On 24/04/2020 00:05, Sam Roberts wrote: > Fwiw, took a quick run at building and testing Node.js against the 3.x beta. > > It was API compatible enough to build. Good to hear! > The DH_, ECDH_, HMAC_, etc. > deprecations make sense, will look at those. > > My assumption is that EVP versions of these exist in openssl 1.1.1, > and that if we switch our openssl 1.1.1 code to using the EVP APIs, > that that cod will then work unchanged when we update to openssl 3.x? Yes. For DH_ and ECDH_ use EVP_PKEY_derive*: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive.html HMAC_ is a bit more complicated. The preferred way of doing this is to use the EVP_MAC_* API. https://www.openssl.org/docs/manmaster/man3/EVP_MAC.html However this API is newly added in 3.0. You can calculate an HMAC via EVP in 1.1.1 (and this way still works in 3.0), but frankly the old way of doing things is a bit of hack. It does work though. There is an example on the wiki: https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying > > ERR_func_error_string, what is its replacement? I didn't see it > mentioned in the wiki, but its marked deprecated. > > Tests didn't go so well. Minor changes in error strings are to be > expected, but more than that changed. > > I haven't looked at these yet other than scan the output, we might be > relying on internals, but just for anyone curious, here's the test > output: Relying on internals would explain it. Or its also entirely possible that we accidentally broke something. I look forward to seeing the results of your investigations. > > https://gist.github.com/sam-github/5a3b3775029efb3d31109d7e6e390f85 > Scanning the output I notice a couple of things. There's a number of these: ERR_OSSL_DH_MODULUS_TOO_SMALL There is this in the CHANGES.md file which might explain it: * Enforce a minimum DH modulus size of 512 bits. This one is interesting: ERR_OSSL_EVP_FETCH_FAILED This means that the algorithm you are trying to use isn't available in the loaded providers. Since you should be getting the default provider loaded automatically it could be because some legacy algorithms were moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're using something from that list then that would explain it. Matt