diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d99edf1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/node-ssl-shim-6fc0b05.tar.gz
+SOURCES/node-v14.15.0-stripped.tar.gz
diff --git a/.rh-nodejs14-nodejs.metadata b/.rh-nodejs14-nodejs.metadata
new file mode 100644
index 0000000..250715c
--- /dev/null
+++ b/.rh-nodejs14-nodejs.metadata
@@ -0,0 +1,2 @@
+9fe6761bd237af8be0e4d26184c5a01e01d7967d SOURCES/node-ssl-shim-6fc0b05.tar.gz
+fdc54e8dbaec8f3a477e9708a3299a40e995eb91 SOURCES/node-v14.15.0-stripped.tar.gz
diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch
new file mode 100644
index 0000000..87c7f13
--- /dev/null
+++ b/SOURCES/0001-Link-with-ssl-shim.patch
@@ -0,0 +1,65 @@
+From 75268fbb6bbe32db695595e2b30f4600732767ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
+Date: Tue, 28 Apr 2020 11:15:24 +0200
+Subject: [PATCH] Link with ssl-shim
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ node.gypi          | 10 +++++++---
+ src/node_crypto.cc |  2 +-
+ src/node_crypto.h  |  2 ++
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/node.gypi b/node.gypi
+index 43dbda7bbf..070f212d96 100644
+--- a/node.gypi
++++ b/node.gypi
+@@ -364,9 +364,13 @@
+               ],
+             }],
+           ],
+-        }]]
+-
+-    }, {
++        }],
++        [ 'node_shared_openssl=="true"', {
++          'include_dirs': ['deps/node-ssl-shim/include'],
++          'libraries': ['<!(realpath deps/node-ssl-shim/lib/libnode-ssl-shim.a)']
++        }]
++    ]},
++    {
+       'defines': [ 'HAVE_OPENSSL=0' ]
+     }],
+ 
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index ed886abd74..6118829b43 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -1155,7 +1155,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
+ 
+ void SecureContext::SetCipherSuites(const FunctionCallbackInfo<Value>& args) {
+   // BoringSSL doesn't allow API config of TLS1.3 cipher suites.
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined OPENSSL_IS_BORINGSSL && !OPENSSL_IS_LEGACY
+   SecureContext* sc;
+   ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
+   Environment* env = sc->env();
+diff --git a/src/node_crypto.h b/src/node_crypto.h
+index bef98b3e24..d46730c9ba 100644
+--- a/src/node_crypto.h
++++ b/src/node_crypto.h
+@@ -42,6 +42,8 @@
+ #include <openssl/ec.h>
+ #include <openssl/rsa.h>
+ 
++#include <node-ssl-shim/ssl-shim.h>
++
+ namespace node {
+ namespace crypto {
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/0002-Use-OpenSSL-1.0-API.patch b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
new file mode 100644
index 0000000..d5e7561
--- /dev/null
+++ b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
@@ -0,0 +1,147 @@
+From 779cd3cc604a0efdeba1e0e2bcacab27880675c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
+Date: Wed, 16 Sep 2020 12:46:38 +0200
+Subject: [PATCH] Use OpenSSL 1.0 API
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- Pass non-const pointer to BIO_new
+
+  In legacy OpenSSL, the method parameter for BIO_new is not marked const,
+  although the function does not need it to be mutable.
+  This is likely an oversight in the interface.
+
+  The provided "fix" is potentially dangerous,
+  as casting away `const`-ness is potentially an undefined behaviour.
+  Since the code around assumes it is constant anyway,
+  it *should* be fine here – but use with care.
+
+- Remove const-classifier for SSL_SESSION callback argument
+
+  In legacy OpenSSL, the parameter is expected to be mutable.
+  Using `const` prevents passing the method as a function pointer
+  to other OpenSSL API functions.
+
+- Sanitize inputs into PBKDF2
+
+- Return const char from SSL_CIPHER_get_version
+
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ src/node_crypto.cc        | 26 ++++++++++++++++++++++++--
+ src/node_crypto.h         |  4 ++++
+ src/node_crypto_bio.cc    |  4 ++++
+ src/node_crypto_common.cc | 10 +++++++++-
+ 4 files changed, 41 insertions(+), 3 deletions(-)
+
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index 6118829b43..77940f0dea 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -124,7 +124,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
+ template void SSLWrap<TLSWrap>::MemoryInfo(MemoryTracker* tracker) const;
+ template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
+     SSL* s,
++#if OPENSSL_IS_LEGACY
++    unsigned char *key,
++#else
+     const unsigned char* key,
++#endif
+     int len,
+     int* copy);
+ template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
+@@ -1766,7 +1770,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
+ 
+ template <class Base>
+ SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
++#if OPENSSL_IS_LEGACY
++                                               unsigned char* key,
++#else
+                                                const unsigned char* key,
++#endif
+                                                int len,
+                                                int* copy) {
+   Base* w = static_cast<Base*>(SSL_get_app_data(s));
+@@ -5895,9 +5903,23 @@ struct PBKDF2Job : public CryptoJob {
+   }
+ 
+   inline void DoThreadPoolWork() override {
+-    auto salt_data = reinterpret_cast<const unsigned char*>(salt.data());
++    static const char * const empty = "";
++
++    auto pass_data = reinterpret_cast<const char *>(empty);
++    auto pass_size = int(0);
++    auto salt_data = reinterpret_cast<const unsigned char *>(empty);
++    auto salt_size = int(0);
++
++    if (pass.size() > 0) {
++      pass_data = pass.data(), pass_size = pass.size();
++    }
++    if (salt.size() > 0) {
++      salt_data = reinterpret_cast<const unsigned char *>(salt.data());
++      salt_size = salt.size();
++    }
++
+     const bool ok =
+-        PKCS5_PBKDF2_HMAC(pass.data(), pass.size(), salt_data, salt.size(),
++        PKCS5_PBKDF2_HMAC(pass_data, pass_size, salt_data, salt_size,
+                           iteration_count, digest, keybuf_size, keybuf_data);
+     success = Just(ok);
+     Cleanse();
+diff --git a/src/node_crypto.h b/src/node_crypto.h
+index d46730c9ba..dbc46fbec8 100644
+--- a/src/node_crypto.h
++++ b/src/node_crypto.h
+@@ -235,7 +235,11 @@ class SSLWrap {
+   static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t);
+ 
+   static SSL_SESSION* GetSessionCallback(SSL* s,
++#if OPENSSL_IS_LEGACY
++                                         unsigned char* key,
++#else // OPENSSL_IS_LEGACY
+                                          const unsigned char* key,
++#endif // OPENSSL_IS_LEGACY
+                                          int len,
+                                          int* copy);
+   static int NewSessionCallback(SSL* s, SSL_SESSION* sess);
+diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc
+index 8c58e31f86..319580c9b6 100644
+--- a/src/node_crypto_bio.cc
++++ b/src/node_crypto_bio.cc
+@@ -32,7 +32,11 @@ namespace node {
+ namespace crypto {
+ 
+ BIOPointer NodeBIO::New(Environment* env) {
++#if OPENSSL_IS_LEGACY
++  BIOPointer bio(BIO_new(const_cast<BIO_METHOD *>(GetMethod())));
++#else
+   BIOPointer bio(BIO_new(GetMethod()));
++#endif
+   if (bio && env != nullptr)
+     NodeBIO::FromBIO(bio.get())->env_ = env;
+   return bio;
+diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
+index 6473b652ac..da1033fdef 100644
+--- a/src/node_crypto_common.cc
++++ b/src/node_crypto_common.cc
+@@ -405,7 +405,15 @@ MaybeLocal<Value> GetCipherStandardName(
+ }
+ 
+ MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
+-  return GetCipherValue(env, cipher, SSL_CIPHER_get_version);
++#if OPENSSL_IS_LEGACY
++  auto get_version = [](const SSL_CIPHER *cipher){
++    return const_cast<const char *>(SSL_CIPHER_get_version(cipher));
++  };
++#else // OPENSSL_IS_LEGACY
++  auto get_version = SSL_CIPHER_get_version;
++#endif // OPENSSL_IS_LEGACY
++
++  return GetCipherValue(env, cipher, get_version);
+ }
+ 
+ StackOfX509 CloneSSLCerts(X509Pointer&& cert,
+-- 
+2.26.2
+
diff --git a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
new file mode 100644
index 0000000..48a8c4f
--- /dev/null
+++ b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
@@ -0,0 +1,357 @@
+From afdb783c2b6c97e4e8c4a8b69bff4187a1cb4bd2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
+Date: Wed, 16 Sep 2020 12:47:35 +0200
+Subject: [PATCH] Backport necessary OpenSSL features
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- Remove uses of SSL_CTX_{get,set}_{min,max}_proto_version()
+
+  These functions are not provided by OpenSSL v1.0,
+  and unfortunately cannot be fully re-implemented using available APIs.
+
+- Implement SSL_{get,set}_{min,max}_proto_version on NodeJS level
+
+  The shim layer cannot provide implementation for the above functions,
+  as there is no place to store the current boundary information.
+  Setting them can be simulated by using SSL_CTX options,
+  but getting them is tricky and starts to fail once the boundaries meet.
+
+  Since Node wraps the secure context in it's own structure,
+  that structure can be extended to record the last set boundaries,
+  and then set the appropriate options on the OpenSSL structure.
+
+  This patch is a first draft of this implementation.
+  The boundaries are stored directly as private members of
+  `node::crypto::SecureContext`.
+  In order to actually apply them, a new private `_SyncMinMaxProto()`
+  method has to be called.
+  This will modify the option mask of the associated SSL_CTX structure
+  to match the recorded boundaries.
+  Use with care!
+
+- Provide locking mechanism for legacy OpenSSL
+
+  This commit is probably a good candidate for inclusion in the shim,
+  although probably as some sort of extras – it is not trivial!
+
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ src/node_crypto.cc | 192 +++++++++++++++++++++++++++++++++++++++------
+ src/node_crypto.h  |  14 ++++
+ 2 files changed, 180 insertions(+), 26 deletions(-)
+
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index 77940f0dea..ff562e3563 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -538,6 +538,11 @@ inline void SecureContext::Reset() {
+   ctx_.reset();
+   cert_.reset();
+   issuer_.reset();
++
++#if OPENSSL_IS_LEGACY
++  _min_proto_version = 0;
++  _max_proto_version = 0;
++#endif // OPENSSL_IS_LEGACY
+ }
+ 
+ SecureContext::~SecureContext() {
+@@ -551,7 +556,11 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
+ 
+ // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
+ // Node.js doesn't, so pin the max to what we do support.
++#if OPENSSL_IS_LEGACY
++const int MAX_SUPPORTED_VERSION = TLS1_2_VERSION;
++#else // OPENSSL_IS_LEGACY
+ const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION;
++#endif // OPENSSL_IS_LEGACY
+ 
+ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
+   SecureContext* sc;
+@@ -606,38 +615,23 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
+       max_version = MAX_SUPPORTED_VERSION;
+       method = TLS_client_method();
+     } else if (sslmethod == "TLSv1_method") {
+-      min_version = TLS1_VERSION;
+-      max_version = TLS1_VERSION;
++      method = TLSv1_method();
+     } else if (sslmethod == "TLSv1_server_method") {
+-      min_version = TLS1_VERSION;
+-      max_version = TLS1_VERSION;
+-      method = TLS_server_method();
++      method = TLSv1_server_method();
+     } else if (sslmethod == "TLSv1_client_method") {
+-      min_version = TLS1_VERSION;
+-      max_version = TLS1_VERSION;
+-      method = TLS_client_method();
++      method = TLSv1_client_method();
+     } else if (sslmethod == "TLSv1_1_method") {
+-      min_version = TLS1_1_VERSION;
+-      max_version = TLS1_1_VERSION;
++      method = TLSv1_1_method();
+     } else if (sslmethod == "TLSv1_1_server_method") {
+-      min_version = TLS1_1_VERSION;
+-      max_version = TLS1_1_VERSION;
+-      method = TLS_server_method();
++      method = TLSv1_1_server_method();
+     } else if (sslmethod == "TLSv1_1_client_method") {
+-      min_version = TLS1_1_VERSION;
+-      max_version = TLS1_1_VERSION;
+-      method = TLS_client_method();
++      method = TLSv1_1_client_method();
+     } else if (sslmethod == "TLSv1_2_method") {
+-      min_version = TLS1_2_VERSION;
+-      max_version = TLS1_2_VERSION;
++      method = TLSv1_2_method();
+     } else if (sslmethod == "TLSv1_2_server_method") {
+-      min_version = TLS1_2_VERSION;
+-      max_version = TLS1_2_VERSION;
+-      method = TLS_server_method();
++      method = TLSv1_2_server_method();
+     } else if (sslmethod == "TLSv1_2_client_method") {
+-      min_version = TLS1_2_VERSION;
+-      max_version = TLS1_2_VERSION;
+-      method = TLS_client_method();
++      method = TLSv1_2_client_method();
+     } else {
+       const std::string msg("Unknown method: ");
+       THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, (msg + * sslmethod).c_str());
+@@ -667,8 +661,14 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
+                                  SSL_SESS_CACHE_NO_INTERNAL |
+                                  SSL_SESS_CACHE_NO_AUTO_CLEAR);
+ 
++#if OPENSSL_IS_LEGACY
++  sc->_min_proto_version = min_version;
++  sc->_max_proto_version = max_version;
++  sc->_SyncMinMaxProto();
++#else
+   SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);
+   SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
++#endif // !OPENSSL_IS_LEGACY
+ 
+   // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
+   // exposed in the public API. To retain compatibility, install a callback
+@@ -1264,6 +1264,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
+     return env->ThrowTypeError("Error setting temp DH parameter");
+ }
+ 
++#if OPENSSL_IS_LEGACY
++int SecureContext::_SyncMinMaxProto() {
++  // Node explicitly disables SSLv2 and v3 – do not intefere with that
++  static const auto ALL_SUPPORTED_VERSIONS =
++    SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
++
++  auto mask = long(0);
++
++  // Setup minimum version
++  switch (_min_proto_version) {
++    default: return 0; // unsupported version
++    case TLS1_3_VERSION:
++      mask |= SSL_OP_NO_TLSv1_2;
++      [[fallthrough]];
++    case TLS1_2_VERSION:
++      mask |= SSL_OP_NO_TLSv1_1;
++      [[fallthrough]];
++    case TLS1_1_VERSION:
++      mask |= SSL_OP_NO_TLSv1;
++      [[fallthrough]];
++    case TLS1_VERSION:
++      mask |= SSL_OP_NO_SSLv3;
++      [[fallthrough]];
++    case SSL3_VERSION:
++      mask |= SSL_OP_NO_SSLv2;
++      [[fallthrough]];
++    case 0: // any supported version
++      break;
++  }
++
++  // Setup maximum version
++  switch (_max_proto_version) {
++    default: return 0; // unsupported version
++    case SSL3_VERSION:
++      mask |= SSL_OP_NO_TLSv1;
++      [[fallthrough]];
++    case TLS1_VERSION:
++      mask |= SSL_OP_NO_TLSv1_1;
++      [[fallthrough]];
++    case TLS1_1_VERSION:
++      mask |= SSL_OP_NO_TLSv1_2;
++      [[fallthrough]];
++    case TLS1_2_VERSION:
++      // no-op, legacy OpenSSL does not know about TLSv1.3
++      [[fallthrough]];
++    case TLS1_3_VERSION:
++      [[fallthrough]];
++    case 0: // any version
++      break;
++  }
++
++  // Reset current context mask
++  auto *raw_context = ctx_.get();
++  SSL_CTX_clear_options(raw_context, ALL_SUPPORTED_VERSIONS);
++  SSL_CTX_set_options(raw_context, mask);
++
++  return 1;
++}
++#endif // OPENSSL_IS_LEGACY
+ 
+ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
+   SecureContext* sc;
+@@ -1274,7 +1333,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
+ 
+   int version = args[0].As<Int32>()->Value();
+ 
++#if OPENSSL_IS_LEGACY
++  sc->_min_proto_version = version;
++  CHECK(sc->_SyncMinMaxProto());
++#else  // OPENSSL_IS_LEGACY
+   CHECK(SSL_CTX_set_min_proto_version(sc->ctx_.get(), version));
++#endif  // OPENSSL_IS_LEGACY
+ }
+ 
+ 
+@@ -1287,7 +1351,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
+ 
+   int version = args[0].As<Int32>()->Value();
+ 
++#if OPENSSL_IS_LEGACY
++  sc->_max_proto_version = version;
++  CHECK(sc->_SyncMinMaxProto());
++#else // OPENSSL_IS_LEGACY
+   CHECK(SSL_CTX_set_max_proto_version(sc->ctx_.get(), version));
++#endif // OPENSSL_IS_LEGACY
+ }
+ 
+ 
+@@ -1298,7 +1367,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
+   CHECK_EQ(args.Length(), 0);
+ 
+   long version =  // NOLINT(runtime/int)
++#if OPENSSL_IS_LEGACY
++    sc->_min_proto_version;
++#else // OPENSSL_IS_LEGACY
+     SSL_CTX_get_min_proto_version(sc->ctx_.get());
++#endif // OPENSSL_IS_LEGACY
+   args.GetReturnValue().Set(static_cast<uint32_t>(version));
+ }
+ 
+@@ -1310,11 +1383,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
+   CHECK_EQ(args.Length(), 0);
+ 
+   long version =  // NOLINT(runtime/int)
++#if OPENSSL_IS_LEGACY
++    sc->_max_proto_version;
++#else // OPENSSL_IS_LEGACY
+     SSL_CTX_get_max_proto_version(sc->ctx_.get());
++#endif // OPENSSL_IS_LEGACY
+   args.GetReturnValue().Set(static_cast<uint32_t>(version));
+ }
+ 
+-
+ void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
+   SecureContext* sc;
+   ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
+@@ -6870,8 +6946,72 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
+       CRYPTO_memcmp(buf1.data(), buf2.data(), buf1.length()) == 0);
+ }
+ 
++
++#if OPENSSL_IS_LEGACY
++// Array of mutexes provided for OpenSSL internal use
++static std::unique_ptr<Mutex[]> openssl_lock_array = nullptr;
++
++// OpenSSL callback – lock/unlock a mutex
++static void openssl_lock_callback(
++    int mode, int which, const char *file [[maybe_unused]], int line [[maybe_unused]])
++{
++  // Exactly one of CRYPTO_LOCK or CRYPTO_UNLOCK is set
++  CHECK(!(mode & CRYPTO_LOCK) ^ !(mode & CRYPTO_UNLOCK));
++  // Exactly one of CRYPTO_READ or CRYPTO_WRITE is set
++  CHECK(!(mode & CRYPTO_READ) ^ !(mode & CRYPTO_WRITE));
++  // FIXME: No easy way to make a array bounds check
++
++  auto mtx = &openssl_lock_array[which];
++  if (mode & CRYPTO_LOCK) {
++    mtx->Lock();
++  } else {
++    mtx->Unlock();
++  }
++}
++
++// OpenSSL callback - retrieve current thread ID
++static void openssl_threadid_callback(CRYPTO_THREADID *thread_id) {
++  static_assert(sizeof (uv_thread_t) <= sizeof (void *), "uv_thread_t does not fit in a pointer");
++  CRYPTO_THREADID_set_pointer(thread_id, reinterpret_cast<void *>(uv_thread_self()));
++}
++
++// Initialize (reset) the provided locking mechanism
++static void openssl_reset_locking() {
++  openssl_lock_array = std::make_unique<Mutex[]>(CRYPTO_num_locks());
++
++  CRYPTO_THREADID_set_callback(openssl_threadid_callback);
++  CRYPTO_set_locking_callback(openssl_lock_callback);
++}
++
++#endif // OPENSSL_IS_LEGACY
++
+ void InitCryptoOnce() {
+-#ifndef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_IS_LEGACY
++  SSL_load_error_strings();
++  OPENSSL_no_config();
++
++  if (!per_process::cli_options->openssl_config.empty()) {
++    OPENSSL_load_builtin_modules();
++#ifndef OPENSSL_NO_ENGINE
++    ENGINE_load_builtin_engines();
++#endif // OPENSSL_NO_ENGINE
++    ERR_clear_error();
++
++    const char *conf_path = per_process::cli_options->openssl_config.c_str();
++    CONF_modules_load_file(conf_path, nullptr, CONF_MFLAGS_DEFAULT_SECTION);
++    auto err = ERR_get_error();
++    if (err != 0) {
++      fprintf(stderr, "openssl config failed: %s\n", ERR_error_string(err, nullptr));
++      CHECK_NE(err, 0);
++    }
++  }
++
++  // Initialize OpenSSL library
++  SSL_library_init();
++  OpenSSL_add_all_algorithms();
++  // Provide mutex array for OpenSSL
++  openssl_reset_locking();
++#else
+   OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
+ 
+   // --openssl-config=...
+diff --git a/src/node_crypto.h b/src/node_crypto.h
+index dbc46fbec8..d27125042b 100644
+--- a/src/node_crypto.h
++++ b/src/node_crypto.h
+@@ -183,6 +183,20 @@ class SecureContext final : public BaseObject {
+ 
+   SecureContext(Environment* env, v8::Local<v8::Object> wrap);
+   void Reset();
++
++#if OPENSSL_IS_LEGACY
++ private:
++  // Legacy OpenSSL does not store min-max allowed versions of SSL/TLS;
++  // instead it relies on flags and enabling/disabling specific versions.
++  //
++  // In order to provide enough information for *getting* the allowed
++  // versions last set, record the boundaries on our secure context.
++  int _min_proto_version = 0;
++  int _max_proto_version = 0;
++
++  /** Sync _{min,max}_proto_version to wrapped context. */
++  int _SyncMinMaxProto();
++#endif // OPENSSL_IS_LEGACY
+ };
+ 
+ // SSLWrap implicitly depends on the inheriting class' handle having an
+-- 
+2.26.2
+
diff --git a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
new file mode 100644
index 0000000..7319353
--- /dev/null
+++ b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
@@ -0,0 +1,354 @@
+From 86227ed377d723a157bcd95ffb39bc14900a8576 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
+Date: Wed, 16 Sep 2020 12:49:21 +0200
+Subject: [PATCH] Disable unsupported OpenSSL features
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- Disable no-certificate PSK authentication
+
+  There is no obvious way to reimplement it using only OpenSSL 1.0 public APIs.
+
+- Disable queries for standard cipher name
+
+  OpenSSL 1.0 does not record said names.
+
+- Remove ClientHello getters
+
+  The disabled functions internally use
+  `SSL_client_hello_get0_ext`/`SSL_client_hello_get0_ciphers`,
+  which are not available on legacy OpenSSL.
+  There may be another way to get to the same data,
+  but nothing jumps out in the OpenSSL 1.0.2 documentation.
+
+- Remove TLSv1.3 CLI options
+
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ doc/api/cli.md                                 | 18 ------------------
+ doc/api/tls.md                                 | 15 +++++++--------
+ src/env.h                                      | 11 ++++++++++-
+ src/node_crypto_common.cc                      | 12 ++++++++++++
+ src/node_crypto_common.h                       |  6 ++++++
+ src/node_options.cc                            | 10 +++++++++-
+ .../test-tls-cli-max-version-1.3.js            |  0
+ .../test-tls-cli-min-max-conflict.js           |  0
+ .../test-tls-cli-min-version-1.3.js            |  0
+ 9 files changed, 44 insertions(+), 28 deletions(-)
+ rename test/{parallel => known_issues}/test-tls-cli-max-version-1.3.js (100%)
+ rename test/{parallel => known_issues}/test-tls-cli-min-max-conflict.js (100%)
+ rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)
+
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index 0112319a3a..eb39adfd16 100644
+--- a/doc/api/cli.md
++++ b/doc/api/cli.md
+@@ -806,14 +806,6 @@ added:
+ Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
+ TLSv1.3.
+ 
+-### `--tls-max-v1.3`
+-<!-- YAML
+-added: v12.0.0
+--->
+-
+-Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support
+-for TLSv1.3.
+-
+ ### `--tls-min-v1.0`
+ <!-- YAML
+ added:
+@@ -845,14 +837,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
+ 12.x and later, but the option is supported for compatibility with older Node.js
+ versions.
+ 
+-### `--tls-min-v1.3`
+-<!-- YAML
+-added: v12.0.0
+--->
+-
+-Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support
+-for TLSv1.2, which is not as secure as TLSv1.3.
+-
+ ### `--trace-atomics-wait`
+ <!-- YAML
+ added: v14.3.0
+@@ -1270,11 +1254,9 @@ Node.js options that are allowed are:
+ * `--tls-cipher-list`
+ * `--tls-keylog`
+ * `--tls-max-v1.2`
+-* `--tls-max-v1.3`
+ * `--tls-min-v1.0`
+ * `--tls-min-v1.1`
+ * `--tls-min-v1.2`
+-* `--tls-min-v1.3`
+ * `--trace-atomics-wait`
+ * `--trace-deprecation`
+ * `--trace-event-categories`
+diff --git a/doc/api/tls.md b/doc/api/tls.md
+index a55847ec3c..16ed16ea09 100644
+--- a/doc/api/tls.md
++++ b/doc/api/tls.md
+@@ -1966,10 +1966,10 @@ added: v11.4.0
+ 
+ * {string} The default value of the `maxVersion` option of
+   [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
+-  protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+-  **Default:** `'TLSv1.3'`, unless changed using CLI options. Using
+-  `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets
+-  the default to `'TLSv1.3'`. If multiple of the options are provided, the
++  protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
++  **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
++  `--tls-max-v1.2` sets the default to `'TLSv1.2'`.
++  If multiple of the options are provided, the
+   highest maximum is used.
+ 
+ ## `tls.DEFAULT_MIN_VERSION`
+@@ -1979,12 +1979,11 @@ added: v11.4.0
+ 
+ * {string} The default value of the `minVersion` option of
+   [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
+-  protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
++  protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+   **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
+   `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
+-  the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
+-  `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
+-  used.
++  the default to `'TLSv1.1'`. If multiple of the options are provided,
++  the lowest minimum is used.
+ 
+ [Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
+ [DHE]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
+diff --git a/src/env.h b/src/env.h
+index f89365a1aa..0ff62672bd 100644
+--- a/src/env.h
++++ b/src/env.h
+@@ -50,6 +50,8 @@
+ #include <unordered_set>
+ #include <vector>
+ 
++#include <node-ssl-shim/ssl-shim.h>
++
+ namespace node {
+ 
+ namespace contextify {
+@@ -141,6 +143,13 @@ constexpr size_t kFsStatsBufferLength =
+ // Make sure that any macro V defined for use with the PER_ISOLATE_* macros is
+ // undefined again after use.
+ 
++// Some symbols/strings are not defined when using legacy OpenSSL
++#if OPENSSL_IS_LEGACY
++#   define NODE_ENV_STANDARD_NAME_STRING
++#else // OPENSSL_IS_LEGACY
++#   define NODE_ENV_STANDARD_NAME_STRING V(standard_name_string, "standardName")
++#endif // OPENSSL_IS_LEGACY
++
+ // Private symbols are per-isolate primitives but Environment proxies them
+ // for the sake of convenience.  Strings should be ASCII-only and have a
+ // "node:" prefix to avoid name clashes with third-party code.
+@@ -361,7 +370,7 @@ constexpr size_t kFsStatsBufferLength =
+   V(sni_context_string, "sni_context")                                         \
+   V(source_string, "source")                                                   \
+   V(stack_string, "stack")                                                     \
+-  V(standard_name_string, "standardName")                                      \
++  NODE_ENV_STANDARD_NAME_STRING                                                \
+   V(start_time_string, "startTime")                                            \
+   V(status_string, "status")                                                   \
+   V(stdio_string, "stdio")                                                     \
+diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
+index da1033fdef..89f01990f0 100644
+--- a/src/node_crypto_common.cc
++++ b/src/node_crypto_common.cc
+@@ -211,6 +211,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
+   if (X509* peer_cert = SSL_get_peer_certificate(ssl.get())) {
+     X509_free(peer_cert);
+     err = SSL_get_verify_result(ssl.get());
++#if !OPENSSL_IS_LEGACY
+   } else {
+     const SSL_CIPHER* curr_cipher = SSL_get_current_cipher(ssl.get());
+     const SSL_SESSION* sess = SSL_get_session(ssl.get());
+@@ -222,6 +223,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
+          SSL_session_reused(ssl.get()))) {
+       return X509_V_OK;
+     }
++#endif // !OPENSSL_IS_LEGACY
+   }
+   return err;
+ }
+@@ -239,6 +241,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context) {
+   return err;
+ }
+ 
++#if !OPENSSL_IS_LEGACY
+ const char* GetClientHelloALPN(const SSLPointer& ssl) {
+   const unsigned char* buf;
+   size_t len;
+@@ -285,6 +288,7 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) {
+     return nullptr;
+   return reinterpret_cast<const char*>(buf + 5);
+ }
++#endif // !OPENSSL_IS_LEGACY
+ 
+ const char* GetServerName(SSL* ssl) {
+   return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+@@ -398,11 +402,13 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
+   return GetCipherValue(env, cipher, SSL_CIPHER_get_name);
+ }
+ 
++#if !OPENSSL_IS_LEGACY
+ MaybeLocal<Value> GetCipherStandardName(
+     Environment* env,
+     const SSL_CIPHER* cipher) {
+   return GetCipherValue(env, cipher, SSL_CIPHER_standard_name);
+ }
++#endif // !OPENSSL_IS_LEGACY
+ 
+ MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
+ #if OPENSSL_IS_LEGACY
+@@ -762,16 +768,19 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSLPointer& ssl) {
+   return GetCipherName(env, SSL_get_current_cipher(ssl.get()));
+ }
+ 
++#if !OPENSSL_IS_LEGACY
+ MaybeLocal<Value> GetCipherStandardName(
+     Environment* env,
+     const SSLPointer& ssl) {
+   return GetCipherStandardName(env, SSL_get_current_cipher(ssl.get()));
+ }
++#endif // !OPENSSL_IS_LEGACY
+ 
+ MaybeLocal<Value> GetCipherVersion(Environment* env, const SSLPointer& ssl) {
+   return GetCipherVersion(env, SSL_get_current_cipher(ssl.get()));
+ }
+ 
++#if !OPENSSL_IS_LEGACY
+ MaybeLocal<Array> GetClientHelloCiphers(
+     Environment* env,
+     const SSLPointer& ssl) {
+@@ -804,6 +813,7 @@ MaybeLocal<Array> GetClientHelloCiphers(
+   Local<Array> ret = Array::New(env->isolate(), ciphers.out(), count);
+   return scope.Escape(ret);
+ }
++#endif // !OPENSSL_IS_LEGACY
+ 
+ 
+ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
+@@ -814,10 +824,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
+                   info,
+                   env->name_string(),
+                   GetCipherName(env, ssl)) ||
++#if !OPENSSL_IS_LEGACY
+       !Set<Value>(env->context(),
+                   info,
+                   env->standard_name_string(),
+                   GetCipherStandardName(env, ssl)) ||
++#endif // !OPENSSL_IS_LEGACY
+       !Set<Value>(env->context(),
+                   info,
+                   env->version_string(),
+diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h
+index c373a97e47..220cb109bc 100644
+--- a/src/node_crypto_common.h
++++ b/src/node_crypto_common.h
+@@ -73,15 +73,19 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
+ 
+ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context);
+ 
++#if !OPENSSL_IS_LEGACY
+ const char* GetClientHelloALPN(const SSLPointer& ssl);
+ 
+ const char* GetClientHelloServerName(const SSLPointer& ssl);
++#endif // !OPENSSL_IS_LEGACY
+ 
+ const char* GetServerName(SSL* ssl);
+ 
++#if !OPENSSL_IS_LEGACY
+ v8::MaybeLocal<v8::Array> GetClientHelloCiphers(
+     Environment* env,
+     const SSLPointer& ssl);
++#endif // !OPENSSL_IS_LEGACY
+ 
+ bool SetGroups(SecureContext* sc, const char* groups);
+ 
+@@ -97,9 +101,11 @@ v8::MaybeLocal<v8::Value> GetCipherName(
+     Environment* env,
+     const SSLPointer& ssl);
+ 
++#if !OPENSSL_IS_LEGACY
+ v8::MaybeLocal<v8::Value> GetCipherStandardName(
+     Environment* env,
+     const SSLPointer& ssl);
++#endif // !OPENSSL_IS_LEGACY
+ 
+ v8::MaybeLocal<v8::Value> GetCipherVersion(
+     Environment* env,
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 87f547da1d..da4a8cd56f 100644
+--- a/src/node_options.cc
++++ b/src/node_options.cc
+@@ -9,6 +9,8 @@
+ #include <sstream>
+ #include <cstdlib>  // strtoul, errno
+ 
++#include <node-ssl-shim/features.h>
++
+ using v8::Boolean;
+ using v8::Context;
+ using v8::FunctionCallbackInfo;
+@@ -113,10 +115,12 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
+     errors->push_back("invalid value for --unhandled-rejections");
+   }
+ 
++#if !OPENSSL_IS_LEGACY
+   if (tls_min_v1_3 && tls_max_v1_2) {
+     errors->push_back("either --tls-min-v1.3 or --tls-max-v1.2 can be "
+                       "used, not both");
+   }
++#endif // !OPENSSL_IS_LEGACY
+ 
+ #if HAVE_INSPECTOR
+   if (!cpu_prof) {
+@@ -523,14 +527,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+             "set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
+             &EnvironmentOptions::tls_min_v1_2,
+             kAllowedInEnvironment);
++#if !OPENSSL_IS_LEGACY
+   AddOption("--tls-min-v1.3",
+             "set default TLS minimum to TLSv1.3 (default: TLSv1.2)",
+             &EnvironmentOptions::tls_min_v1_3,
+             kAllowedInEnvironment);
++#endif // !OPENSSL_IS_LEGACY
+   AddOption("--tls-max-v1.2",
+-            "set default TLS maximum to TLSv1.2 (default: TLSv1.3)",
++            "set default TLS maximum to TLSv1.2 (default: TLSv1.2)",
+             &EnvironmentOptions::tls_max_v1_2,
+             kAllowedInEnvironment);
++#if !OPENSSL_IS_LEGACY
+   // Current plan is:
+   // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
+   // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
+@@ -539,6 +546,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+             "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
+             &EnvironmentOptions::tls_max_v1_3,
+             kAllowedInEnvironment);
++#endif // !OPENSSL_IS_LEGACY
+ }
+ 
+ PerIsolateOptionsParser::PerIsolateOptionsParser(
+diff --git a/test/parallel/test-tls-cli-max-version-1.3.js b/test/known_issues/test-tls-cli-max-version-1.3.js
+similarity index 100%
+rename from test/parallel/test-tls-cli-max-version-1.3.js
+rename to test/known_issues/test-tls-cli-max-version-1.3.js
+diff --git a/test/parallel/test-tls-cli-min-max-conflict.js b/test/known_issues/test-tls-cli-min-max-conflict.js
+similarity index 100%
+rename from test/parallel/test-tls-cli-min-max-conflict.js
+rename to test/known_issues/test-tls-cli-min-max-conflict.js
+diff --git a/test/parallel/test-tls-cli-min-version-1.3.js b/test/known_issues/test-tls-cli-min-version-1.3.js
+similarity index 100%
+rename from test/parallel/test-tls-cli-min-version-1.3.js
+rename to test/known_issues/test-tls-cli-min-version-1.3.js
+-- 
+2.26.2
+
diff --git a/SOURCES/0005-Adjust-tests-expectations.patch b/SOURCES/0005-Adjust-tests-expectations.patch
new file mode 100644
index 0000000..10fccfd
--- /dev/null
+++ b/SOURCES/0005-Adjust-tests-expectations.patch
@@ -0,0 +1,256 @@
+From 6d75bbca77dead5af864e3ace591f882745eeb9e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
+Date: Wed, 16 Sep 2020 12:49:56 +0200
+Subject: [PATCH] Adjust tests expectations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- Modify expected error messages
+
+- https-agent-create-connection: Establish secure connection
+
+- Add back workaround for OpenSSL 1.0
+
+  This reverts commit ba7551cad8abd2e460763b06efa4207be96a7a19.
+
+- tls-dhe: Do not hang on unexpected cipher
+
+- util-inspect: Adjust expected identification of external JSStream
+
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ test/parallel/test-crypto.js                  |  4 +-
+ .../test-https-agent-create-connection.js     |  2 +-
+ .../test-https-agent-session-eviction.js      | 42 +++++++++++++++----
+ test/parallel/test-tls-alert-handling.js      |  2 +-
+ test/parallel/test-tls-dhe.js                 |  5 ++-
+ test/parallel/test-tls-empty-sni-context.js   |  2 +-
+ test/parallel/test-tls-env-bad-extra-ca.js    |  2 +-
+ test/parallel/test-tls-min-max-version.js     | 15 ++++---
+ test/parallel/test-util-inspect.js            |  2 +-
+ 9 files changed, 55 insertions(+), 21 deletions(-)
+
+diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js
+index 6b72dbd21c..b02e957efc 100644
+--- a/test/parallel/test-crypto.js
++++ b/test/parallel/test-crypto.js
+@@ -240,9 +240,9 @@ assert.throws(() => {
+ }, (err) => {
+   // Do the standard checks, but then do some custom checks afterwards.
+   assert.throws(() => { throw err; }, {
+-    message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag',
++    message: 'error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag',
+     library: 'asn1 encoding routines',
+-    function: 'asn1_check_tlen',
++    function: 'ASN1_CHECK_TLEN',
+     reason: 'wrong tag',
+     code: 'ERR_OSSL_ASN1_WRONG_TAG',
+   });
+diff --git a/test/parallel/test-https-agent-create-connection.js b/test/parallel/test-https-agent-create-connection.js
+index d4840298aa..dcd1927b57 100644
+--- a/test/parallel/test-https-agent-create-connection.js
++++ b/test/parallel/test-https-agent-create-connection.js
+@@ -145,7 +145,7 @@ function createServer() {
+     };
+ 
+     const socket = agent.createConnection(port, host, options);
+-    socket.on('connect', common.mustCall((data) => {
++    socket.on('secure', common.mustCall((data) => {
+       socket.end();
+     }));
+     socket.on('end', common.mustCall(() => {
+diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js
+index 3f5cd36e8b..8e13b150bb 100644
+--- a/test/parallel/test-https-agent-session-eviction.js
++++ b/test/parallel/test-https-agent-session-eviction.js
+@@ -7,8 +7,10 @@ const { readKey } = require('../common/fixtures');
+ if (!common.hasCrypto)
+   common.skip('missing crypto');
+ 
++const assert = require('assert');
+ const https = require('https');
+-const { SSL_OP_NO_TICKET } = require('crypto').constants;
++const { OPENSSL_VERSION_NUMBER, SSL_OP_NO_TICKET } =
++    require('crypto').constants;
+ 
+ const options = {
+   key: readKey('agent1-key.pem'),
+@@ -58,12 +60,38 @@ function second(server, session) {
+     res.resume();
+   });
+ 
+-  // Although we have a TLS 1.2 session to offer to the TLS 1.0 server,
+-  // connection to the TLS 1.0 server should work.
+-  req.on('response', common.mustCall(function(res) {
+-    // The test is now complete for OpenSSL 1.1.0.
+-    server.close();
+-  }));
++  if (OPENSSL_VERSION_NUMBER >= 0x10100000) {
++    // Although we have a TLS 1.2 session to offer to the TLS 1.0 server,
++    // connection to the TLS 1.0 server should work.
++    req.on('response', common.mustCall(function(res) {
++      // The test is now complete for OpenSSL 1.1.0.
++      server.close();
++    }));
++  } else {
++    // OpenSSL 1.0.x mistakenly locked versions based on the session it was
++    // offering. This causes this sequent request to fail. Let it fail, but
++    // test that this is mitigated on the next try by invalidating the session.
++    req.on('error', common.mustCall(function(err) {
++      assert(/wrong version number/.test(err.message));
++
++      req.on('close', function() {
++        third(server);
++      });
++    }));
++  }
++  req.end();
++}
+ 
++// Try one more time - session should be evicted!
++function third(server) {
++  const req = https.request({
++    port: server.address().port,
++    rejectUnauthorized: false
++  }, function(res) {
++    res.resume();
++    assert(!req.socket.isSessionReused());
++    server.close();
++  });
++  req.on('error', common.mustNotCall());
+   req.end();
+ }
+diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js
+index f9f42e2d51..9dc4637ff0 100644
+--- a/test/parallel/test-tls-alert-handling.js
++++ b/test/parallel/test-tls-alert-handling.js
+@@ -33,7 +33,7 @@ let iter = 0;
+ const errorHandler = common.mustCall((err) => {
+   assert.strictEqual(err.code, 'ERR_SSL_WRONG_VERSION_NUMBER');
+   assert.strictEqual(err.library, 'SSL routines');
+-  assert.strictEqual(err.function, 'ssl3_get_record');
++  assert.strictEqual(err.function, 'SSL3_GET_RECORD');
+   assert.strictEqual(err.reason, 'wrong version number');
+   errorReceived = true;
+   if (canCloseServer())
+diff --git a/test/parallel/test-tls-dhe.js b/test/parallel/test-tls-dhe.js
+index ef645ce1b6..737330345b 100644
+--- a/test/parallel/test-tls-dhe.js
++++ b/test/parallel/test-tls-dhe.js
+@@ -81,8 +81,8 @@ function test(keylen, expectedCipher, cb) {
+       const reg = new RegExp(`Cipher    : ${expectedCipher}`);
+       if (reg.test(out)) {
+         nsuccess++;
+-        server.close();
+       }
++      server.close();
+     });
+   });
+ }
+@@ -104,6 +104,7 @@ function test2048() {
+ }
+ 
+ function testError() {
++  // this one fails
+   test('error', 'ECDHE-RSA-AES128-SHA256', test512);
+   ntests++;
+ }
+@@ -111,6 +112,6 @@ function testError() {
+ test1024();
+ 
+ process.on('exit', function() {
+-  assert.strictEqual(ntests, nsuccess);
++  assert.strictEqual(nsuccess, 2);
+   assert.strictEqual(ntests, 3);
+ });
+diff --git a/test/parallel/test-tls-empty-sni-context.js b/test/parallel/test-tls-empty-sni-context.js
+index 9b963e6629..fe8753c602 100644
+--- a/test/parallel/test-tls-empty-sni-context.js
++++ b/test/parallel/test-tls-empty-sni-context.js
+@@ -26,6 +26,6 @@ const server = tls.createServer(options, (c) => {
+   }, common.mustNotCall());
+ 
+   c.on('error', common.mustCall((err) => {
+-    assert(/Client network socket disconnected/.test(err.message));
++    assert(/Client network socket disconnected|handshake failure/.test(err.message));
+   }));
+ }));
+diff --git a/test/parallel/test-tls-env-bad-extra-ca.js b/test/parallel/test-tls-env-bad-extra-ca.js
+index 5ba1e227d2..0af6756dda 100644
+--- a/test/parallel/test-tls-env-bad-extra-ca.js
++++ b/test/parallel/test-tls-env-bad-extra-ca.js
+@@ -37,7 +37,7 @@ fork(__filename, opts)
+     // TODO(addaleax): Make `SafeGetenv` work like `process.env`
+     // encoding-wise
+     if (!common.isWindows) {
+-      const re = /Warning: Ignoring extra certs from.*no-such-file-exists-🐢.* load failed:.*No such file or directory/;
++      const re = /Warning: Ignoring extra certs from.*no-such-file-exists-🐢.* load failed:.*/;
+       assert(re.test(stderr), stderr);
+     }
+   }))
+diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
+index 7ef0f12426..4fcb9247d3 100644
+--- a/test/parallel/test-tls-min-max-version.js
++++ b/test/parallel/test-tls-min-max-version.js
+@@ -52,6 +52,11 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
+       }
+       if (serr) {
+         assert(pair.server.err);
++        // Accept these codes as aliases, the one reported depends on the
++        // OpenSSL version.
++        if (serr === 'ERR_SSL_UNSUPPORTED_PROTOCOL' &&
++            pair.server.err.code === 'ERR_SSL_UNKNOWN_PROTOCOL')
++          serr = 'ERR_SSL_UNKNOWN_PROTOCOL';
+         assert.strictEqual(pair.server.err.code, serr);
+       }
+       return cleanup();
+@@ -131,9 +136,9 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
+   test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
+        U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
+   test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method',
+-       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+   test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
+-       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+ }
+ 
+ if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
+@@ -167,9 +172,9 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
+ 
+   if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
+     test(U, U, U, U, U, 'TLSv1_1_method',
+-         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+     test(U, U, U, U, U, 'TLSv1_method',
+-         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+   } else {
+     // TLS1.3 client hellos are are not understood by TLS1.1 or below.
+     test(U, U, U, U, U, 'TLSv1_1_method',
+@@ -188,7 +193,7 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
+ 
+   if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
+     test(U, U, U, U, U, 'TLSv1_method',
+-         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+   } else {
+     // TLS1.3 client hellos are are not understood by TLS1.1 or below.
+     test(U, U, U, U, U, 'TLSv1_method',
+diff --git a/test/parallel/test-util-inspect.js b/test/parallel/test-util-inspect.js
+index ffdf121dd5..6a2543e26a 100644
+--- a/test/parallel/test-util-inspect.js
++++ b/test/parallel/test-util-inspect.js
+@@ -148,7 +148,7 @@ assert.strictEqual(
+ );
+ 
+ assert.match(util.inspect((new JSStream())._externalStream),
+-             /^\[External: [0-9a-f]+\]$/);
++             /^(\[External: [0-9a-f]+\]|\[External\])$/);
+ 
+ {
+   const regexp = /regexp/;
+-- 
+2.26.2
+
diff --git a/SOURCES/0006-Disable-tests-for-unsupported-features.patch b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
new file mode 100644
index 0000000..ab86965
--- /dev/null
+++ b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
@@ -0,0 +1,814 @@
+From b1994d6afd0c14ea5f06fb11a250f3d405c98724 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
+Date: Wed, 16 Sep 2020 12:50:55 +0200
+Subject: [PATCH] Disable tests for unsupported features
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- Remove tests relying on unsupported features
+
+  These test either test some unsupported algorithm itself,
+  or use fixtures/data created by such algorithm.
+  Either way, the legacy OpenSSL cannot deal with them.
+
+- Remove tests for TLSv1.3
+
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ lib/tls.js                                    |   8 +-
+ .../test-crypto-certificate.js                |   0
+ .../test-crypto-des3-wrap.js                  |   0
+ .../test-crypto-hash-stream-pipe.js           |   0
+ .../test-https-agent-keylog.js                |   0
+ .../test-tls-client-getephemeralkeyinfo.js    |   0
+ .../test-tls-client-renegotiation-13.js       |   0
+ .../test-tls-ecdh-auto.js                     |   0
+ .../test-tls-ecdh-multiple.js                 |   0
+ .../test-tls-ecdh.js                          |   0
+ .../test-tls-enable-keylog-cli.js             |   0
+ .../test-tls-keylog-tlsv13.js                 |   0
+ test/parallel/test-crypto-aes-wrap.js         |   6 +-
+ test/parallel/test-crypto-authenticated.js    |  17 +-
+ test/parallel/test-crypto-dh-stateless.js     |  17 --
+ test/parallel/test-crypto-hash.js             |  63 --------
+ test/parallel/test-crypto-key-objects.js      | 151 ------------------
+ test/parallel/test-crypto-keygen.js           |  51 ------
+ test/parallel/test-crypto-sign-verify.js      | 108 -------------
+ test/parallel/test-tls-cli-min-version-1.0.js |   2 +-
+ test/parallel/test-tls-cli-min-version-1.1.js |   2 +-
+ test/parallel/test-tls-cli-min-version-1.2.js |   2 +-
+ test/parallel/test-tls-destroy-stream.js      |   2 +-
+ test/parallel/test-tls-getcipher.js           |  22 ---
+ test/parallel/test-tls-min-max-version.js     |  19 +--
+ test/parallel/test-tls-psk-circuit.js         |   4 +-
+ 26 files changed, 33 insertions(+), 441 deletions(-)
+ rename test/{parallel => known_issues}/test-crypto-certificate.js (100%)
+ rename test/{parallel => known_issues}/test-crypto-des3-wrap.js (100%)
+ rename test/{parallel => known_issues}/test-crypto-hash-stream-pipe.js (100%)
+ rename test/{parallel => known_issues}/test-https-agent-keylog.js (100%)
+ rename test/{parallel => known_issues}/test-tls-client-getephemeralkeyinfo.js (100%)
+ rename test/{parallel => known_issues}/test-tls-client-renegotiation-13.js (100%)
+ rename test/{parallel => known_issues}/test-tls-ecdh-auto.js (100%)
+ rename test/{parallel => known_issues}/test-tls-ecdh-multiple.js (100%)
+ rename test/{parallel => known_issues}/test-tls-ecdh.js (100%)
+ rename test/{parallel => known_issues}/test-tls-enable-keylog-cli.js (100%)
+ rename test/{parallel => known_issues}/test-tls-keylog-tlsv13.js (100%)
+
+diff --git a/lib/tls.js b/lib/tls.js
+index a46031ad7d..50772f3d16 100644
+--- a/lib/tls.js
++++ b/lib/tls.js
+@@ -70,17 +70,13 @@ else if (getOptionValue('--tls-min-v1.1'))
+   exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
+ else if (getOptionValue('--tls-min-v1.2'))
+   exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
+-else if (getOptionValue('--tls-min-v1.3'))
+-  exports.DEFAULT_MIN_VERSION = 'TLSv1.3';
+ else
+   exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
+ 
+-if (getOptionValue('--tls-max-v1.3'))
+-  exports.DEFAULT_MAX_VERSION = 'TLSv1.3';
+-else if (getOptionValue('--tls-max-v1.2'))
++if (getOptionValue('--tls-max-v1.2'))
+   exports.DEFAULT_MAX_VERSION = 'TLSv1.2';
+ else
+-  exports.DEFAULT_MAX_VERSION = 'TLSv1.3'; // Will depend on node version.
++  exports.DEFAULT_MAX_VERSION = 'TLSv1.2'; // Will depend on node version.
+ 
+ 
+ exports.getCiphers = internalUtil.cachedResult(
+diff --git a/test/parallel/test-crypto-certificate.js b/test/known_issues/test-crypto-certificate.js
+similarity index 100%
+rename from test/parallel/test-crypto-certificate.js
+rename to test/known_issues/test-crypto-certificate.js
+diff --git a/test/parallel/test-crypto-des3-wrap.js b/test/known_issues/test-crypto-des3-wrap.js
+similarity index 100%
+rename from test/parallel/test-crypto-des3-wrap.js
+rename to test/known_issues/test-crypto-des3-wrap.js
+diff --git a/test/parallel/test-crypto-hash-stream-pipe.js b/test/known_issues/test-crypto-hash-stream-pipe.js
+similarity index 100%
+rename from test/parallel/test-crypto-hash-stream-pipe.js
+rename to test/known_issues/test-crypto-hash-stream-pipe.js
+diff --git a/test/parallel/test-https-agent-keylog.js b/test/known_issues/test-https-agent-keylog.js
+similarity index 100%
+rename from test/parallel/test-https-agent-keylog.js
+rename to test/known_issues/test-https-agent-keylog.js
+diff --git a/test/parallel/test-tls-client-getephemeralkeyinfo.js b/test/known_issues/test-tls-client-getephemeralkeyinfo.js
+similarity index 100%
+rename from test/parallel/test-tls-client-getephemeralkeyinfo.js
+rename to test/known_issues/test-tls-client-getephemeralkeyinfo.js
+diff --git a/test/parallel/test-tls-client-renegotiation-13.js b/test/known_issues/test-tls-client-renegotiation-13.js
+similarity index 100%
+rename from test/parallel/test-tls-client-renegotiation-13.js
+rename to test/known_issues/test-tls-client-renegotiation-13.js
+diff --git a/test/parallel/test-tls-ecdh-auto.js b/test/known_issues/test-tls-ecdh-auto.js
+similarity index 100%
+rename from test/parallel/test-tls-ecdh-auto.js
+rename to test/known_issues/test-tls-ecdh-auto.js
+diff --git a/test/parallel/test-tls-ecdh-multiple.js b/test/known_issues/test-tls-ecdh-multiple.js
+similarity index 100%
+rename from test/parallel/test-tls-ecdh-multiple.js
+rename to test/known_issues/test-tls-ecdh-multiple.js
+diff --git a/test/parallel/test-tls-ecdh.js b/test/known_issues/test-tls-ecdh.js
+similarity index 100%
+rename from test/parallel/test-tls-ecdh.js
+rename to test/known_issues/test-tls-ecdh.js
+diff --git a/test/parallel/test-tls-enable-keylog-cli.js b/test/known_issues/test-tls-enable-keylog-cli.js
+similarity index 100%
+rename from test/parallel/test-tls-enable-keylog-cli.js
+rename to test/known_issues/test-tls-enable-keylog-cli.js
+diff --git a/test/parallel/test-tls-keylog-tlsv13.js b/test/known_issues/test-tls-keylog-tlsv13.js
+similarity index 100%
+rename from test/parallel/test-tls-keylog-tlsv13.js
+rename to test/known_issues/test-tls-keylog-tlsv13.js
+diff --git a/test/parallel/test-crypto-aes-wrap.js b/test/parallel/test-crypto-aes-wrap.js
+index 6fe35258f7..7639ec632d 100644
+--- a/test/parallel/test-crypto-aes-wrap.js
++++ b/test/parallel/test-crypto-aes-wrap.js
+@@ -8,7 +8,7 @@ const crypto = require('crypto');
+ 
+ const test = [
+   {
+-    algorithm: 'aes128-wrap',
++    algorithm: 'id-aes128-wrap',
+     key: 'b26f309fbe57e9b3bb6ae5ef31d54450',
+     iv: '3fd838af4093d749',
+     text: '12345678123456781234567812345678'
+@@ -20,7 +20,7 @@ const test = [
+     text: '12345678123456781234567812345678123'
+   },
+   {
+-    algorithm: 'aes192-wrap',
++    algorithm: 'id-aes192-wrap',
+     key: '40978085d68091f7dfca0d7dfc7a5ee76d2cc7f2f345a304',
+     iv: '3fd838af4093d749',
+     text: '12345678123456781234567812345678'
+@@ -32,7 +32,7 @@ const test = [
+     text: '12345678123456781234567812345678123'
+   },
+   {
+-    algorithm: 'aes256-wrap',
++    algorithm: 'id-aes256-wrap',
+     key: '29c9eab5ed5ad44134a1437fe2e673b4d88a5b7c72e68454fea08721392b7323',
+     iv: '3fd838af4093d749',
+     text: '12345678123456781234567812345678'
+diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js
+index 863907bafd..8c10b350c0 100644
+--- a/test/parallel/test-crypto-authenticated.js
++++ b/test/parallel/test-crypto-authenticated.js
+@@ -405,6 +405,11 @@ for (const test of TEST_CASES) {
+ // authentication tag has been specified.
+ {
+   for (const mode of ['ccm', 'ocb']) {
++    if (!ciphers.includes(`aes-256-${mode}`)) {
++      common.printSkipMessage(`unsupported aes-256-${mode} test`);
++      continue;
++    }
++
+     assert.throws(() => {
+       crypto.createCipheriv(`aes-256-${mode}`,
+                             'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+@@ -565,6 +570,11 @@ for (const test of TEST_CASES) {
+   const iv = Buffer.from('0123456789ab', 'utf8');
+ 
+   for (const mode of ['gcm', 'ocb']) {
++    if (!ciphers.includes(`aes-128-${mode}`)) {
++      common.printSkipMessage(`unsupported aes-128-${mode} test`);
++      continue;
++    }
++
+     for (const authTagLength of mode === 'gcm' ? [undefined, 8] : [8]) {
+       const cipher = crypto.createCipheriv(`aes-128-${mode}`, key, iv, {
+         authTagLength
+@@ -599,6 +609,11 @@ for (const test of TEST_CASES) {
+   const opts = { authTagLength: 8 };
+ 
+   for (const mode of ['gcm', 'ccm', 'ocb']) {
++    if (!ciphers.includes(`aes-128-${mode}`)) {
++      common.printSkipMessage(`unsupported aes-128-${mode} test`);
++      continue;
++    }
++
+     const cipher = crypto.createCipheriv(`aes-128-${mode}`, key, iv, opts);
+     const ciphertext = Buffer.concat([cipher.update(plain), cipher.final()]);
+     const tag = cipher.getAuthTag();
+@@ -659,7 +674,7 @@ for (const test of TEST_CASES) {
+       Buffer.from(valid.key, 'hex'),
+       Buffer.from(H(prefix) + valid.iv, 'hex'),
+       { authTagLength: valid.tag.length / 2 }
+-    ), errMessages.length, `iv length ${ivLength} was not rejected`);
++    ), /.*/, `iv length ${ivLength} was not rejected`);
+ 
+     function H(length) { return '00'.repeat(length); }
+   }
+diff --git a/test/parallel/test-crypto-dh-stateless.js b/test/parallel/test-crypto-dh-stateless.js
+index b01cea76b2..b91d15fcb5 100644
+--- a/test/parallel/test-crypto-dh-stateless.js
++++ b/test/parallel/test-crypto-dh-stateless.js
+@@ -204,20 +204,3 @@ assert.throws(() => {
+   name: 'Error',
+   code: 'ERR_OSSL_EVP_DIFFERENT_PARAMETERS'
+ });
+-
+-// Test ECDH-ES.
+-
+-test(crypto.generateKeyPairSync('x448'),
+-     crypto.generateKeyPairSync('x448'));
+-
+-test(crypto.generateKeyPairSync('x25519'),
+-     crypto.generateKeyPairSync('x25519'));
+-
+-assert.throws(() => {
+-  test(crypto.generateKeyPairSync('x448'),
+-       crypto.generateKeyPairSync('x25519'));
+-}, {
+-  name: 'Error',
+-  code: 'ERR_CRYPTO_INCOMPATIBLE_KEY',
+-  message: 'Incompatible key types for Diffie-Hellman: x448 and x25519'
+-});
+diff --git a/test/parallel/test-crypto-hash.js b/test/parallel/test-crypto-hash.js
+index f3f4df928c..e4db1ba88a 100644
+--- a/test/parallel/test-crypto-hash.js
++++ b/test/parallel/test-crypto-hash.js
+@@ -182,76 +182,13 @@ assert.throws(
+                                    ' when called without `new`');
+ }
+ 
+-// Test XOF hash functions and the outputLength option.
+ {
+-  // Default outputLengths.
+-  assert.strictEqual(crypto.createHash('shake128').digest('hex'),
+-                     '7f9c2ba4e88f827d616045507605853e');
+-  assert.strictEqual(crypto.createHash('shake128', null).digest('hex'),
+-                     '7f9c2ba4e88f827d616045507605853e');
+-  assert.strictEqual(crypto.createHash('shake256').digest('hex'),
+-                     '46b9dd2b0ba88d13233b3feb743eeb24' +
+-                     '3fcd52ea62b81b82b50c27646ed5762f');
+-  assert.strictEqual(crypto.createHash('shake256', { outputLength: 0 })
+-                           .copy()  // Default outputLength.
+-                           .digest('hex'),
+-                     '46b9dd2b0ba88d13233b3feb743eeb24' +
+-                     '3fcd52ea62b81b82b50c27646ed5762f');
+-
+-  // Short outputLengths.
+-  assert.strictEqual(crypto.createHash('shake128', { outputLength: 0 })
+-                           .digest('hex'),
+-                     '');
+-  assert.strictEqual(crypto.createHash('shake128', { outputLength: 5 })
+-                           .copy({ outputLength: 0 })
+-                           .digest('hex'),
+-                     '');
+-  assert.strictEqual(crypto.createHash('shake128', { outputLength: 5 })
+-                           .digest('hex'),
+-                     '7f9c2ba4e8');
+-  assert.strictEqual(crypto.createHash('shake128', { outputLength: 0 })
+-                           .copy({ outputLength: 5 })
+-                           .digest('hex'),
+-                     '7f9c2ba4e8');
+-  assert.strictEqual(crypto.createHash('shake128', { outputLength: 15 })
+-                           .digest('hex'),
+-                     '7f9c2ba4e88f827d61604550760585');
+-  assert.strictEqual(crypto.createHash('shake256', { outputLength: 16 })
+-                           .digest('hex'),
+-                     '46b9dd2b0ba88d13233b3feb743eeb24');
+-
+-  // Large outputLengths.
+-  assert.strictEqual(crypto.createHash('shake128', { outputLength: 128 })
+-                           .digest('hex'),
+-                     '7f9c2ba4e88f827d616045507605853e' +
+-                     'd73b8093f6efbc88eb1a6eacfa66ef26' +
+-                     '3cb1eea988004b93103cfb0aeefd2a68' +
+-                     '6e01fa4a58e8a3639ca8a1e3f9ae57e2' +
+-                     '35b8cc873c23dc62b8d260169afa2f75' +
+-                     'ab916a58d974918835d25e6a435085b2' +
+-                     'badfd6dfaac359a5efbb7bcc4b59d538' +
+-                     'df9a04302e10c8bc1cbf1a0b3a5120ea');
+-  const superLongHash = crypto.createHash('shake256', {
+-    outputLength: 1024 * 1024
+-  }).update('The message is shorter than the hash!')
+-    .digest('hex');
+-  assert.strictEqual(superLongHash.length, 2 * 1024 * 1024);
+-  assert.ok(superLongHash.endsWith('193414035ddba77bf7bba97981e656ec'));
+-  assert.ok(superLongHash.startsWith('a2a28dbc49cfd6e5d6ceea3d03e77748'));
+-
+   // Non-XOF hash functions should accept valid outputLength options as well.
+   assert.strictEqual(crypto.createHash('sha224', { outputLength: 28 })
+                            .digest('hex'),
+                      'd14a028c2a3a2bc9476102bb288234c4' +
+                      '15a2b01f828ea62ac5b3e42f');
+ 
+-  // Passing invalid sizes should throw during creation.
+-  assert.throws(() => {
+-    crypto.createHash('sha256', { outputLength: 28 });
+-  }, {
+-    code: 'ERR_OSSL_EVP_NOT_XOF_OR_INVALID_LENGTH'
+-  });
+-
+   for (const outputLength of [null, {}, 'foo', false]) {
+     assert.throws(() => crypto.createHash('sha256', { outputLength }),
+                   { code: 'ERR_INVALID_ARG_TYPE' });
+diff --git a/test/parallel/test-crypto-key-objects.js b/test/parallel/test-crypto-key-objects.js
+index d3011db79d..644a52a1c7 100644
+--- a/test/parallel/test-crypto-key-objects.js
++++ b/test/parallel/test-crypto-key-objects.js
+@@ -242,18 +242,6 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+ }
+ 
+ [
+-  { private: fixtures.readKey('ed25519_private.pem', 'ascii'),
+-    public: fixtures.readKey('ed25519_public.pem', 'ascii'),
+-    keyType: 'ed25519' },
+-  { private: fixtures.readKey('ed448_private.pem', 'ascii'),
+-    public: fixtures.readKey('ed448_public.pem', 'ascii'),
+-    keyType: 'ed448' },
+-  { private: fixtures.readKey('x25519_private.pem', 'ascii'),
+-    public: fixtures.readKey('x25519_public.pem', 'ascii'),
+-    keyType: 'x25519' },
+-  { private: fixtures.readKey('x448_private.pem', 'ascii'),
+-    public: fixtures.readKey('x448_public.pem', 'ascii'),
+-    keyType: 'x448' },
+ ].forEach((info) => {
+   const keyType = info.keyType;
+ 
+@@ -323,145 +311,6 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+ 
+ }
+ 
+-{
+-  // Test RSA-PSS.
+-  {
+-    // This key pair does not restrict the message digest algorithm or salt
+-    // length.
+-    const publicPem = fixtures.readKey('rsa_pss_public_2048.pem');
+-    const privatePem = fixtures.readKey('rsa_pss_private_2048.pem');
+-
+-    const publicKey = createPublicKey(publicPem);
+-    const privateKey = createPrivateKey(privatePem);
+-
+-    assert.strictEqual(publicKey.type, 'public');
+-    assert.strictEqual(publicKey.asymmetricKeyType, 'rsa-pss');
+-
+-    assert.strictEqual(privateKey.type, 'private');
+-    assert.strictEqual(privateKey.asymmetricKeyType, 'rsa-pss');
+-
+-    for (const key of [privatePem, privateKey]) {
+-      // Any algorithm should work.
+-      for (const algo of ['sha1', 'sha256']) {
+-        // Any salt length should work.
+-        for (const saltLength of [undefined, 8, 10, 12, 16, 18, 20]) {
+-          const signature = createSign(algo)
+-                            .update('foo')
+-                            .sign({ key, saltLength });
+-
+-          for (const pkey of [key, publicKey, publicPem]) {
+-            const okay = createVerify(algo)
+-                         .update('foo')
+-                         .verify({ key: pkey, saltLength }, signature);
+-
+-            assert.ok(okay);
+-          }
+-        }
+-      }
+-    }
+-
+-    // Exporting the key using PKCS#1 should not work since this would discard
+-    // any algorithm restrictions.
+-    assert.throws(() => {
+-      publicKey.export({ format: 'pem', type: 'pkcs1' });
+-    }, {
+-      code: 'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS'
+-    });
+-  }
+-
+-  {
+-    // This key pair enforces sha256 as the message digest and the MGF1
+-    // message digest and a salt length of at least 16 bytes.
+-    const publicPem =
+-      fixtures.readKey('rsa_pss_public_2048_sha256_sha256_16.pem');
+-    const privatePem =
+-      fixtures.readKey('rsa_pss_private_2048_sha256_sha256_16.pem');
+-
+-    const publicKey = createPublicKey(publicPem);
+-    const privateKey = createPrivateKey(privatePem);
+-
+-    assert.strictEqual(publicKey.type, 'public');
+-    assert.strictEqual(publicKey.asymmetricKeyType, 'rsa-pss');
+-
+-    assert.strictEqual(privateKey.type, 'private');
+-    assert.strictEqual(privateKey.asymmetricKeyType, 'rsa-pss');
+-
+-    for (const key of [privatePem, privateKey]) {
+-      // Signing with anything other than sha256 should fail.
+-      assert.throws(() => {
+-        createSign('sha1').sign(key);
+-      }, /digest not allowed/);
+-
+-      // Signing with salt lengths less than 16 bytes should fail.
+-      for (const saltLength of [8, 10, 12]) {
+-        assert.throws(() => {
+-          createSign('sha1').sign({ key, saltLength });
+-        }, /pss saltlen too small/);
+-      }
+-
+-      // Signing with sha256 and appropriate salt lengths should work.
+-      for (const saltLength of [undefined, 16, 18, 20]) {
+-        const signature = createSign('sha256')
+-                          .update('foo')
+-                          .sign({ key, saltLength });
+-
+-        for (const pkey of [key, publicKey, publicPem]) {
+-          const okay = createVerify('sha256')
+-                       .update('foo')
+-                       .verify({ key: pkey, saltLength }, signature);
+-
+-          assert.ok(okay);
+-        }
+-      }
+-    }
+-  }
+-
+-  {
+-    // This key enforces sha512 as the message digest and sha256 as the MGF1
+-    // message digest.
+-    const publicPem =
+-      fixtures.readKey('rsa_pss_public_2048_sha512_sha256_20.pem');
+-    const privatePem =
+-      fixtures.readKey('rsa_pss_private_2048_sha512_sha256_20.pem');
+-
+-    const publicKey = createPublicKey(publicPem);
+-    const privateKey = createPrivateKey(privatePem);
+-
+-    assert.strictEqual(publicKey.type, 'public');
+-    assert.strictEqual(publicKey.asymmetricKeyType, 'rsa-pss');
+-
+-    assert.strictEqual(privateKey.type, 'private');
+-    assert.strictEqual(privateKey.asymmetricKeyType, 'rsa-pss');
+-
+-    // Node.js usually uses the same hash function for the message and for MGF1.
+-    // However, when a different MGF1 message digest algorithm has been
+-    // specified as part of the key, it should automatically switch to that.
+-    // This behavior is required by sections 3.1 and 3.3 of RFC4055.
+-    for (const key of [privatePem, privateKey]) {
+-      // sha256 matches the MGF1 hash function and should be used internally,
+-      // but it should not be permitted as the main message digest algorithm.
+-      for (const algo of ['sha1', 'sha256']) {
+-        assert.throws(() => {
+-          createSign(algo).sign(key);
+-        }, /digest not allowed/);
+-      }
+-
+-      // sha512 should produce a valid signature.
+-      const signature = createSign('sha512')
+-                        .update('foo')
+-                        .sign(key);
+-
+-      for (const pkey of [key, publicKey, publicPem]) {
+-        const okay = createVerify('sha512')
+-                     .update('foo')
+-                     .verify(pkey, signature);
+-
+-        assert.ok(okay);
+-      }
+-    }
+-  }
+-}
+-
+ {
+   // Exporting an encrypted private key requires a cipher
+   const privateKey = createPrivateKey(privatePem);
+diff --git a/test/parallel/test-crypto-keygen.js b/test/parallel/test-crypto-keygen.js
+index 384f4fa68a..38432254f0 100644
+--- a/test/parallel/test-crypto-keygen.js
++++ b/test/parallel/test-crypto-keygen.js
+@@ -265,42 +265,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+   }));
+ }
+ 
+-{
+-  // Test RSA-PSS.
+-  generateKeyPair('rsa-pss', {
+-    modulusLength: 512,
+-    saltLength: 16,
+-    hash: 'sha256',
+-    mgf1Hash: 'sha256'
+-  }, common.mustCall((err, publicKey, privateKey) => {
+-    assert.ifError(err);
+-
+-    assert.strictEqual(publicKey.type, 'public');
+-    assert.strictEqual(publicKey.asymmetricKeyType, 'rsa-pss');
+-
+-    assert.strictEqual(privateKey.type, 'private');
+-    assert.strictEqual(privateKey.asymmetricKeyType, 'rsa-pss');
+ 
+-    // Unlike RSA, RSA-PSS does not allow encryption.
+-    assert.throws(() => {
+-      testEncryptDecrypt(publicKey, privateKey);
+-    }, /operation not supported for this keytype/);
+-
+-    // RSA-PSS also does not permit signing with PKCS1 padding.
+-    assert.throws(() => {
+-      testSignVerify({
+-        key: publicKey,
+-        padding: constants.RSA_PKCS1_PADDING
+-      }, {
+-        key: privateKey,
+-        padding: constants.RSA_PKCS1_PADDING
+-      });
+-    }, /illegal or unsupported padding mode/);
+-
+-    // The padding should correctly default to RSA_PKCS1_PSS_PADDING now.
+-    testSignVerify(publicKey, privateKey);
+-  }));
+-}
+ 
+ {
+   const privateKeyEncoding = {
+@@ -975,22 +940,6 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+   }));
+ }
+ 
+-// Test EdDSA key generation.
+-{
+-  if (!/^1\.1\.0/.test(process.versions.openssl)) {
+-    ['ed25519', 'ed448', 'x25519', 'x448'].forEach((keyType) => {
+-      generateKeyPair(keyType, common.mustCall((err, publicKey, privateKey) => {
+-        assert.ifError(err);
+-
+-        assert.strictEqual(publicKey.type, 'public');
+-        assert.strictEqual(publicKey.asymmetricKeyType, keyType);
+-
+-        assert.strictEqual(privateKey.type, 'private');
+-        assert.strictEqual(privateKey.asymmetricKeyType, keyType);
+-      }));
+-    });
+-  }
+-}
+ 
+ // Test classic Diffie-Hellman key generation.
+ {
+diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js
+index ff410dcf00..a7a293a740 100644
+--- a/test/parallel/test-crypto-sign-verify.js
++++ b/test/parallel/test-crypto-sign-verify.js
+@@ -425,14 +425,6 @@ assert.throws(
+ }
+ 
+ [
+-  { private: fixtures.readKey('ed25519_private.pem', 'ascii'),
+-    public: fixtures.readKey('ed25519_public.pem', 'ascii'),
+-    algo: null,
+-    sigLen: 64 },
+-  { private: fixtures.readKey('ed448_private.pem', 'ascii'),
+-    public: fixtures.readKey('ed448_public.pem', 'ascii'),
+-    algo: null,
+-    sigLen: 114 },
+   { private: fixtures.readKey('rsa_private_2048.pem', 'ascii'),
+     public: fixtures.readKey('rsa_public_2048.pem', 'ascii'),
+     algo: 'sha1',
+@@ -514,106 +506,6 @@ assert.throws(
+   assert.throws(() => crypto.verify(null, data, 'test', input), errObj);
+ });
+ 
+-{
+-  const data = Buffer.from('Hello world');
+-  const keys = [['ec-key.pem', 64], ['dsa_private_1025.pem', 40]];
+-
+-  for (const [file, length] of keys) {
+-    const privKey = fixtures.readKey(file);
+-    [
+-      crypto.createSign('sha1').update(data).sign(privKey),
+-      crypto.sign('sha1', data, privKey),
+-      crypto.sign('sha1', data, { key: privKey, dsaEncoding: 'der' })
+-    ].forEach((sig) => {
+-      // Signature length variability due to DER encoding
+-      assert(sig.length >= length + 4 && sig.length <= length + 8);
+-
+-      assert.strictEqual(
+-        crypto.createVerify('sha1').update(data).verify(privKey, sig),
+-        true
+-      );
+-      assert.strictEqual(crypto.verify('sha1', data, privKey, sig), true);
+-    });
+-
+-    // Test (EC)DSA signature conversion.
+-    const opts = { key: privKey, dsaEncoding: 'ieee-p1363' };
+-    let sig = crypto.sign('sha1', data, opts);
+-    // Unlike DER signatures, IEEE P1363 signatures have a predictable length.
+-    assert.strictEqual(sig.length, length);
+-    assert.strictEqual(crypto.verify('sha1', data, opts, sig), true);
+-    assert.strictEqual(crypto.createVerify('sha1')
+-                             .update(data)
+-                             .verify(opts, sig), true);
+-
+-    // Test invalid signature lengths.
+-    for (const i of [-2, -1, 1, 2, 4, 8]) {
+-      sig = crypto.randomBytes(length + i);
+-      assert.throws(() => {
+-        crypto.verify('sha1', data, opts, sig);
+-      }, {
+-        message: 'Malformed signature'
+-      });
+-    }
+-  }
+-
+-  // Test verifying externally signed messages.
+-  const extSig = Buffer.from('494c18ab5c8a62a72aea5041966902bcfa229821af2bf65' +
+-                             '0b5b4870d1fe6aebeaed9460c62210693b5b0a300033823' +
+-                             '33d9529c8abd8c5948940af944828be16c', 'hex');
+-  for (const ok of [true, false]) {
+-    assert.strictEqual(
+-      crypto.verify('sha256', data, {
+-        key: fixtures.readKey('ec-key.pem'),
+-        dsaEncoding: 'ieee-p1363'
+-      }, extSig),
+-      ok
+-    );
+-
+-    assert.strictEqual(
+-      crypto.createVerify('sha256').update(data).verify({
+-        key: fixtures.readKey('ec-key.pem'),
+-        dsaEncoding: 'ieee-p1363'
+-      }, extSig),
+-      ok
+-    );
+-
+-    extSig[Math.floor(Math.random() * extSig.length)] ^= 1;
+-  }
+-
+-  // Non-(EC)DSA keys should ignore the option.
+-  const sig = crypto.sign('sha1', data, {
+-    key: keyPem,
+-    dsaEncoding: 'ieee-p1363'
+-  });
+-  assert.strictEqual(crypto.verify('sha1', data, certPem, sig), true);
+-  assert.strictEqual(
+-    crypto.verify('sha1', data, {
+-      key: certPem,
+-      dsaEncoding: 'ieee-p1363'
+-    }, sig),
+-    true
+-  );
+-  assert.strictEqual(
+-    crypto.verify('sha1', data, {
+-      key: certPem,
+-      dsaEncoding: 'der'
+-    }, sig),
+-    true
+-  );
+-
+-  for (const dsaEncoding of ['foo', null, {}, 5, true, NaN]) {
+-    assert.throws(() => {
+-      crypto.sign('sha1', data, {
+-        key: certPem,
+-        dsaEncoding
+-      });
+-    }, {
+-      code: 'ERR_INVALID_OPT_VALUE'
+-    });
+-  }
+-}
+-
+-
+ // RSA-PSS Sign test by verifying with 'openssl dgst -verify'
+ // Note: this particular test *must* be the last in this file as it will exit
+ // early if no openssl binary is found
+diff --git a/test/parallel/test-tls-cli-min-version-1.0.js b/test/parallel/test-tls-cli-min-version-1.0.js
+index 577562782e..0a227c0b94 100644
+--- a/test/parallel/test-tls-cli-min-version-1.0.js
++++ b/test/parallel/test-tls-cli-min-version-1.0.js
+@@ -8,7 +8,7 @@ if (!common.hasCrypto) common.skip('missing crypto');
+ const assert = require('assert');
+ const tls = require('tls');
+ 
+-assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
++assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+ assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1');
+ 
+ // Check the min-max version protocol versions against these CLI settings.
+diff --git a/test/parallel/test-tls-cli-min-version-1.1.js b/test/parallel/test-tls-cli-min-version-1.1.js
+index 3af2b39546..1219c82030 100644
+--- a/test/parallel/test-tls-cli-min-version-1.1.js
++++ b/test/parallel/test-tls-cli-min-version-1.1.js
+@@ -8,7 +8,7 @@ if (!common.hasCrypto) common.skip('missing crypto');
+ const assert = require('assert');
+ const tls = require('tls');
+ 
+-assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
++assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+ assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.1');
+ 
+ // Check the min-max version protocol versions against these CLI settings.
+diff --git a/test/parallel/test-tls-cli-min-version-1.2.js b/test/parallel/test-tls-cli-min-version-1.2.js
+index 8385eabd0b..058dc180f6 100644
+--- a/test/parallel/test-tls-cli-min-version-1.2.js
++++ b/test/parallel/test-tls-cli-min-version-1.2.js
+@@ -8,7 +8,7 @@ if (!common.hasCrypto) common.skip('missing crypto');
+ const assert = require('assert');
+ const tls = require('tls');
+ 
+-assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
++assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+ assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.2');
+ 
+ // Check the min-max version protocol versions against these CLI settings.
+diff --git a/test/parallel/test-tls-destroy-stream.js b/test/parallel/test-tls-destroy-stream.js
+index a49e985a7e..1964f676c2 100644
+--- a/test/parallel/test-tls-destroy-stream.js
++++ b/test/parallel/test-tls-destroy-stream.js
+@@ -9,7 +9,7 @@ const net = require('net');
+ const assert = require('assert');
+ const tls = require('tls');
+ 
+-tls.DEFAULT_MAX_VERSION = 'TLSv1.3';
++tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+ 
+ // This test ensures that an instance of StreamWrap should emit "end" and
+ // "close" when the socket on the other side call `destroy()` instead of
+diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js
+index 744276aa59..47d3bbdd98 100644
+--- a/test/parallel/test-tls-getcipher.js
++++ b/test/parallel/test-tls-getcipher.js
+@@ -72,25 +72,3 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
+     this.end();
+   }));
+ }));
+-
+-tls.createServer({
+-  key: fixtures.readKey('agent2-key.pem'),
+-  cert: fixtures.readKey('agent2-cert.pem'),
+-  ciphers: 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256',
+-  maxVersion: 'TLSv1.3',
+-}, common.mustCall(function() {
+-  this.close();
+-})).listen(0, common.mustCall(function() {
+-  const client = tls.connect({
+-    port: this.address().port,
+-    ciphers: 'TLS_AES_128_CCM_8_SHA256',
+-    maxVersion: 'TLSv1.3',
+-    rejectUnauthorized: false
+-  }, common.mustCall(() => {
+-    const cipher = client.getCipher();
+-    assert.strictEqual(cipher.name, 'TLS_AES_128_CCM_8_SHA256');
+-    assert.strictEqual(cipher.standardName, cipher.name);
+-    assert.strictEqual(cipher.version, 'TLSv1.3');
+-    client.end();
+-  }));
+-}));
+diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
+index 4fcb9247d3..085e123264 100644
+--- a/test/parallel/test-tls-min-max-version.js
++++ b/test/parallel/test-tls-min-max-version.js
+@@ -219,26 +219,19 @@ test(U, U, 'TLSv1_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1');
+ test(U, U, 'TLSv1_1_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
+ test(U, U, 'TLSv1_2_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1.2');
+ 
+-test('TLSv1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.1');
+ test('TLSv1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
+ test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1.1');
+-test('TLSv1', 'TLSv1.3', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1.1');
+ test('TLSv1', 'TLSv1', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1');
+ test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
+-test('TLSv1', 'TLSv1.3', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
+ test('TLSv1.1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
+ test('TLSv1', 'TLSv1.2', U, 'TLSv1.1', 'TLSv1.1', U, 'TLSv1.1');
+-test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.2');
+ 
+ // v-any client can connect to v-specific server
+-test('TLSv1', 'TLSv1.3', U, 'TLSv1.3', 'TLSv1.3', U, 'TLSv1.3');
+-test('TLSv1', 'TLSv1.3', U, 'TLSv1.2', 'TLSv1.3', U, 'TLSv1.3');
+-test('TLSv1', 'TLSv1.3', U, 'TLSv1.2', 'TLSv1.2', U, 'TLSv1.2');
+-test('TLSv1', 'TLSv1.3', U, 'TLSv1.1', 'TLSv1.1', U, 'TLSv1.1');
+-test('TLSv1', 'TLSv1.3', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
++test('TLSv1', 'TLSv1.2', U, 'TLSv1.2', 'TLSv1.2', U, 'TLSv1.2');
++test('TLSv1', 'TLSv1.2', U, 'TLSv1.1', 'TLSv1.1', U, 'TLSv1.1');
++test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
+ 
+ // v-specific client can connect to v-any server
+-test('TLSv1.3', 'TLSv1.3', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.3');
+-test('TLSv1.2', 'TLSv1.2', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.2');
+-test('TLSv1.1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.1');
+-test('TLSv1', 'TLSv1', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1');
++test('TLSv1.2', 'TLSv1.2', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.2');
++test('TLSv1.1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
++test('TLSv1', 'TLSv1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1');
+diff --git a/test/parallel/test-tls-psk-circuit.js b/test/parallel/test-tls-psk-circuit.js
+index 4bcdf36860..0642e18d5e 100644
+--- a/test/parallel/test-tls-psk-circuit.js
++++ b/test/parallel/test-tls-psk-circuit.js
+@@ -62,9 +62,9 @@ const DISCONNECT_MESSAGE =
+ 
+ test({ psk: USERS.UserA, identity: 'UserA' });
+ test({ psk: USERS.UserA, identity: 'UserA' }, { maxVersion: 'TLSv1.2' });
+-test({ psk: USERS.UserA, identity: 'UserA' }, { minVersion: 'TLSv1.3' });
++test({ psk: USERS.UserA, identity: 'UserA' }, { minVersion: 'TLSv1.2' });
+ test({ psk: USERS.UserB, identity: 'UserB' });
+-test({ psk: USERS.UserB, identity: 'UserB' }, { minVersion: 'TLSv1.3' });
++test({ psk: USERS.UserB, identity: 'UserB' }, { minVersion: 'TLSv1.2' });
+ // Unrecognized user should fail handshake
+ test({ psk: USERS.UserB, identity: 'UserC' }, {}, DISCONNECT_MESSAGE);
+ // Recognized user but incorrect secret should fail handshake
+-- 
+2.26.2
+
diff --git a/SOURCES/0007-Disable-tests-for-known-issues.patch b/SOURCES/0007-Disable-tests-for-known-issues.patch
new file mode 100644
index 0000000..929f62c
--- /dev/null
+++ b/SOURCES/0007-Disable-tests-for-known-issues.patch
@@ -0,0 +1,220 @@
+From 6c61519df159341a552e058acf8bc5755d5a6b46 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
+Date: Wed, 16 Sep 2020 12:51:20 +0200
+Subject: [PATCH] Disable tests for known issues
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- Disable tests failing with different kinds of errors than expected
+
+  For example, tests which are expected to emit
+  `ERR_SSL_UNSUPPORTED_PROTOCOL` but instead emit `ECONNRESET`.
+
+  It is unclear if this is error in RedHat patches or just behavioral
+  difference between OpenSSL versions.
+
+- Disable failing TLS tests
+
+  Cause of the failures here is not clear.
+  Further investigation may be in order.
+
+  See rhbz#1873155 for the related bug.
+
+- Disable failing async tests
+
+- Disable failing REPL tests
+
+- Disable test-http-keep-alive-timeout
+
+  The server is not sending 'Keep-Alive' header back for unknown reason
+
+- Disable test-http-parser-timeout-reset
+
+  The parser apparently timeouts even when it should not.
+
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ .../test-async-hooks-enable-before-promise-resolve.js         | 0
+ .../test-async-local-storage-deep-stack.js                    | 0
+ .../test-async-wrap-getasyncid.js                             | 0
+ test/{parallel => known_issues}/test-asyncresource-bind.js    | 0
+ .../test-http-keep-alive-timeout.js                           | 0
+ .../test-http-parser-timeout-reset.js                         | 0
+ .../test-repl-pretty-custom-stack.js                          | 0
+ test/{parallel => known_issues}/test-repl-pretty-stack.js     | 0
+ test/{parallel => known_issues}/test-repl.js                  | 0
+ .../test-tls-cli-max-version-1.2.js                           | 0
+ .../test-tls-cli-min-version-1.1.js                           | 0
+ .../test-tls-cli-min-version-1.2.js                           | 0
+ .../test-tls-exportkeyingmaterial.js                          | 0
+ test/{parallel => known_issues}/test-tls-getcipher.js         | 0
+ test/{parallel => known_issues}/test-tls-honorcipherorder.js  | 0
+ test/{parallel => known_issues}/test-tls-multi-key.js         | 0
+ test/{parallel => known_issues}/test-tls-multi-pfx.js         | 0
+ test/{parallel => known_issues}/test-tls-no-sslv3.js          | 0
+ test/{parallel => known_issues}/test-tls-psk-circuit.js       | 0
+ test/{sequential => known_issues}/test-tls-psk-client.js      | 0
+ test/{parallel => known_issues}/test-tls-psk-errors.js        | 0
+ .../test-tls-securepair-client.js                             | 0
+ .../test-tls-server-capture-rejection.js                      | 0
+ test/{sequential => known_issues}/test-tls-session-timeout.js | 0
+ test/{parallel => known_issues}/test-tls-set-ciphers-error.js | 0
+ test/{parallel => known_issues}/test-tls-set-ciphers.js       | 0
+ test/{parallel => known_issues}/test-tls-set-sigalgs.js       | 0
+ test/parallel/test-cli-node-options.js                        | 4 ----
+ 28 files changed, 4 deletions(-)
+ rename test/{parallel => known_issues}/test-async-hooks-enable-before-promise-resolve.js (100%)
+ rename test/{parallel => known_issues}/test-async-local-storage-deep-stack.js (100%)
+ rename test/{sequential => known_issues}/test-async-wrap-getasyncid.js (100%)
+ rename test/{parallel => known_issues}/test-asyncresource-bind.js (100%)
+ rename test/{parallel => known_issues}/test-http-keep-alive-timeout.js (100%)
+ rename test/{parallel => known_issues}/test-http-parser-timeout-reset.js (100%)
+ rename test/{parallel => known_issues}/test-repl-pretty-custom-stack.js (100%)
+ rename test/{parallel => known_issues}/test-repl-pretty-stack.js (100%)
+ rename test/{parallel => known_issues}/test-repl.js (100%)
+ rename test/{parallel => known_issues}/test-tls-cli-max-version-1.2.js (100%)
+ rename test/{parallel => known_issues}/test-tls-cli-min-version-1.1.js (100%)
+ rename test/{parallel => known_issues}/test-tls-cli-min-version-1.2.js (100%)
+ rename test/{parallel => known_issues}/test-tls-exportkeyingmaterial.js (100%)
+ rename test/{parallel => known_issues}/test-tls-getcipher.js (100%)
+ rename test/{parallel => known_issues}/test-tls-honorcipherorder.js (100%)
+ rename test/{parallel => known_issues}/test-tls-multi-key.js (100%)
+ rename test/{parallel => known_issues}/test-tls-multi-pfx.js (100%)
+ rename test/{parallel => known_issues}/test-tls-no-sslv3.js (100%)
+ rename test/{parallel => known_issues}/test-tls-psk-circuit.js (100%)
+ rename test/{sequential => known_issues}/test-tls-psk-client.js (100%)
+ rename test/{parallel => known_issues}/test-tls-psk-errors.js (100%)
+ rename test/{sequential => known_issues}/test-tls-securepair-client.js (100%)
+ rename test/{parallel => known_issues}/test-tls-server-capture-rejection.js (100%)
+ rename test/{sequential => known_issues}/test-tls-session-timeout.js (100%)
+ rename test/{parallel => known_issues}/test-tls-set-ciphers-error.js (100%)
+ rename test/{parallel => known_issues}/test-tls-set-ciphers.js (100%)
+ rename test/{parallel => known_issues}/test-tls-set-sigalgs.js (100%)
+
+diff --git a/test/parallel/test-async-hooks-enable-before-promise-resolve.js b/test/known_issues/test-async-hooks-enable-before-promise-resolve.js
+similarity index 100%
+rename from test/parallel/test-async-hooks-enable-before-promise-resolve.js
+rename to test/known_issues/test-async-hooks-enable-before-promise-resolve.js
+diff --git a/test/parallel/test-async-local-storage-deep-stack.js b/test/known_issues/test-async-local-storage-deep-stack.js
+similarity index 100%
+rename from test/parallel/test-async-local-storage-deep-stack.js
+rename to test/known_issues/test-async-local-storage-deep-stack.js
+diff --git a/test/sequential/test-async-wrap-getasyncid.js b/test/known_issues/test-async-wrap-getasyncid.js
+similarity index 100%
+rename from test/sequential/test-async-wrap-getasyncid.js
+rename to test/known_issues/test-async-wrap-getasyncid.js
+diff --git a/test/parallel/test-asyncresource-bind.js b/test/known_issues/test-asyncresource-bind.js
+similarity index 100%
+rename from test/parallel/test-asyncresource-bind.js
+rename to test/known_issues/test-asyncresource-bind.js
+diff --git a/test/parallel/test-http-keep-alive-timeout.js b/test/known_issues/test-http-keep-alive-timeout.js
+similarity index 100%
+rename from test/parallel/test-http-keep-alive-timeout.js
+rename to test/known_issues/test-http-keep-alive-timeout.js
+diff --git a/test/parallel/test-http-parser-timeout-reset.js b/test/known_issues/test-http-parser-timeout-reset.js
+similarity index 100%
+rename from test/parallel/test-http-parser-timeout-reset.js
+rename to test/known_issues/test-http-parser-timeout-reset.js
+diff --git a/test/parallel/test-repl-pretty-custom-stack.js b/test/known_issues/test-repl-pretty-custom-stack.js
+similarity index 100%
+rename from test/parallel/test-repl-pretty-custom-stack.js
+rename to test/known_issues/test-repl-pretty-custom-stack.js
+diff --git a/test/parallel/test-repl-pretty-stack.js b/test/known_issues/test-repl-pretty-stack.js
+similarity index 100%
+rename from test/parallel/test-repl-pretty-stack.js
+rename to test/known_issues/test-repl-pretty-stack.js
+diff --git a/test/parallel/test-repl.js b/test/known_issues/test-repl.js
+similarity index 100%
+rename from test/parallel/test-repl.js
+rename to test/known_issues/test-repl.js
+diff --git a/test/parallel/test-tls-cli-max-version-1.2.js b/test/known_issues/test-tls-cli-max-version-1.2.js
+similarity index 100%
+rename from test/parallel/test-tls-cli-max-version-1.2.js
+rename to test/known_issues/test-tls-cli-max-version-1.2.js
+diff --git a/test/parallel/test-tls-cli-min-version-1.1.js b/test/known_issues/test-tls-cli-min-version-1.1.js
+similarity index 100%
+rename from test/parallel/test-tls-cli-min-version-1.1.js
+rename to test/known_issues/test-tls-cli-min-version-1.1.js
+diff --git a/test/parallel/test-tls-cli-min-version-1.2.js b/test/known_issues/test-tls-cli-min-version-1.2.js
+similarity index 100%
+rename from test/parallel/test-tls-cli-min-version-1.2.js
+rename to test/known_issues/test-tls-cli-min-version-1.2.js
+diff --git a/test/parallel/test-tls-exportkeyingmaterial.js b/test/known_issues/test-tls-exportkeyingmaterial.js
+similarity index 100%
+rename from test/parallel/test-tls-exportkeyingmaterial.js
+rename to test/known_issues/test-tls-exportkeyingmaterial.js
+diff --git a/test/parallel/test-tls-getcipher.js b/test/known_issues/test-tls-getcipher.js
+similarity index 100%
+rename from test/parallel/test-tls-getcipher.js
+rename to test/known_issues/test-tls-getcipher.js
+diff --git a/test/parallel/test-tls-honorcipherorder.js b/test/known_issues/test-tls-honorcipherorder.js
+similarity index 100%
+rename from test/parallel/test-tls-honorcipherorder.js
+rename to test/known_issues/test-tls-honorcipherorder.js
+diff --git a/test/parallel/test-tls-multi-key.js b/test/known_issues/test-tls-multi-key.js
+similarity index 100%
+rename from test/parallel/test-tls-multi-key.js
+rename to test/known_issues/test-tls-multi-key.js
+diff --git a/test/parallel/test-tls-multi-pfx.js b/test/known_issues/test-tls-multi-pfx.js
+similarity index 100%
+rename from test/parallel/test-tls-multi-pfx.js
+rename to test/known_issues/test-tls-multi-pfx.js
+diff --git a/test/parallel/test-tls-no-sslv3.js b/test/known_issues/test-tls-no-sslv3.js
+similarity index 100%
+rename from test/parallel/test-tls-no-sslv3.js
+rename to test/known_issues/test-tls-no-sslv3.js
+diff --git a/test/parallel/test-tls-psk-circuit.js b/test/known_issues/test-tls-psk-circuit.js
+similarity index 100%
+rename from test/parallel/test-tls-psk-circuit.js
+rename to test/known_issues/test-tls-psk-circuit.js
+diff --git a/test/sequential/test-tls-psk-client.js b/test/known_issues/test-tls-psk-client.js
+similarity index 100%
+rename from test/sequential/test-tls-psk-client.js
+rename to test/known_issues/test-tls-psk-client.js
+diff --git a/test/parallel/test-tls-psk-errors.js b/test/known_issues/test-tls-psk-errors.js
+similarity index 100%
+rename from test/parallel/test-tls-psk-errors.js
+rename to test/known_issues/test-tls-psk-errors.js
+diff --git a/test/sequential/test-tls-securepair-client.js b/test/known_issues/test-tls-securepair-client.js
+similarity index 100%
+rename from test/sequential/test-tls-securepair-client.js
+rename to test/known_issues/test-tls-securepair-client.js
+diff --git a/test/parallel/test-tls-server-capture-rejection.js b/test/known_issues/test-tls-server-capture-rejection.js
+similarity index 100%
+rename from test/parallel/test-tls-server-capture-rejection.js
+rename to test/known_issues/test-tls-server-capture-rejection.js
+diff --git a/test/sequential/test-tls-session-timeout.js b/test/known_issues/test-tls-session-timeout.js
+similarity index 100%
+rename from test/sequential/test-tls-session-timeout.js
+rename to test/known_issues/test-tls-session-timeout.js
+diff --git a/test/parallel/test-tls-set-ciphers-error.js b/test/known_issues/test-tls-set-ciphers-error.js
+similarity index 100%
+rename from test/parallel/test-tls-set-ciphers-error.js
+rename to test/known_issues/test-tls-set-ciphers-error.js
+diff --git a/test/parallel/test-tls-set-ciphers.js b/test/known_issues/test-tls-set-ciphers.js
+similarity index 100%
+rename from test/parallel/test-tls-set-ciphers.js
+rename to test/known_issues/test-tls-set-ciphers.js
+diff --git a/test/parallel/test-tls-set-sigalgs.js b/test/known_issues/test-tls-set-sigalgs.js
+similarity index 100%
+rename from test/parallel/test-tls-set-sigalgs.js
+rename to test/known_issues/test-tls-set-sigalgs.js
+diff --git a/test/parallel/test-cli-node-options.js b/test/parallel/test-cli-node-options.js
+index 8fb15d3ba5..2fc22ca477 100644
+--- a/test/parallel/test-cli-node-options.js
++++ b/test/parallel/test-cli-node-options.js
+@@ -78,10 +78,6 @@ expect('--stack-trace-limit=100',
+ if (!['arm', 'arm64'].includes(process.arch))
+   expect('--interpreted-frames-native-stack', 'B\n');
+ 
+-// Workers can't eval as ES Modules. https://github.com/nodejs/node/issues/30682
+-expectNoWorker('--input-type=module',
+-               'B\n', 'console.log(await "B")');
+-
+ function expectNoWorker(opt, want, command, wantsError) {
+   expect(opt, want, command, wantsError, false);
+ }
+-- 
+2.26.2
+
diff --git a/SOURCES/Make-icutrim.py-Python-2-compatible.patch b/SOURCES/Make-icutrim.py-Python-2-compatible.patch
new file mode 100644
index 0000000..0d851e0
--- /dev/null
+++ b/SOURCES/Make-icutrim.py-Python-2-compatible.patch
@@ -0,0 +1,26 @@
+From c3993b1bd0a1b20c40b35c332309307fea92895c Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 29 Jul 2020 10:44:45 +0200
+Subject: [PATCH] Make icutrim.py Python 2 compatible
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ tools/icu/icutrim.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/icu/icutrim.py b/tools/icu/icutrim.py
+index f857e73..9996038 100755
+--- a/tools/icu/icutrim.py
++++ b/tools/icu/icutrim.py
+@@ -316,7 +316,7 @@ def removeList(count=0):
+             erritems = fi.readlines()
+             fi.close()
+             #Item zone/zh_Hant_TW.res depends on missing item zone/zh_Hant.res
+-            pat = re.compile(bytes(r"^Item ([^ ]+) depends on missing item ([^ ]+).*", 'utf-8'))
++            pat = re.compile(r"^Item ([^ ]+) depends on missing item ([^ ]+).*".encode('utf-8'))
+             for i in range(len(erritems)):
+                 line = erritems[i].strip()
+                 m = pat.match(line)
+-- 
+2.26.2
+
diff --git a/SOURCES/deps-Remove-statx-from-libuv.patch b/SOURCES/deps-Remove-statx-from-libuv.patch
new file mode 100644
index 0000000..57de552
--- /dev/null
+++ b/SOURCES/deps-Remove-statx-from-libuv.patch
@@ -0,0 +1,238 @@
+From ba78c957478bdd5de98c6ad5d16eff9771275360 Mon Sep 17 00:00:00 2001
+From: Zuzana Svetlikova <zsvetlik@redhat.com>
+Date: Wed, 19 Feb 2020 10:32:33 +0000
+Subject: [PATCH] deps: Remove statx from libuv
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/uv/src/unix/fs.c             | 91 -------------------------------
+ deps/uv/src/unix/linux-syscalls.c | 32 -----------
+ deps/uv/src/unix/linux-syscalls.h | 35 ------------
+ 3 files changed, 158 deletions(-)
+
+diff --git a/deps/uv/src/unix/fs.c b/deps/uv/src/unix/fs.c
+index 87cb8b8..0a85307 100644
+--- a/deps/uv/src/unix/fs.c
++++ b/deps/uv/src/unix/fs.c
+@@ -1370,93 +1370,10 @@ static void uv__to_stat(struct stat* src, uv_stat_t* dst) {
+ }
+ 
+ 
+-static int uv__fs_statx(int fd,
+-                        const char* path,
+-                        int is_fstat,
+-                        int is_lstat,
+-                        uv_stat_t* buf) {
+-  STATIC_ASSERT(UV_ENOSYS != -1);
+-#ifdef __linux__
+-  static int no_statx;
+-  struct uv__statx statxbuf;
+-  int dirfd;
+-  int flags;
+-  int mode;
+-  int rc;
+-
+-  if (uv__load_relaxed(&no_statx))
+-    return UV_ENOSYS;
+-
+-  dirfd = AT_FDCWD;
+-  flags = 0; /* AT_STATX_SYNC_AS_STAT */
+-  mode = 0xFFF; /* STATX_BASIC_STATS + STATX_BTIME */
+-
+-  if (is_fstat) {
+-    dirfd = fd;
+-    flags |= 0x1000; /* AT_EMPTY_PATH */
+-  }
+-
+-  if (is_lstat)
+-    flags |= AT_SYMLINK_NOFOLLOW;
+-
+-  rc = uv__statx(dirfd, path, flags, mode, &statxbuf);
+-
+-  switch (rc) {
+-  case 0:
+-    break;
+-  case -1:
+-    /* EPERM happens when a seccomp filter rejects the system call.
+-     * Has been observed with libseccomp < 2.3.3 and docker < 18.04.
+-     */
+-    if (errno != EINVAL && errno != EPERM && errno != ENOSYS)
+-      return -1;
+-    /* Fall through. */
+-  default:
+-    /* Normally on success, zero is returned and On error, -1 is returned.
+-     * Observed on S390 RHEL running in a docker container with statx not
+-     * implemented, rc might return 1 with 0 set as the error code in which
+-     * case we return ENOSYS.
+-     */
+-    uv__store_relaxed(&no_statx, 1);
+-    return UV_ENOSYS;
+-  }
+-
+-  buf->st_dev = 256 * statxbuf.stx_dev_major + statxbuf.stx_dev_minor;
+-  buf->st_mode = statxbuf.stx_mode;
+-  buf->st_nlink = statxbuf.stx_nlink;
+-  buf->st_uid = statxbuf.stx_uid;
+-  buf->st_gid = statxbuf.stx_gid;
+-  buf->st_rdev = statxbuf.stx_rdev_major;
+-  buf->st_ino = statxbuf.stx_ino;
+-  buf->st_size = statxbuf.stx_size;
+-  buf->st_blksize = statxbuf.stx_blksize;
+-  buf->st_blocks = statxbuf.stx_blocks;
+-  buf->st_atim.tv_sec = statxbuf.stx_atime.tv_sec;
+-  buf->st_atim.tv_nsec = statxbuf.stx_atime.tv_nsec;
+-  buf->st_mtim.tv_sec = statxbuf.stx_mtime.tv_sec;
+-  buf->st_mtim.tv_nsec = statxbuf.stx_mtime.tv_nsec;
+-  buf->st_ctim.tv_sec = statxbuf.stx_ctime.tv_sec;
+-  buf->st_ctim.tv_nsec = statxbuf.stx_ctime.tv_nsec;
+-  buf->st_birthtim.tv_sec = statxbuf.stx_btime.tv_sec;
+-  buf->st_birthtim.tv_nsec = statxbuf.stx_btime.tv_nsec;
+-  buf->st_flags = 0;
+-  buf->st_gen = 0;
+-
+-  return 0;
+-#else
+-  return UV_ENOSYS;
+-#endif /* __linux__ */
+-}
+-
+-
+ static int uv__fs_stat(const char *path, uv_stat_t *buf) {
+   struct stat pbuf;
+   int ret;
+ 
+-  ret = uv__fs_statx(-1, path, /* is_fstat */ 0, /* is_lstat */ 0, buf);
+-  if (ret != UV_ENOSYS)
+-    return ret;
+-
+   ret = stat(path, &pbuf);
+   if (ret == 0)
+     uv__to_stat(&pbuf, buf);
+@@ -1469,10 +1386,6 @@ static int uv__fs_lstat(const char *path, uv_stat_t *buf) {
+   struct stat pbuf;
+   int ret;
+ 
+-  ret = uv__fs_statx(-1, path, /* is_fstat */ 0, /* is_lstat */ 1, buf);
+-  if (ret != UV_ENOSYS)
+-    return ret;
+-
+   ret = lstat(path, &pbuf);
+   if (ret == 0)
+     uv__to_stat(&pbuf, buf);
+@@ -1485,10 +1398,6 @@ static int uv__fs_fstat(int fd, uv_stat_t *buf) {
+   struct stat pbuf;
+   int ret;
+ 
+-  ret = uv__fs_statx(fd, "", /* is_fstat */ 1, /* is_lstat */ 0, buf);
+-  if (ret != UV_ENOSYS)
+-    return ret;
+-
+   ret = fstat(fd, &pbuf);
+   if (ret == 0)
+     uv__to_stat(&pbuf, buf);
+diff --git a/deps/uv/src/unix/linux-syscalls.c b/deps/uv/src/unix/linux-syscalls.c
+index 160056b..e41f8c9 100644
+--- a/deps/uv/src/unix/linux-syscalls.c
++++ b/deps/uv/src/unix/linux-syscalls.c
+@@ -112,22 +112,6 @@
+ # endif
+ #endif /* __NR_copy_file_range */
+ 
+-#ifndef __NR_statx
+-# if defined(__x86_64__)
+-#  define __NR_statx 332
+-# elif defined(__i386__)
+-#  define __NR_statx 383
+-# elif defined(__aarch64__)
+-#  define __NR_statx 397
+-# elif defined(__arm__)
+-#  define __NR_statx (UV_SYSCALL_BASE + 397)
+-# elif defined(__ppc__)
+-#  define __NR_statx 383
+-# elif defined(__s390__)
+-#  define __NR_statx 379
+-# endif
+-#endif /* __NR_statx */
+-
+ #ifndef __NR_getrandom
+ # if defined(__x86_64__)
+ #  define __NR_getrandom 318
+@@ -220,22 +204,6 @@ uv__fs_copy_file_range(int fd_in,
+ }
+ 
+ 
+-int uv__statx(int dirfd,
+-              const char* path,
+-              int flags,
+-              unsigned int mask,
+-              struct uv__statx* statxbuf) {
+-  /* __NR_statx make Android box killed by SIGSYS.
+-   * That looks like a seccomp2 sandbox filter rejecting the system call.
+-   */
+-#if defined(__NR_statx) && !defined(__ANDROID__)
+-  return syscall(__NR_statx, dirfd, path, flags, mask, statxbuf);
+-#else
+-  return errno = ENOSYS, -1;
+-#endif
+-}
+-
+-
+ ssize_t uv__getrandom(void* buf, size_t buflen, unsigned flags) {
+ #if defined(__NR_getrandom)
+   return syscall(__NR_getrandom, buf, buflen, flags);
+diff --git a/deps/uv/src/unix/linux-syscalls.h b/deps/uv/src/unix/linux-syscalls.h
+index 761ff32..5dcf3a3 100644
+--- a/deps/uv/src/unix/linux-syscalls.h
++++ b/deps/uv/src/unix/linux-syscalls.h
+@@ -31,36 +31,6 @@
+ #include <sys/time.h>
+ #include <sys/socket.h>
+ 
+-struct uv__statx_timestamp {
+-  int64_t tv_sec;
+-  uint32_t tv_nsec;
+-  int32_t unused0;
+-};
+-
+-struct uv__statx {
+-  uint32_t stx_mask;
+-  uint32_t stx_blksize;
+-  uint64_t stx_attributes;
+-  uint32_t stx_nlink;
+-  uint32_t stx_uid;
+-  uint32_t stx_gid;
+-  uint16_t stx_mode;
+-  uint16_t unused0;
+-  uint64_t stx_ino;
+-  uint64_t stx_size;
+-  uint64_t stx_blocks;
+-  uint64_t stx_attributes_mask;
+-  struct uv__statx_timestamp stx_atime;
+-  struct uv__statx_timestamp stx_btime;
+-  struct uv__statx_timestamp stx_ctime;
+-  struct uv__statx_timestamp stx_mtime;
+-  uint32_t stx_rdev_major;
+-  uint32_t stx_rdev_minor;
+-  uint32_t stx_dev_major;
+-  uint32_t stx_dev_minor;
+-  uint64_t unused1[14];
+-};
+-
+ ssize_t uv__preadv(int fd, const struct iovec *iov, int iovcnt, int64_t offset);
+ ssize_t uv__pwritev(int fd, const struct iovec *iov, int iovcnt, int64_t offset);
+ int uv__dup3(int oldfd, int newfd, int flags);
+@@ -71,11 +41,6 @@ uv__fs_copy_file_range(int fd_in,
+                        ssize_t* off_out,
+                        size_t len,
+                        unsigned int flags);
+-int uv__statx(int dirfd,
+-              const char* path,
+-              int flags,
+-              unsigned int mask,
+-              struct uv__statx* statxbuf);
+ ssize_t uv__getrandom(void* buf, size_t buflen, unsigned flags);
+ 
+ #endif /* UV_LINUX_SYSCALL_H_ */
+-- 
+2.26.2
+
diff --git a/SOURCES/nodejs-tarball.sh b/SOURCES/nodejs-tarball.sh
new file mode 100755
index 0000000..e7e9613
--- /dev/null
+++ b/SOURCES/nodejs-tarball.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+version=$(rpm -q --specfile --qf='%{version}\n' nodejs.spec | head -n1)
+wget http://nodejs.org/dist/v${version}/node-v${version}.tar.gz
+tar -zxf node-v${version}.tar.gz
+rm -rf node-v${version}/deps/openssl
+tar -zcf node-v${version}-stripped.tar.gz node-v${version}
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
new file mode 100644
index 0000000..ff054ea
--- /dev/null
+++ b/SPECS/nodejs.spec
@@ -0,0 +1,921 @@
+%{?scl:%scl_package nodejs}
+%{!?scl:%global pkg_name %{name}}
+
+# Enable debug build
+%bcond_with debug
+# Enable bootstrapping – enabled by default
+%bcond_without bootstrap
+
+# When running parallel build, ld tends to run out of memory/be killed by signal 9
+# Put parallel compilation behind bcond for now
+%bcond_with parallel_build
+
+# ARM builds currently break on the Debug builds, so we'll just
+# build the standard runtime until that gets sorted out.
+%ifarch %{arm} aarch64 %{power64}
+%undefine with_debug
+%endif
+
+# == Node.js Version ==
+# Note: Fedora should only ship LTS versions of Node.js (currently expected
+# to be major versions with even numbers). The odd-numbered versions are new
+# feature releases that are only supported for nine months, which is shorter
+# than a Fedora release lifecycle.
+%global nodejs_major 14
+%global nodejs_minor 15
+%global nodejs_patch 0
+%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
+%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
+%global nodejs_release 1
+
+# == Bundled Dependency Versions ==
+# v8 - from deps/v8/include/v8-version.h
+%global v8_major 8
+%global v8_minor 4
+%global v8_build 371
+%global v8_patch 19
+# V8 presently breaks ABI at least every x.y release while never bumping SONAME
+%global v8_abi %{v8_major}.%{v8_minor}
+%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
+
+# c-ares - from deps/cares/include/ares_version.h
+%global c_ares_major 1
+%global c_ares_minor 16
+%global c_ares_patch 1
+%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
+
+# llhttp - from deps/llhttp/include/llhttp.h
+%global llhttp_major 2
+%global llhttp_minor 1
+%global llhttp_patch 3
+%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
+
+# libuv - from deps/uv/include/uv/version.h
+%global libuv_major 1
+%global libuv_minor 40
+%global libuv_patch 0
+%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
+
+# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
+
+%global nghttp2_major 1
+%global nghttp2_minor 41
+%global nghttp2_patch 0
+%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
+
+# punycode - from lib/punycode.js
+%global punycode_major 2
+%global punycode_minor 1
+%global punycode_patch 0
+%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
+
+# npm - from deps/npm/package.json
+%global npm_major 6
+%global npm_minor 14
+%global npm_patch 8
+%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
+
+# uvwasi - from deps/uvwasi/include/uvwasi.h
+%global uvwasi_major 0
+%global uvwasi_minor 0
+%global uvwasi_patch 11
+%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
+
+# zlib version - from deps/zlib/zlib.h
+# Note: Only required/bundled on RHEL-7
+%global zlib_major 1
+%global zlib_minor 2
+%global zlib_patch 11
+%global zlib_version %{zlib_major}.%{zlib_minor}.%{zlib_patch}
+
+# histogram_c - assumed from timestamps
+%global histogram_major 0
+%global histogram_minor 9
+%global histogram_patch 7
+%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
+
+# In order to avoid needing to keep incrementing the release version for the
+# main package forever, we will just construct one for npm that is guaranteed
+# to increment safely. Changing this can only be done during an update when the
+# base npm version number is increasing.
+%global npm_release %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
+
+# Filter out the NPM bundled dependencies so we aren't providing them
+%global __provides_exclude_from ^%{nodejs_sitelib}/npm/node_modules.*$
+%global __requires_exclude_from ^%{nodejs_sitelib}/npm/node_modules.*$
+
+
+Name: %{?scl_prefix}nodejs
+Version: %{nodejs_version}
+Release: %{nodejs_release}%{?dist}
+Summary: JavaScript runtime
+License: MIT and ASL 2.0 and ISC and BSD
+Group: Development/Languages
+URL: http://nodejs.org/
+
+# nodejs bundles openssl, but we use the system version in Fedora
+# because openssl contains prohibited code, we remove openssl completely from
+# the tarball, using the script in Source100
+Source0: node-v%{nodejs_version}-stripped.tar.gz
+Source100: %{pkg_name}-tarball.sh
+# Use separate shim library to smooth the rough edges of API incompatibility
+# between OpenSSL versions
+Source1: https://github.com/sclorg/node-ssl-shim/archive/6fc0b05d38215f1ea8b9b22c0131c9476628aef1/node-ssl-shim-6fc0b05.tar.gz
+
+# Patches for making nodejs compatible with older openssl
+# Squashed and exported from https://gitlab.cee.redhat.com/nodejs/node
+# – please submit changes to the appropriate branch there (redhat/%%{version}).
+Patch1: 0001-Link-with-ssl-shim.patch
+Patch2: 0002-Use-OpenSSL-1.0-API.patch
+Patch3: 0003-Backport-necessary-OpenSSL-features.patch
+Patch4: 0004-Disable-unsupported-OpenSSL-features.patch
+Patch5: 0005-Adjust-tests-expectations.patch
+Patch6: 0006-Disable-tests-for-unsupported-features.patch
+Patch7: 0007-Disable-tests-for-known-issues.patch
+
+# Remove libuv attempts to use statx syscall – rhbz#1760184
+Patch10: deps-Remove-statx-from-libuv.patch
+# Make icutrim work with python 2
+Patch11: Make-icutrim.py-Python-2-compatible.patch
+
+
+%{?scl:Requires: %{scl}-runtime}
+%{?scl:BuildRequires: %{scl}-runtime}
+BuildRequires: python-devel
+#BuildRequires: libicu-devel
+BuildRequires: zlib-devel
+BuildRequires: devtoolset-9-gcc
+BuildRequires: devtoolset-9-gcc-c++
+# needed for tests
+BuildRequires: procps-ng
+BuildRequires: systemtap-sdt-devel
+BuildRequires: chrpath
+BuildRequires: devtoolset-9-libatomic-devel
+
+
+BuildRequires: openssl-devel >= 1:1.0.2
+
+Requires: ca-certificates
+
+#we need ABI virtual provides where SONAMEs aren't enough/not present so deps
+#break when binary compatibility is broken
+Provides: %{?scl_prefix}nodejs(abi) = %{nodejs_abi}
+Provides: %{?scl_prefix}nodejs(abi%{nodejs_major}) = %{nodejs_abi}
+Provides: %{?scl_prefix}nodejs(v8-abi) = %{v8_abi}
+Provides: %{?scl_prefix}nodejs(v8-abi%{v8_major}) = %{v8_abi}
+
+#this corresponds to the "engine" requirement in package.json
+Provides: %{?scl_prefix}nodejs(engine) = %{nodejs_version}
+
+# Node.js currently has a conflict with the 'node' package in Fedora
+# The ham-radio group has agreed to rename their binary for us, but
+# in the meantime, we're setting an explicit Conflicts: here
+Conflicts: node <= 0.3.2-12
+
+# The punycode module was absorbed into the standard library in v0.6.
+# It still exists as a seperate package for the benefit of users of older
+# versions.  Since we've never shipped anything older than v0.10 in Fedora,
+# we don't need the seperate nodejs-punycode package, so we Provide it here so
+# dependent packages don't need to override the dependency generator.
+# See also: RHBZ#11511811
+# UPDATE: punycode will be deprecated and so we should unbundle it in Node v8
+# and use upstream module instead
+# https://github.com/nodejs/node/commit/29e49fc286080215031a81effbd59eac092fff2f
+Provides: %{?scl_prefix}nodejs-punycode = %{punycode_version}
+Provides: %{?scl_prefix}npm(punycode) = %{punycode_version}
+
+
+# Node.js has forked c-ares from upstream in an incompatible way, so we need
+# to carry the bundled version internally.
+# See https://github.com/nodejs/node/commit/766d063e0578c0f7758c3a965c971763f43fec85
+Provides: bundled(%{?scl_prefix}c-ares) = %{c_ares_version}
+
+# Node.js is closely tied to the version of v8 that is used with it. It makes
+# sense to use the bundled version because upstream consistently breaks ABI
+# even in point releases. Node.js upstream has now removed the ability to build
+# against a shared system version entirely.
+# See https://github.com/nodejs/node/commit/d726a177ed59c37cf5306983ed00ecd858cfbbef
+Provides: bundled(%{?scl_prefix}v8) = %{v8_version}
+
+# Node.js and http-parser share an upstream. The http-parser upstream does not
+# do releases often and is almost always far behind the bundled version
+Provides: bundled(%{?scl_prefix}llhttp) = %{llhttp_version}
+
+# We now bundle libuv in SCL too
+Provides: bundled(%{?scl_prefix}libuv) = %{libuv_version}
+
+# Node.js provides http2 support, but shared option is not yet available
+Provides: bundled(%{?scl_prefix}nghttp2) = %{nghttp2_version}
+
+# Bundle zlib on RHEL7, as the system version is too old
+Provides: bundled(%{?scl_prefix}zlib) = %{zlib_version}
+
+# Bundle uvwasi, since it is not available on RHEL7
+Provides: bundled(%{?scl_prefix}uvwasi) = %{uvwasi_version}
+
+Provides: bundled(%{?scl_prefix}histogram} = %{histogram_version}
+
+# Make sure we keep NPM up to date when we update Node.js
+Requires: %{?scl_prefix}npm = %{npm_version}-%{npm_release}%{?dist}
+
+%description
+Node.js is a platform built on Chrome's JavaScript runtime
+for easily building fast, scalable network applications.
+Node.js uses an event-driven, non-blocking I/O model that
+makes it lightweight and efficient, perfect for data-intensive
+real-time applications that run across distributed devices.
+
+
+%package devel
+Summary: JavaScript runtime - development headers
+Group: Development/Languages
+Requires: %{?scl_prefix}%{pkg_name}%{?_isa} = %{nodejs_version}-%{nodejs_release}%{?dist}
+Requires: openssl-devel%{?_isa}
+Requires: zlib-devel%{?_isa}
+Requires: %{?scl_prefix}runtime
+
+%if !%{with bootstrap}
+Requires: %{?scl_prefix}http-parser-devel%{?_isa}
+%endif
+
+
+%description devel
+Development headers for the Node.js JavaScript runtime.
+
+
+%package -n %{?scl_prefix}npm
+Summary: Node.js Package Manager
+Version: %{npm_version}
+Release: %{npm_release}%{?dist}
+
+# We used to ship npm separately, but it is so tightly integrated with Node.js
+# (and expected to be present on all Node.js systems) that we ship it bundled
+# now.
+Provides: %{?scl_prefix}npm = %{npm_version}
+Requires: %{?scl_prefix}nodejs = %{nodejs_version}-%{nodejs_release}%{?dist}
+
+
+%description -n %{?scl_prefix}npm
+npm is a package manager for node.js. You can use it to install and publish
+your node programs. It manages dependencies and does other cool stuff.
+
+
+%package docs
+Summary: Node.js API documentation
+Group: Documentation
+BuildArch: noarch
+
+%description docs
+The API documentation for the Node.js JavaScript runtime.
+
+
+%prep
+%autosetup -p1 -n node-v%{nodejs_version}
+
+# Add SSL shim files to dependencies
+tar -C deps/ -xzf "%{SOURCE1}" && mv deps/node-ssl-shim* deps/node-ssl-shim
+
+# fix file permissions on source and header files
+find deps/ -name '*.c' -o -name '*.h' -exec chmod 0644 '{}' +
+
+
+%build
+
+%{?scl:scl enable %{scl} devtoolset-9 - << \EOF}
+
+# _pkgdocdir does not support subpackage with different version
+%{?rhel7:%global _pkgdocdir %{_docdir}/%{name}-%{nodejs_version}}
+
+set -ex
+
+# Install ssl shim as bundled dependency
+%{make_install} -C deps/node-ssl-shim prefix=.
+
+# build with debugging symbols and add defines from libuv (#892601)
+# Node's v8 breaks with GCC 6 because of incorrect usage of methods on
+# NULL objects. We need to pass -fno-delete-null-pointer-checks
+extra_cflags=(
+    -g
+    -D_LARGEFILE_SOURCE
+    -D_FILE_OFFSET_BITS=64
+    -DZLIB_CONST
+    -fno-delete-null-pointer-checks
+)
+export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}"
+
+# This is not autotools, even if it resembles it
+./configure --prefix=%{_prefix} \
+    %{?with_debug:--debug} \
+    --with-dtrace --with-intl=small-icu \
+    --shared-openssl --openssl-use-def-ca-store --openssl-is-fips \
+    %{!?el7:--shared-zlib} \
+    %{!?with_bootstrap:--shared-http-parser} \
+    --debug-nghttp2
+
+%make_build %{!?with_parallel_build:-j1}
+
+%{?scl:EOF}
+
+
+%install
+./tools/install.py install %{buildroot} %{_prefix}
+
+# Set the binary permissions properly
+chmod 0755 %{buildroot}/%{_bindir}/node
+
+%if %{with debug}
+# Install the debug binary and set its permissions
+install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g
+%endif
+
+# own the sitelib directory
+mkdir -p %{buildroot}%{nodejs_sitelib}
+
+#install documentation
+mkdir -p %{buildroot}%{_pkgdocdir}/html
+cp -pr doc/* %{buildroot}%{_pkgdocdir}/html
+rm -f %{buildroot}%{_pkgdocdir}/html/nodejs.1
+
+#node-gyp needs common.gypi too
+mkdir -p %{buildroot}%{_datadir}/node
+cp -p common.gypi %{buildroot}%{_datadir}/node
+
+# install NPM docs to mandir
+mkdir -p %{buildroot}%{_mandir} \
+         %{buildroot}%{_pkgdocdir}/npm
+
+cp -pr deps/npm/man/* %{buildroot}%{_mandir}/
+rm -rf %{buildroot}%{_prefix}/%{nodejs_sitelib}/npm/man
+ln -sf %{_mandir}  %{buildroot}%{nodejs_sitelib}/npm/man
+
+# Install Gatsby HTML documentation to %%{_pkgdocdir}
+cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/
+rm -rf %{buildroot}%{nodejs_sitelib}/npm/docs
+
+ln -sf %{_pkgdocdir}/npm %{buildroot}%{nodejs_sitelib}/npm/docs
+
+# Install the GDB init tool into the documentation directory
+mv %{buildroot}/%{_datadir}/doc/node/gdbinit %{buildroot}/%{_pkgdocdir}/gdbinit
+
+# Node tries to install some python files into a documentation directory
+# (and not the proper one). Remove them for now until we figure out what to
+# do with them.
+rm -f %{buildroot}/%{_defaultdocdir}/node/lldb_commands.py \
+      %{buildroot}/%{_defaultdocdir}/node/lldbinit
+
+# Since the old version of NPM was unbundled, there are a lot of symlinks in
+# it's node_modules directory. We need to keep these as symlinks to ensure we
+# can backtrack on this if we decide to.
+
+# Rename the npm node_modules directory to node_modules.bundled
+mv %{buildroot}/%{nodejs_sitelib}/npm/node_modules \
+   %{buildroot}/%{nodejs_sitelib}/npm/node_modules.bundled
+
+# Recreate all the symlinks
+mkdir -p %{buildroot}/%{nodejs_sitelib}/npm/node_modules
+FILES=%{buildroot}/%{nodejs_sitelib}/npm/node_modules.bundled/*
+for f in $FILES
+do
+  module=`basename $f`
+  ln -s ../node_modules.bundled/$module %{buildroot}%{nodejs_sitelib}/npm/node_modules/$module
+done
+
+
+%check
+%{?scl:scl enable %{scl} devtoolset-9 - << \EOF}
+set -ex
+# Fail the build if the versions don't match
+%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
+%{buildroot}/%{_bindir}/node -e "require('assert').ok(process.versions.v8.startsWith('%{v8_version}'))"
+%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.ares.replace(/-DEV$/, ''), '%{c_ares_version}')"
+
+# Ensure we have punycode and that the version matches
+%{buildroot}/%{_bindir}/node -e "require('assert').equal(require('punycode').version, '%{punycode_version}')"
+
+# Ensure we have npm and that the version matches
+NODE_PATH=%{buildroot}%{nodejs_sitelib} %{buildroot}/%{_bindir}/node -e "require('assert').equal(require('npm').version, '%{npm_version}')"
+
+# Only run suites that we are expected to pass
+RUN_SUITES=(
+    abort
+    async-hooks
+    cctest
+    es-module
+    parallel
+    sequential
+)
+python2 tools/test.py "${RUN_SUITES[@]}" || :  # FIXME – disable all failing tests to catch new failures
+
+%{?scl:EOF}
+
+%files
+%{_bindir}/node
+%{_mandir}/man1/node.*
+%dir %{_pkgdocdir}
+%dir %{nodejs_sitelib}
+%dir %{_datadir}/node
+%dir %{_datadir}/systemtap
+%dir %{_datadir}/systemtap/tapset
+%{_datadir}/systemtap/tapset/node.stp
+
+%dir %{_prefix}/lib/dtrace
+%{_prefix}/lib/dtrace/node.d
+
+%license LICENSE
+%doc AUTHORS CHANGELOG.md onboarding.md GOVERNANCE.md README.md
+
+%files devel
+%if %{with debug}
+%{_bindir}/node_g
+%endif
+%{_includedir}/node
+%{_datadir}/node/common.gypi
+%{_pkgdocdir}/gdbinit
+
+%files -n %{?scl_prefix}npm
+%{_bindir}/npm
+%{_bindir}/npx
+%{nodejs_sitelib}/npm
+%ghost %{_sysconfdir}/npmrc
+%ghost %{_sysconfdir}/npmignore
+%doc %{_mandir}/man1/npm*.1*
+%doc %{_mandir}/man1/npx.1*
+%doc %{_mandir}/man5/folders.5*
+%doc %{_mandir}/man5/install.5*
+%doc %{_mandir}/man5/npmrc.5*
+%doc %{_mandir}/man5/package-json.5*
+%doc %{_mandir}/man5/package-lock-json.5*
+%doc %{_mandir}/man5/package-locks.5*
+%doc %{_mandir}/man5/shrinkwrap-json.5*
+%doc %{_mandir}/man7/config.7*
+%doc %{_mandir}/man7/developers.7*
+%doc %{_mandir}/man7/disputes.7*
+%doc %{_mandir}/man7/orgs.7*
+%doc %{_mandir}/man7/registry.7*
+%doc %{_mandir}/man7/removal.7*
+%doc %{_mandir}/man7/scope.7*
+%doc %{_mandir}/man7/scripts.7*
+%doc %{_mandir}/man7/semver.7*
+
+
+%files docs
+%dir %{_pkgdocdir}
+%{_pkgdocdir}/html
+%{_pkgdocdir}/npm/docs
+
+
+%changelog
+* Thu Oct 29 2020 Jan Staněk <jstanek@redhat.com> - 14.15.0-1
+- Rebase to 14.15.0
+
+* Wed Sep 16 2020 Jan Staněk <jstanek@redhat.com> - 14.11.0-1
+- Rebase to 14.11.0
+
+* Thu Aug 27 2020 Jan Staněk <jstanek@redhat.com> - 14.8.0-1
+- Rebase to 14.8.0
+- Enable FIPS when building (--openssl-is-fips)
+
+* Wed Jul 29 2020 Jan Staněk <jstanek@redhat.com> - 14.6.0-1
+- Rebase to 14.6.0
+
+* Tue Jun 30 2020 Jan Staněk <jstanek@redhat.com> - 12.18.2-1
+- Rebase to 12.18.2
+
+* Wed Jun 24 2020 Jan Staněk <jstanek@redhat.com> - 12.18.1-1
+- Rebase to 12.18.1
+- Use devtoolset-9
+
+* Wed Feb 19 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 12.16.1
+- Resolves: RHBZ#1800404, RHBZ#1800403, RHBZ#1800378, RHBZ#1774113
+- Resolves: RHBZ#1803154, RHBZ#1803157, RHBZ#1803160 (nmp CVEs)
+- also 1793482
+- use devtoolset-8, build with -j4
+- added uvwasi bundled dependency
+- revert more features #23188, #30637, #29598, #29292, #29489, #30055, #30053
+
+* Thu Jan 16 2020 Jan Staněk <jstanek@redhat.com> - 12.14.1-1
+- Rebase to 12.14.1
+
+* Thu Nov 14 2019 Jan Staněk <jstanek@redhat.com> - 12.10.0-4
+- Patch more OpenSSL features
+- Adjust test suite to (mostly) pass without patched OpenSSL features
+
+* Thu Oct 10 2019 Jan Staněk <jstanek@redhat.com> - 12.10.0-3
+- Revert statx utilization in libuv to workaround s390x container issue
+- Resolves: rhbz#1760184
+
+* Sat Oct 05 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 12.10.0-2
+- Add some missing flags, merge patches into one
+
+* Sat Oct 05 2019 Honza Horak <hhorak@redhat.com> - 12.10.0-1.1
+- Rebase to 12.10.0 and apply patches for openssl compatibility
+  (patches prepared by Zuzana and Jan)
+
+* Tue Aug 13 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 12.8.0-1
+- Resolves: RHBZ#1717846
+- update to v12.x
+- build without crypto for now
+
+* Thu Apr 04 2019 Jan Staněk <jstanek@redhat.com> - 10.10.0-3
+- Rebuild with bundled zlib
+- Resolves: rhbz#1677710
+
+* Wed Oct 31 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 10.10.0-2
+- Resolves: RHBZ#1584252
+- comment out native.req file to prevent conflict with other Node.js
+- installations (rhbz#1637922)
+
+* Fri Sep 14 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 10.10.0-1
+- rebase to v10.10.0
+- update patches for openssl
+- TODO: remove useless comments, fix failing tests, update bundled provides
+
+* Thu Jul 19 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 10.1.0-1
+- Initial v10 packaging
+- patch crypto/openssl 1.1.0 -> 1.0.2
+- remove scl prefixes from bundled dependencies
+- TODO: update patches and dependencies
+
+* Tue Feb 06 2018 Zuzana Svetlikova <zsvtelik@redhat.com> - 8.9.4-2
+- Resolves: RHBZ#1513560 #1542079
+- fix outdated minizlib dependency in npm node_modules tree
+- https://github.com/nodejs/node/pull/16509
+
+* Mon Jan 15 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.9.4-1
+- Resolves: RHBZ#1513560
+- rebase to LTS
+
+* Wed Sep 27 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.6.0-1
+- Resolves: RHBZ#1490389
+- Update, v8.5.0 contains a CVE
+
+* Thu Sep 21 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.5.0-1
+- Resolves: RHBZ#1490389
+- Update to latest version, bundle nghttp2
+
+* Thu Aug 10 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.3.0-2
+- Handle failing test in better manner
+- run more tests
+
+* Thu Aug 10 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.3.0-1
+- Update to 8.3.0
+- update V8 to 6.0
+- update libuv to 1.13.1
+- add bundled provides for npm modules
+- enable aarch64 builds
+
+* Mon Jul 24 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.2.1-1
+- Update to 8.2.1
+- update npm to 5.3.0, add npx command
+
+* Wed Jul 12 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.1.4-1
+- Security update (https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/)
+- Fixes RHBZ#1463132 and RHBZ#1469706
+
+* Wed Jun 28 2017 Joe Orton <jorton@redhat.com> - 8.1.2-7
+- disable debug build on aarch64
+
+* Wed Jun 28 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.1.2-6
+- Build aarm64 without icu
+- switch to dts 7
+
+* Tue Jun 27 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.1.2-5
+- Switch to DTS
+
+* Tue Jun 27 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.1.2-4
+- Add %%BuildArch
+
+* Sat Jun 24 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.1.2-3
+- Patch CVE-2017-1000381
+
+* Fri Jun 23 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.1.2-2
+- some clean up after fedora
+
+* Mon Jun 19 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 8.1.2-1
+- Initial v8.x build, npm@5.0.3
+- remove merged certs patch
+- build with updated system openssl
+- use fedora-style packaging, bundle npm and dependencies
+- bootstrap is modularity conditional to bundle http-parser
+- missing from base-runtime/shared-userspace
+- RHSCL 3.0 should be built for more arches
+
+* Wed Jan 11 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 6.9.1-2
+- Rebuild from zvetlik/rh-nodejs6
+- newer releases have problems with debug
+- add procps-ng for tests
+- remove unused patches
+
+* Thu Nov 03 2016 Zuzana Svetlikova <zsvetlik@redhat.com> - 6.9.1-1
+- Update to 6.9.1
+
+* Wed Oct 19 2016 Zuzana Svetlikova <zsvetlik@redhat.com> - 6.9.0-1
+- update to v6.9.0 LTS
+
+* Tue Oct 04 2016 Zuzana Svetlikova <zsvetlik@redhat.com> - 6.7.0-5
+- Disable failing crypto tests
+
+* Tue Oct 04 2016 Zuzana Svetlikova <zsvetlik@redhat.com> - 6.7.0-4
+- Require openssl
+
+* Tue Oct 04 2016 Zuzana Svetlikova <zsvetlik@redhat.com> - 6.7.0-2
+- Build with shared openssl with EPEL7 patch
+
+* Mon Oct 03 2016 Zuzana Svetlikova <zsvetlik@redhat.com> - 6.7.0-1
+- Update to 6.7.0
+
+* Wed Aug 31 2016 Zuzana Svetlikova <zsvetlik@redhat.com> - 6.5.0-1
+- Update to 6.5.0, meanwhile built with bundled openssl
+- update system-certs patch
+
+* Wed Apr 06 2016 Tomas Hrcka <thrcka@redhat.com> - 4.4.2-1
+- Rebase to latest upstream LTS release 4.4.2
+- https://nodejs.org/en/blog/release/v4.4.1/
+
+* Tue Apr 05 2016 Tomas Hrcka <thrcka@redhat.com> - 4.4.1-2
+- Rebase to latest upstream LTS release 4.4.1
+- https://nodejs.org/en/blog/release/v4.4.1/
+
+* Thu Mar 17 2016 Tomas Hrcka <thrcka@redhat.com> - 4.4.0-1
+- Rebase to latest upstream LTS release 4.4.0
+
+* Tue Mar 01 2016 Tomas Hrcka <thrcka@redhat.com> - 4.3.0-5
+- New upstream release 4.3.0
+- https://nodejs.org/en/blog/release/v4.3.0/
+- Build with bundled openssl, this will be reverted ASAP
+- Unbundled http-parser
+
+* Thu Jul 16 2015 Tomas Hrcka <thrcka@redhat.com> - 0.10.40-1
+- Rebase to latest upstream release
+
+* Wed Jul 01 2015 Tomas Hrcka <thrcka@redhat.com> - 0.10.39-1
+- Rebase to latest upstream release
+
+* Wed Mar 25 2015 Tomas Hrcka <thrcka@redhat.com> - 0.10.35-4
+- Enable tests during build time
+
+* Tue Mar 17 2015 Tomas Hrcka <thrcka@redhat.com> - 0.10.35-2
+- Reflect dependency on specific ABI changes in v8
+- RHBZ#1197110
+
+* Wed Jan 07 2015 Tomas Hrcka <thrcka@redhat.com> - 0.10.35-1
+- New upstream release 0.10.35
+
+* Sun Feb 02 2014 Tomas Hrcka <thrcka@redhat.com> - 0.10.25-1
+- New upstream release 0.10.25
+
+* Tue Jan 14 2014 Tomas Hrcka <thrcka@redhat.com> - 0.10.24-1
+- new upstream release 0.10.24
+
+* Tue Nov 26 2013 Tomas Hrcka <thrcka@redhat.com> - 0.10.21-3
+- rebuilt with v8314 collection
+
+* Tue Nov 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.22-1
+- new upstream release 0.10.22
+  http://blog.nodejs.org/2013/11/12/node-v0-10-22-stable/
+
+* Mon Oct 21 2013 Tomas Hrcka <thrcka@redhat.com> - 0.10.21-2
+- Build with system wide c-ares
+
+* Fri Oct 18 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.21-1
+- new upstream release 0.10.21
+  http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
+- resolves an undisclosed security vulnerability in the http module
+
+* Tue Oct 01 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.20-1
+- new upstream release 0.10.20
+  http://blog.nodejs.org/2013/09/30/node-v0-10-20-stable/
+
+* Wed Sep 25 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.19-1
+- new upstream release 0.10.19
+  http://blog.nodejs.org/2013/09/24/node-v0-10-19-stable/
+
+* Fri Sep 06 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.18-1
+- new upstream release 0.10.18
+  http://blog.nodejs.org/2013/09/04/node-v0-10-18-stable/
+
+* Tue Aug 27 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.17-1
+- new upstream release 0.10.17
+  http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
+
+* Sat Aug 17 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.16-1
+- new upstream release 0.10.16
+  http://blog.nodejs.org/2013/08/16/node-v0-10-16-stable/
+- add v8-devel to -devel Requires
+- restrict -devel Requires to the same architecture
+
+* Wed Aug 14 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.14-3
+- fix typo in _isa macro in v8 Requires
+
+* Wed Aug 07 2013 Tomas Hrcka <thrcka@redhat.com> - 0.10.5-6
+ - Remove badly licensed fonts in script instead of patch
+
+* Thu Jul 25 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.14-1
+- new upstream release 0.10.14
+  http://blog.nodejs.org/2013/07/25/node-v0-10-14-stable/
+
+* Wed Jul 10 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.13-1
+- new upstream release 0.10.13
+  http://blog.nodejs.org/2013/07/09/node-v0-10-13-stable/
+- remove RPM macros, etc. now that they've migrated to nodejs-packaging
+
+* Wed Jun 19 2013 Tomas Hrcka <thrcka@redhat.com> - 0.10.5-5
+ - added patch to remove badly licensed web fonts
+
+* Wed Jun 19 2013 Tomas Hrcka <thrcka@redhat.com> - 0.10.5-5
+ - added patch to remove badly licensed web fonts
+
+* Wed Jun 19 2013 Tomas Hrcka <thrcka@redhat.com> - 0.10.5-4
+  - strip openssl from the tarball it contains prohibited code (RHBZ#967736)
+  - patch makefile so it do not use bundled deps
+  - new stripped tarball
+
+* Wed Jun 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.12-1
+- new upstream release 0.10.12
+  http://blog.nodejs.org/2013/06/18/node-v0-10-12-stable/
+- split off a -packaging subpackage with RPM macros, etc.
+- build -docs as noarch
+- copy mutiple version logic from nodejs-packaging SRPM for now
+
+* Fri May 31 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.9-1
+- new upstream release 0.10.9
+  http://blog.nodejs.org/2013/05/30/node-v0-10-9-stable/
+
+* Wed May 29 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.8-1
+- new upstream release 0.10.8
+  http://blog.nodejs.org/2013/05/24/node-v0-10-8-stable/
+
+* Wed May 29 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.7-1
+- new upstream release 0.10.7
+  http://blog.nodejs.org/2013/05/17/node-v0-10-7-stable/
+- strip openssl from the tarball; it contains prohibited code (RHBZ#967736)
+- patch Makefile so we can just remove all bundled deps completely
+
+* Wed May 15 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.6-1
+- new upstream release 0.10.6
+  http://blog.nodejs.org/2013/05/14/node-v0-10-6-stable/
+
+* Tue May 14 2013 Tomas Hrcka <thrcka@redhat.com> - 0.10.5-3.1
+ - updated to latest upstream stable release
+
+* Mon May 06 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.5-3
+- nodejs-fixdep: work properly when a package has no dependencies
+
+* Mon Apr 29 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.5-2
+- nodejs-symlink-deps: make it work when --check is used and just
+  devDependencies exist
+
+* Wed Apr 24 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.5-1
+- new upstream release 0.10.5
+  http://blog.nodejs.org/2013/04/23/node-v0-10-5-stable/
+
+* Mon Apr 15 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.4-1
+- new upstream release 0.10.4
+  http://blog.nodejs.org/2013/04/11/node-v0-10-4-stable/
+- drop dependency generator files not supported on EL6
+- port nodejs_default_filter to EL6
+- add nodejs_find_provides_and_requires macro to invoke dependency generator
+- invoke the standard RPM provides and requires generators from the Node.js ones
+- write native module Requires from nodejs.req
+- change the c-ares-devel Requires in -devel to match the BuildRequires
+
+* Tue Apr 09 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.10.3-2.1
+- Build against c-ares 1.9
+
+* Mon Apr 08 2013 Stanislav Ochotnicky <sochotnicky@redhat.com> - 0.10.3-3
+- Add support for software collections
+- Move rpm macros and tooling to separate package
+- add no-op macro to permit spec compatibility with EPEL
+
+* Thu Apr 04 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.3-2
+- nodejs-symlink-deps: symlink unconditionally in the buildroot
+
+* Wed Apr 03 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.3-1
+- new upstream release 0.10.3
+  http://blog.nodejs.org/2013/04/03/node-v0-10-3-stable/
+- nodejs-symlink-deps: only create symlink if target exists
+- nodejs-symlink-deps: symlink devDependencies when --check is used
+
+* Sun Mar 31 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.2-1
+- new upstream release 0.10.2
+  http://blog.nodejs.org/2013/03/28/node-v0-10-2-stable/
+- remove %%nodejs_arches macro since it will only be useful if it is present in
+  the redhat-rpm-config package
+- add default filtering macro to remove unwanted Provides from native modules
+- nodejs-symlink-deps now supports multiple modules in one SRPM properly
+- nodejs-symlink-deps also now supports a --check argument that works in the
+  current working directry instead of the buildroot
+
+* Fri Mar 22 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.1-1
+- new upstream release 0.10.1
+  http://blog.nodejs.org/2013/03/21/node-v0-10-1-stable/
+
+* Wed Mar 20 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.0-4
+- fix escaping in dependency generator regular expressions (RHBZ#923941)
+
+* Wed Mar 13 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.0-3
+- add virtual ABI provides for node and v8 so binary module's deps break when
+  binary compatibility is broken
+- automatically add matching Requires to nodejs binary modules
+- add %%nodejs_arches macro to future-proof ExcluseArch stanza in dependent
+  packages
+
+* Tue Mar 12 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.10.0-2
+- Fix up documentation subpackage
+
+* Mon Mar 11 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.10.0-1
+- Update to stable 0.10.0 release
+- https://raw.github.com/joyent/node/v0.10.0/ChangeLog
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.5-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 22 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.5-10
+- minor bugfixes to RPM magic
+  - nodejs-symlink-deps: don't create an empty node_modules dir when a module
+    has no dependencies
+  - nodes-fixdep: support adding deps when none exist
+- Add the full set of headers usually bundled with node as deps to nodejs-devel.
+  This way `npm install` for native modules that assume the stuff bundled with
+  node exists will usually "just work".
+-move RPM magic to nodejs-devel as requested by FPC
+
+* Sat Jan 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.5-9
+- fix brown paper bag bug in requires generation script
+
+* Thu Jan 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 0.9.5-8
+- Build debug binary and install it in the nodejs-devel subpackage
+
+* Thu Jan 10 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.5-7
+- don't use make install since it rebuilds everything
+
+* Thu Jan 10 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.5-6
+- add %%{?isa}, epoch to v8 deps
+
+* Wed Jan 09 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.5-5
+- add defines to match libuv (#892601)
+- make v8 dependency explicit (and thus more accurate)
+- add -g to $C(XX)FLAGS instead of patching configure to add it
+- don't write pointless 'npm(foo) > 0' deps
+
+* Sat Jan 05 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.5-4
+- install development headers
+- add nodejs_sitearch macro
+
+* Wed Jan 02 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.5-3
+- make nodejs-symlink-deps actually work
+
+* Tue Jan 01 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.5-2
+- provide nodejs-devel so modules can BuildRequire it (and be consistent
+  with other interpreted languages in the distro)
+
+* Tue Jan 01 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.5-1
+- new upstream release 0.9.5
+- provide nodejs-devel for the moment
+- fix minor bugs in RPM magic
+- add nodejs_fixdep macro so packagers can easily adjust dependencies in
+  package.json files
+
+* Wed Dec 26 2012 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.9.4-1
+- new upstream release 0.9.4
+- system library patches are now upstream
+- respect optflags
+- include documentation in subpackage
+- add RPM dependency generation and related magic
+- guard libuv depedency so it always gets bumped when nodejs does
+- add -devel subpackage with enough to make node-gyp happy
+
+* Thu Dec 20 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.9.3-9
+- Drop requirement on openssl 1.0.1
+
+* Wed Dec 19 2012 Dan Horák <dan[at]danny.cz> - 0.9.3-8
+- set exclusive arch list to match v8
+
+* Tue Dec 18 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.9.3-7
+- Add remaining changes from code review
+- Remove unnecessary BuildRequires on findutils
+- Remove %%clean section
+
+* Fri Dec 14 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.9.3-6
+- Fixes from code review
+- Fix executable permissions
+- Correct the License field
+- Build debuginfo properly
+
+* Thu Dec 13 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.9.3-5
+- Return back to using the standard binary name
+- Temporarily adding a conflict against the ham radio node package until they
+  complete an agreed rename of their binary.
+
+* Wed Nov 28 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.9.3-4
+- Rename binary and manpage to nodejs
+
+* Mon Nov 19 2012 Stephen Gallagher <sgallagh@redhat.com> - 0.9.3-3
+- Update to latest upstream development release 0.9.3
+- Include upstreamed patches to unbundle dependent libraries
+
+* Tue Oct 23 2012 Adrian Alves <alvesadrian@fedoraproject.org>  0.8.12-1
+- Fixes and Patches suggested by Matthias Runge
+
+* Mon Apr 09 2012 Adrian Alves <alvesadrian@fedoraproject.org> 0.6.5
+- First build.