers working on addressing this, or is the expectation that someone from the community will make those proposals?

[tniessen]

The quictls/openssl distribution is only for master now and possibly 16.x assuming it picks it up from master.

@jasnell I was going to do the update for 15.x but it seems that 6d77b61 is in that line (and released as of 15.12).

[tniessen]

v14.x in #37938

[tniessen]

v12.x in #37939

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/37010/

[tniessen]

v10.x in #37940

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/37049/

[gengjiawen]

Landed in 30fe4ed...f638d8d

[gengjiawen]

Thanks for the contribution :)