Skip to content

Commit

Permalink
doc: doc-only deprecate OpenSSL engine-based APIs
Browse files Browse the repository at this point in the history
OpenSSL 3 deprecated support for custom engines with a recommendation
to switch to its new provider model.
  • Loading branch information
richardlau committed Jun 4, 2024
1 parent 58711c2 commit 91390c2
Show file tree
Hide file tree
Showing 4 changed files with 42 additions and 5 deletions.
5 changes: 5 additions & 0 deletions doc/api/crypto.md
Original file line number Diff line number Diff line change
Expand Up @@ -5271,12 +5271,17 @@ added: v15.6.0

<!-- YAML
added: v0.11.11
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/53329
description: Custom engine support in OpenSSL 3 is deprecated.
-->

* `engine` {string}
* `flags` {crypto.constants} **Default:** `crypto.constants.ENGINE_METHOD_ALL`

Load and set the `engine` for some or all OpenSSL functions (selected by flags).
Support for custom engines in OpenSSL is deprecated from OpenSSL 3.

`engine` could be either an id or a path to the engine's shared library.

Expand Down
19 changes: 19 additions & 0 deletions doc/api/deprecations.md
Original file line number Diff line number Diff line change
Expand Up @@ -3695,6 +3695,23 @@ For ciphers in GCM mode, the [`decipher.setAuthTag()`][] function accepts
authentication tags of any valid length (see [DEP0090](#DEP0090)). This behavior
is deprecated to better align with recommendations per [NIST SP 800-38D][].

### DEP0183: OpenSSL engine-based APIs

<!-- YAML
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/53329
description: Documentation-only deprecation.
-->

Type: Documentation-only

OpenSSL 3 has deprecated support for custom engines with a recommendation to
switch to its new provider model. The `clientCertEngine` option for
`https.request()`, [`tls.createSecureContext()`][], and [`tls.createServer()`][];
the `privateKeyEngine` and `privateKeyIdentifier` for [`tls.createSecureContext()`][];
and [`crypto.setEngine()`][] all depend on this functionality from OpenSSL.

[NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
[RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3
[RFC 8247 Section 2.4]: https://www.rfc-editor.org/rfc/rfc8247#section-2.4
Expand Down Expand Up @@ -3736,6 +3753,7 @@ is deprecated to better align with recommendations per [NIST SP 800-38D][].
[`crypto.pbkdf2()`]: crypto.md#cryptopbkdf2password-salt-iterations-keylen-digest-callback
[`crypto.randomBytes()`]: crypto.md#cryptorandombytessize-callback
[`crypto.scrypt()`]: crypto.md#cryptoscryptpassword-salt-keylen-options-callback
[`crypto.setEngine()`]: crypto.md#cryptosetengineengine-flags
[`decipher.final()`]: crypto.md#decipherfinaloutputencoding
[`decipher.setAuthTag()`]: crypto.md#deciphersetauthtagbuffer-encoding
[`diagnostics_channel.subscribe(name, onMessage)`]: diagnostics_channel.md#diagnostics_channelsubscribename-onmessage
Expand Down Expand Up @@ -3814,6 +3832,7 @@ is deprecated to better align with recommendations per [NIST SP 800-38D][].
[`tls.TLSSocket`]: tls.md#class-tlstlssocket
[`tls.checkServerIdentity()`]: tls.md#tlscheckserveridentityhostname-cert
[`tls.createSecureContext()`]: tls.md#tlscreatesecurecontextoptions
[`tls.createServer()`]: tls.md#tlscreateserveroptions-secureconnectionlistener
[`url.format()`]: url.md#urlformaturlobject
[`url.parse()`]: url.md#urlparseurlstring-parsequerystring-slashesdenotehost
[`url.resolve()`]: url.md#urlresolvefrom-to
Expand Down
6 changes: 5 additions & 1 deletion doc/api/https.md
Original file line number Diff line number Diff line change
Expand Up @@ -342,6 +342,10 @@ a `timeout` of 5 seconds.
<!-- YAML
added: v0.3.6
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/53329
description: The `clientCertEngine` option depends on custom engine
support in OpenSSL which is deprecated in OpenSSL 3.
- version:
- v16.7.0
- v14.18.0
Expand Down Expand Up @@ -377,7 +381,7 @@ changes:
Makes a request to a secure web server.

The following additional `options` from [`tls.connect()`][] are also accepted:
`ca`, `cert`, `ciphers`, `clientCertEngine`, `crl`, `dhparam`, `ecdhCurve`,
`ca`, `cert`, `ciphers`, `clientCertEngine` (deprecated), `crl`, `dhparam`, `ecdhCurve`,
`honorCipherOrder`, `key`, `passphrase`, `pfx`, `rejectUnauthorized`,
`secureOptions`, `secureProtocol`, `servername`, `sessionIdContext`,
`highWaterMark`.
Expand Down
17 changes: 13 additions & 4 deletions doc/api/tls.md
Original file line number Diff line number Diff line change
Expand Up @@ -1799,6 +1799,11 @@ argument.
<!-- YAML
added: v0.11.13
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/53329
description: The `clientCertEngine`, `privateKeyEngine` and
`privateKeyIdentifier` options depend on custom engine
support in OpenSSL which is deprecated in OpenSSL 3.
- version:
- v19.8.0
- v18.16.0
Expand Down Expand Up @@ -1886,7 +1891,7 @@ changes:
ciphers can be obtained via [`tls.getCiphers()`][]. Cipher names must be
uppercased in order for OpenSSL to accept them.
* `clientCertEngine` {string} Name of an OpenSSL engine which can provide the
client certificate.
client certificate. **Deprecated.**
* `crl` {string|string\[]|Buffer|Buffer\[]} PEM formatted CRLs (Certificate
Revocation Lists).
* `dhparam` {string|Buffer} `'auto'` or custom Diffie-Hellman parameters,
Expand Down Expand Up @@ -1914,11 +1919,11 @@ changes:
decrypted with `object.passphrase` if provided, or `options.passphrase` if
it is not.
* `privateKeyEngine` {string} Name of an OpenSSL engine to get private key
from. Should be used together with `privateKeyIdentifier`.
from. Should be used together with `privateKeyIdentifier`. **Deprecated.**
* `privateKeyIdentifier` {string} Identifier of a private key managed by
an OpenSSL engine. Should be used together with `privateKeyEngine`.
Should not be set together with `key`, because both options define a
private key in different ways.
private key in different ways. **Deprecated.**
* `maxVersion` {string} Optionally set the maximum TLS version to allow. One
of `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
along with the `secureProtocol` option; use one or the other.
Expand Down Expand Up @@ -2055,6 +2060,10 @@ where `secureSocket` has the same API as `pair.cleartext`.
<!-- YAML
added: v0.3.2
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/53329
description: The `clientCertEngine` option depends on custom engine
support in OpenSSL which is deprecated in OpenSSL 3.
- version:
- v20.4.0
- v18.19.0
Expand Down Expand Up @@ -2102,7 +2111,7 @@ changes:
protocols, an error will be thrown. This option cannot be used with the
`ALPNProtocols` option, and setting both options will throw an error.
* `clientCertEngine` {string} Name of an OpenSSL engine which can provide the
client certificate.
client certificate. **Deprecated.**
* `enableTrace` {boolean} If `true`, [`tls.TLSSocket.enableTrace()`][] will be
called on new connections. Tracing can be enabled after the secure
connection is established, but this option must be used to trace the secure
Expand Down

0 comments on commit 91390c2

Please sign in to comment.