deps: define OPENSSLDIR and ENGINESDIR explicitly #29455
Conversation
According to CVE-2019-1552(*), it is encouraged to change OPENSSLDIR from the default of /usr/local/ssl to a privileged directory on Windows. "C:\Program Files\Common Files\SSL" is set as it is the default path in OpenSSL-1.1.1.
(*) https://www.openssl.org/news/secadv/20190730.txt
Fixes: nodejs#29445
@nodejs/tsc opinions? @nodejs/lts? I'm OK with following @shigeki's advice: don't fix, it's low priority and on an almost EOL release line. @nodejs/platform-windows, you should take careful note -- this is specific to Windows, do you have an opinion?
I'm OK with following @shigeki's advice as well. One concern is what happens if you upgrade from an earlier version and had config files in /usr/local/ssl. Would you run without the configuration you expected and not know it? Maybe we should look to see if there is config in /usr/local/ssl and warn that it's not going to be used in the current version?
I'm OK with following @shigeki's advice: don't fix, it's low priority and on an almost EOL release line.
It depends.
It looks like we're agreeing to not land this change in v8.x?
Closing this, as we agreed not to land it.
Backslashes and spaces need to be escaped to define OPENSSLDIR to "C:\Program Files\Common Files\SSL".
PR-URL: nodejs#29456
Refs: nodejs#29455
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
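The escaping point in the commit message above, as an added example that is not part of this PR, of the Node.js build files, or of OpenSSL: the Windows path from the commit message is turned into a C string literal for a -DOPENSSLDIR define, and a small model of a C compiler's literal decoding shows what happens when the backslashes are not doubled (each unknown escape such as \P draws a compiler warning and loses its backslash, so the binary ends up looking for a directory that does not exist). The shell-quoted form of the define is an assumption about a POSIX shell or Makefile command line; the GYP quoting the actual fix uses is not reproduced here.

```javascript
'use strict';

// Added example, not code from the Node.js or OpenSSL projects. It shows why
// the backslashes in a Windows OPENSSLDIR such as
// C:\Program Files\Common Files\SSL must be escaped before the path becomes
// the C string literal behind a -DOPENSSLDIR=... build define.

// The directory as it should exist on disk (the path named in the PR).
const WIN_OPENSSLDIR = 'C:\\Program Files\\Common Files\\SSL';

// Turn a filesystem path into a C string literal: double every backslash,
// escape embedded double quotes, wrap the result in quotes.
function toCLiteral(path) {
  return '"' + path.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Minimal model of how a C/C++ compiler decodes a string literal. Known
// escapes are decoded; an unknown one such as \P draws a warning from GCC
// ("unknown escape sequence") and MSVC (C4129) and is then treated as the
// bare character, so the backslash silently disappears from the binary.
// Only the escapes relevant here are modelled (no octal/hex/unicode forms).
function interpretCLiteral(literal) {
  if (literal.length < 2 || literal[0] !== '"' || literal[literal.length - 1] !== '"') {
    throw new Error('not a C string literal: ' + literal);
  }
  const body = literal.slice(1, -1);
  const known = { '\\': '\\', '"': '"', n: '\n', t: '\t' };
  const warnings = [];
  let value = '';
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c !== '\\') { value += c; continue; }
    const next = body[++i];
    if (next === undefined) throw new Error('dangling backslash in literal');
    if (Object.prototype.hasOwnProperty.call(known, next)) {
      value += known[next];
    } else {
      warnings.push(`unknown escape sequence: '\\${next}'`);
      value += next; // compiler keeps the character, drops the backslash
    }
  }
  return { value, warnings };
}

// The string the compiled OpenSSL would use for a given literal.
function compiledValue(literal) {
  return interpretCLiteral(literal).value;
}

// A -D define for a POSIX shell or Makefile command line (assumed form).
// Single quotes stop the shell from eating the backslashes and from
// splitting on the spaces, so the preprocessor receives the escaped
// literal intact. GYP and MSBuild add their own quoting layers; only the
// shell form is shown here.
function defineFlag(name, path) {
  return `-D${name}='${toCLiteral(path)}'`;
}

// Compare the naive literal (path pasted between quotes) with the escaped one.
function demo(path = WIN_OPENSSLDIR) {
  const naive = '"' + path + '"';
  const escaped = toCLiteral(path);
  const naiveResult = interpretCLiteral(naive);
  return {
    naiveLiteral: naive,
    naiveWarnings: naiveResult.warnings,
    naiveOpenssldir: naiveResult.value,        // C:Program FilesCommon FilesSSL
    escapedLiteral: escaped,
    escapedOpenssldir: compiledValue(escaped), // C:\Program Files\Common Files\SSL
    roundTrips: compiledValue(escaped) === path,
    shellDefine: defineFlag('OPENSSLDIR', path),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same treatment applies to ENGINESDIR, which the PR title also covers: any Windows path that reaches the preprocessor as a quoted literal needs its backslashes doubled, and any path containing spaces needs the whole define quoted at the shell or build-system layer so it is not split into several arguments.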
According to CVE-2019-1552(*), it is encouraged to change OPENSSLDIR from the default of /usr/local/ssl to a privileged directory on Windows. "C:\Program Files\Common Files\SSL" is set as it is the default path in OpenSSL-1.1.1. This is also described in openssl/openssl@d333eba for the forthcoming release of OpenSSL-1.0.2t.
It breaks the compatibility of the OPENSSLDIR path with the previous v8 LTS releases. As v8 LTS will end in 4 months and its severity is LOW, I do not mind if this is not fixed.
(*) https://www.openssl.org/news/secadv/20190730.txt
Fixes: #29445
Checklist
make -j4 test (UNIX), or vcbuild test (Windows) passes