deps: update OpenSSL to 3.0.16

[nodejs-github-bot]

This is an automated update of OpenSSL to 3.0.16.

[nodejs-github-bot]

Review requested:

• @nodejs/security-wg

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/65592/

[lpinca]

RSLGTM

[jasnell]

So I know, is this updating to the mainline OpenSSL or is this still the quictls fork?

[richardlau]

So I know, is this updating to the mainline OpenSSL or is this still the quictls fork?

Mainline OpenSSL. It is the result of running the GitHub OpenSSL update workflow after landing #57301.

[jasnell]

Note that the maintaining openssl doc will need to be updated also, as that still refers to the quictls fork. I've started locally trying to see how well openssl 3.5 builds. So far I've run into one issue with comp.h.in not generating. ... ok, yeah, as expected there are a number of updates that need to be made to the build files for 3.5 to build. Several new header templates to generate, other headers and impl files that have moved around.

[panva]

Note that the maintaining openssl doc will need to be updated also, as that still refers to the quictls fork. I've started locally trying to see how well openssl 3.5 builds. So far I've run into one issue with comp.h.in not generating. ... ok, yeah, as expected there are a number of updates that need to be made to the build files for 3.5 to build. Several new header templates to generate, other headers and impl files that have moved around.

Really? I've built and installed 3.5 from main and built/linked it to Node.js with 0 issues just a couple days ago. Warnings many, errors 0. macOS here, only ran tools/test.py -J crypto webcrypto tho

[jasnell]

Interesting. What process did you use for updating? I'm trying from master and it's just not building

[panva]

Interesting. What process did you use for updating? I'm trying from master and it's just not building

• cloned openssl, configure, make, make install
• in node ./configure --shared-openssl --shared-openssl-includes=/usr/local/include --shared-openssl-libpath=/usr/local/lib --node-builtin-modules-path $(pwd) --ninja and make

./node -p process.versions.openssl
3.5.0-dev

➜  node git:(main) tools/test.py -J crypto webcrypto 
[00:07|% 100|+ 135|-   0]: Done                                               

All tests passed.

[panva]

Granted first I tried just copying the openssl repo to deps but that has failed spectacularly.

[jasnell]

Ok yeah, I was going the "official" route with deps and that was... A big fail.

[richardlau]

Force pushed to remove the errant commit added by the failed https://github.com/nodejs/node/actions/runs/13742937148. It looks like the workflow doesn't handle the case when a pull request is already open properly.

[nodejs-github-bot]

Commit Queue failed

- Loading data for nodejs/node/pull/57335
✔  Done loading data for nodejs/node/pull/57335
----------------------------------- PR info ------------------------------------
Title      deps: update OpenSSL to 3.0.16 (#57335)
   ⚠  Could not retrieve the email or name of the PR author's from user's GitHub profile!
Branch     nodejs-github-bot:actions/tools-update-openssl -> nodejs:main
Labels     openssl, needs-ci, dependencies, commit-queue-rebase
Commits    2
 - deps: upgrade openssl sources to quictls/openssl-3.0.16
 - deps: update archs files for openssl-3.0.16
Committers 1
 - Node.js GitHub Bot <github-bot@iojs.org>
PR-URL: https://github.com/nodejs/node/pull/57335
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/57335
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
--------------------------------------------------------------------------------
   ⚠  Something was pushed to the Pull Request branch since the last approving review.
   ℹ  This PR was created on Wed, 05 Mar 2025 20:58:01 GMT
   ✔  Approvals: 5
   ✔  - Richard Lau (@richardlau) (TSC): https://github.com/nodejs/node/pull/57335#pullrequestreview-2662624837
   ✔  - Rafael Gonzaga (@RafaelGSS) (TSC): https://github.com/nodejs/node/pull/57335#pullrequestreview-2662896273
   ✔  - Marco Ippolito (@marco-ippolito) (TSC): https://github.com/nodejs/node/pull/57335#pullrequestreview-2663643318
   ✔  - Filip Skokan (@panva): https://github.com/nodejs/node/pull/57335#pullrequestreview-2664017903
   ✔  - Luigi Pinca (@lpinca): https://github.com/nodejs/node/pull/57335#pullrequestreview-2666951771
   ✘  Last GitHub CI failed
   ℹ  Last Full PR CI on 2025-03-05T21:24:09Z: https://ci.nodejs.org/job/node-test-pull-request/65592/
- Querying data for job/node-test-pull-request/65592/
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu

https://github.com/nodejs/node/actions/runs/13755630211

[nodejs-github-bot]

Landed in fbe37d5...96457b4

[richardlau]

So I know, is this updating to the mainline OpenSSL or is this still the quictls fork?

ugh. I've just noticed that the commit message still references quic/openssl-.... I'll open a PR to update that along with updating the maintaining docs.

[richardlau]

So I know, is this updating to the mainline OpenSSL or is this still the quictls fork?

ugh. I've just noticed that the commit message still references quic/openssl-.... I'll open a PR to update that along with updating the maintaining docs.

#57413