From 28ea741b3dc6fc37fa1bc591c0c3f5cff39d17f6 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Tue, 4 Jun 2024 12:32:13 +0100 Subject: [PATCH] doc: doc-only deprecate OpenSSL engine based APIs OpenSSL 3 deprecated support for custom engines with a recommendation to switch to its new provider model. --- doc/api/crypto.md | 5 +++++ doc/api/deprecations.md | 19 +++++++++++++++++++ doc/api/https.md | 6 +++++- doc/api/tls.md | 17 +++++++++++++---- 4 files changed, 42 insertions(+), 5 deletions(-) diff --git a/doc/api/crypto.md b/doc/api/crypto.md index 807cb0e81bca80..827e6857643f41 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md @@ -5271,12 +5271,17 @@ added: v15.6.0 * `engine` {string} * `flags` {crypto.constants} **Default:** `crypto.constants.ENGINE_METHOD_ALL` Load and set the `engine` for some or all OpenSSL functions (selected by flags). +Support for custom engines in OpenSSL is deprecated from OpenSSL 3. `engine` could be either an id or a path to the engine's shared library. diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index 369587098b9478..57b7bbdcde4fbd 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3695,6 +3695,23 @@ For ciphers in GCM mode, the [`decipher.setAuthTag()`][] function accepts authentication tags of any valid length (see [DEP0090](#DEP0090)). This behavior is deprecated to better align with recommendations per [NIST SP 800-38D][]. +### DEP0183: OpenSSL engine based APIs + + + +Type: Documentation-only + +OpenSSL 3 has deprecated support for custom engines with a recommendation to +switch to its new provider model. The `clientCertEngine` option for +`https.request()`, [`tls.createSecureContext()`][], and [`tls.createServer()`][]; +the `privateKeyEngine` and `privateKeyIdentifier` for [`tls.createSecureContext()`][]; +and [`crypto.setEngine()`][] all depend on this functionality from OpenSSL. + [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3 [RFC 8247 Section 2.4]: https://www.rfc-editor.org/rfc/rfc8247#section-2.4 @@ -3736,6 +3753,7 @@ is deprecated to better align with recommendations per [NIST SP 800-38D][]. [`crypto.pbkdf2()`]: crypto.md#cryptopbkdf2password-salt-iterations-keylen-digest-callback [`crypto.randomBytes()`]: crypto.md#cryptorandombytessize-callback [`crypto.scrypt()`]: crypto.md#cryptoscryptpassword-salt-keylen-options-callback +[`crypto.setEngine()`]: crypto.md#cryptosetengineengine-flags [`decipher.final()`]: crypto.md#decipherfinaloutputencoding [`decipher.setAuthTag()`]: crypto.md#deciphersetauthtagbuffer-encoding [`diagnostics_channel.subscribe(name, onMessage)`]: diagnostics_channel.md#diagnostics_channelsubscribename-onmessage @@ -3814,6 +3832,7 @@ is deprecated to better align with recommendations per [NIST SP 800-38D][]. [`tls.TLSSocket`]: tls.md#class-tlstlssocket [`tls.checkServerIdentity()`]: tls.md#tlscheckserveridentityhostname-cert [`tls.createSecureContext()`]: tls.md#tlscreatesecurecontextoptions +[`tls.createServer()`]: tls.md#tlscreateserveroptions-secureconnectionlistener [`url.format()`]: url.md#urlformaturlobject [`url.parse()`]: url.md#urlparseurlstring-parsequerystring-slashesdenotehost [`url.resolve()`]: url.md#urlresolvefrom-to diff --git a/doc/api/https.md b/doc/api/https.md index c3dfe3466643e7..a10c08dc75900b 100644 --- a/doc/api/https.md +++ b/doc/api/https.md @@ -342,6 +342,10 @@ a `timeout` of 5 seconds.