Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use md5 hashing for OpenSSL 3 #924

Merged
merged 4 commits into from
Mar 22, 2022
Merged

Conversation

pathmapper
Copy link
Contributor

Please check if the PR fulfills these requirements

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Other... Please describe:

What is the current behavior? (You can also link to an open issue here)

#923

What is the new behavior?

Check process.versions.openssl instead of process.versions.node.

Does this PR introduce a breaking change?

  • Yes
  • No

Copy link
Contributor

@JLHwung JLHwung left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd better do a top level feature detection. We can try create to create an md4 hasher and switch to md5 if it throws.

OpenSSL 1.1.1 can disable md4 via --no-md4 building options. [1]

OpenSSL 3.0 can enable md4 via legacy provider config option. [2]

And node.js can be built with LibreSSL, too.

@pathmapper
Copy link
Contributor Author

@JLHwung is ba92115 what you are thinking about?

Copy link
Contributor

@JLHwung JLHwung left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you move the feature detection to the top level? So we don't have to detect it on every request.

@pathmapper
Copy link
Contributor Author

move the feature detection to the top level

done

@pathmapper
Copy link
Contributor Author

Any chance to get this merged?

@sirin2639
Copy link

sirin2639 commented Feb 18, 2022

Has anyone tested this change on RH Linux? RH Linux enables FIPS and md5 isn't allowed on a FIPS compliant system.

Updated: RHEL8 allows SHA256.

@JLHwung
Copy link
Contributor

JLHwung commented Feb 18, 2022

Before this PR babel-loader uses md4 which is not FIPS compliant, too. We can open a new issue tracking how we should handle FIPS compliance.

@sonnyp
Copy link

sonnyp commented Mar 15, 2022

babel-loader is currently unusable on Fedora 36. The beta is due to release this month.

I added some links in #934 about webpack approach in case of interest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants