From 68b15a717b057925615da27ab70ed33fec705676 Mon Sep 17 00:00:00 2001
From: Richard Lau
Date: Thu, 29 Aug 2024 16:25:34 +0000
Subject: [PATCH] build: explicitly set OpenSSL default TLS seclevel

Explicitly set the default TLS seclevel for OpenSSL. OpenSSL 3.2 changed the default TLS seclevel from 1 (default in OpenSSL 3.0 and 3.1) to 2. This causes smaller key sizes to be rejected, as well as any cipher suite that uses RC4. Since the End-of-Life date for OpenSSL 3.0 is before the End-of-Life date for Node.js 22, we anticipate that we will need to update OpenSSL to whatever the next (as yet unannounced) LTS version of OpenSSL will be. Fixing the seclevel will minimize ecosystem disruption when that update happens. Even with the seclevel fixed at 1, updating from OpenSSL 3.1 would still result in a change -- OpenSSL 3.1 disabled SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 at seclevel 1.

Refs: https://docs.openssl.org/3.0/man3/SSL_CTX_set_security_level/#default-callback-behaviour
Refs: https://docs.openssl.org/3.1/man3/SSL_CTX_set_security_level/#default-callback-behaviour
Refs: https://docs.openssl.org/3.2/man3/SSL_CTX_set_security_level/#default-callback-behaviour
---
 node.gypi | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/node.gypi b/node.gypi
index 44780fe3b1211c..eb39ff0c96c642 100644
--- a/node.gypi
+++ b/node.gypi
@@ -359,7 +359,10 @@
 'defines': [ 'HAVE_OPENSSL=1' ],
 'conditions': [
 [ 'node_shared_openssl=="false"', {
- 'defines': [ 'OPENSSL_API_COMPAT=0x10100000L', ],
+ 'defines': [
+ 'OPENSSL_API_COMPAT=0x10100000L',
+ 'OPENSSL_TLS_SECURITY_LEVEL=1',
+ ],
 'dependencies': [
 './deps/openssl/openssl.gyp:openssl',