diff --git a/.gitignore b/.gitignore
index 1472b88..cddf1b5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/node-ssl-shim-70e39fd.tar.gz
-SOURCES/node-v14.18.2-stripped.tar.gz
+SOURCES/node-v14.20.0-stripped.tar.gz
diff --git a/.rh-nodejs14-nodejs.metadata b/.rh-nodejs14-nodejs.metadata
index a010fee..f483f68 100644
--- a/.rh-nodejs14-nodejs.metadata
+++ b/.rh-nodejs14-nodejs.metadata
@@ -1,2 +1,2 @@
 a49b02166a7bdba54fb45cba26a18fa48928ca0e SOURCES/node-ssl-shim-70e39fd.tar.gz
-2fbd74467b816a6319c33e0df147817a87b6bd39 SOURCES/node-v14.18.2-stripped.tar.gz
+fac24a1c927ac8f47ddfb8694513836127c9afa4 SOURCES/node-v14.20.0-stripped.tar.gz
diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch
index 30ff22f..ed3955e 100644
--- a/SOURCES/0001-Link-with-ssl-shim.patch
+++ b/SOURCES/0001-Link-with-ssl-shim.patch
@@ -1,7 +1,7 @@
-From ac25a4c4c88d234b52bdc3d47d5d8d5d9783aaa0 Mon Sep 17 00:00:00 2001
+From acc0bf44f8f822bf1dd07f62c8d2533ad4f0c1ce Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Tue, 28 Apr 2020 11:15:24 +0200
-Subject: [PATCH 1/7] Link with ssl-shim
+Subject: [PATCH] Link with ssl-shim
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -14,10 +14,10 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  3 files changed, 10 insertions(+), 4 deletions(-)
 
 diff --git a/node.gypi b/node.gypi
-index 43dbda7bbf..070f212d96 100644
+index ad088b133b..45f6a9f45c 100644
 --- a/node.gypi
 +++ b/node.gypi
-@@ -364,9 +364,13 @@
+@@ -361,9 +361,13 @@
                ],
              }],
            ],
@@ -35,10 +35,10 @@ index 43dbda7bbf..070f212d96 100644
      }],
  
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 61db9f04bb..798568bb8f 100644
+index 61e5a32854..d7c7d06646 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
-@@ -1158,7 +1158,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
+@@ -1174,7 +1174,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
  
  void SecureContext::SetCipherSuites(const FunctionCallbackInfo<Value>& args) {
    // BoringSSL doesn't allow API config of TLS1.3 cipher suites.
@@ -61,5 +61,5 @@ index bef98b3e24..d46730c9ba 100644
  namespace crypto {
  
 -- 
-2.33.1
+2.36.1
 
diff --git a/SOURCES/0002-Use-OpenSSL-1.0-API.patch b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
index 24d2554..9d962a7 100644
--- a/SOURCES/0002-Use-OpenSSL-1.0-API.patch
+++ b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
@@ -1,7 +1,7 @@
-From e3830b75429a24e10939323941074ce9fa938e73 Mon Sep 17 00:00:00 2001
+From 58e2804cb0802a751f3b4069252b904eedf17f56 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Wed, 7 Jul 2021 13:37:46 +0200
-Subject: [PATCH 2/7] Use OpenSSL 1.0 API
+Date: Wed, 13 Jul 2022 14:26:36 +0200
+Subject: [PATCH] Use OpenSSL 1.0 API
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -27,19 +27,21 @@ Content-Transfer-Encoding: 8bit
 
 - Return const char from SSL_CIPHER_get_version
 
+- Use non-const signature for X509 name functions
+
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
  src/node_crypto.cc        | 26 ++++++++++++++++++++++++--
  src/node_crypto.h         |  4 ++++
  src/node_crypto_bio.cc    |  4 ++++
- src/node_crypto_common.cc | 10 +++++++++-
- 4 files changed, 41 insertions(+), 3 deletions(-)
+ src/node_crypto_common.cc | 14 +++++++++++---
+ 4 files changed, 43 insertions(+), 5 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 798568bb8f..d246132209 100644
+index d7c7d06646..de8b26930b 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
-@@ -127,7 +127,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
+@@ -133,7 +133,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
  template void SSLWrap<TLSWrap>::MemoryInfo(MemoryTracker* tracker) const;
  template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
      SSL* s,
@@ -51,7 +53,7 @@ index 798568bb8f..d246132209 100644
      int len,
      int* copy);
  template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
-@@ -1769,7 +1773,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
+@@ -1785,7 +1789,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
  
  template <class Base>
  SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
@@ -63,7 +65,7 @@ index 798568bb8f..d246132209 100644
                                                 int len,
                                                 int* copy) {
    Base* w = static_cast<Base*>(SSL_get_app_data(s));
-@@ -5898,9 +5906,23 @@ struct PBKDF2Job : public CryptoJob {
+@@ -5908,9 +5916,23 @@ struct PBKDF2Job : public CryptoJob {
    }
  
    inline void DoThreadPoolWork() override {
@@ -122,10 +124,10 @@ index 8c58e31f86..319580c9b6 100644
      NodeBIO::FromBIO(bio.get())->env_ = env;
    return bio;
 diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
-index 6473b652ac..da1033fdef 100644
+index d43e5af2b5..7d313dd3df 100644
 --- a/src/node_crypto_common.cc
 +++ b/src/node_crypto_common.cc
-@@ -405,7 +405,15 @@ MaybeLocal<Value> GetCipherStandardName(
+@@ -337,7 +337,15 @@ MaybeLocal<Value> GetCipherStandardName(
  }
  
  MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
@@ -142,6 +144,24 @@ index 6473b652ac..da1033fdef 100644
  }
  
  StackOfX509 CloneSSLCerts(X509Pointer&& cert,
+@@ -845,7 +853,7 @@ v8::MaybeLocal<v8::Value> GetInfoAccessString(
+   return ToV8Value(env, bio);
+ }
+ 
+-template <X509_NAME* get_name(const X509*)>
++template <X509_NAME* get_name(X509*)>
+ static MaybeLocal<Value> GetX509NameObject(Environment* env, X509* cert) {
+   X509_NAME* name = get_name(cert);
+   CHECK_NOT_NULL(name);
+@@ -868,7 +876,7 @@ static MaybeLocal<Value> GetX509NameObject(Environment* env, X509* cert) {
+     // anyway, and multi-value RDNs are rare, i.e., the vast majority of
+     // Relative Distinguished Names contains a single type-value pair only.
+     const ASN1_OBJECT* type = X509_NAME_ENTRY_get_object(entry);
+-    const ASN1_STRING* value = X509_NAME_ENTRY_get_data(entry);
++    ASN1_STRING* value = X509_NAME_ENTRY_get_data(entry);
+ 
+     // If OpenSSL knows the type, use the short name of the type as the key, and
+     // the numeric representation of the type's OID otherwise.
 -- 
-2.33.1
+2.36.1
 
diff --git a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
index 35735a2..977b643 100644
--- a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
+++ b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
@@ -1,7 +1,7 @@
-From 8c2d8893a51440e20c2e3c22f8981b64cf4fd643 Mon Sep 17 00:00:00 2001
+From 683dd65f2b3dd67e64ef4d4aaadf390d08b481aa Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Wed, 7 Jul 2021 13:37:47 +0200
-Subject: [PATCH 3/7] Backport necessary OpenSSL features
+Date: Wed, 13 Jul 2022 14:27:40 +0200
+Subject: [PATCH] Backport necessary OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -52,10 +52,10 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  2 files changed, 184 insertions(+), 26 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index d246132209..81ac3b5dd4 100644
+index de8b26930b..975a148fc8 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
-@@ -541,6 +541,11 @@ inline void SecureContext::Reset() {
+@@ -557,6 +557,11 @@ inline void SecureContext::Reset() {
    ctx_.reset();
    cert_.reset();
    issuer_.reset();
@@ -67,7 +67,7 @@ index d246132209..81ac3b5dd4 100644
  }
  
  SecureContext::~SecureContext() {
-@@ -554,7 +559,11 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
+@@ -570,7 +575,11 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
  
  // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
  // Node.js doesn't, so pin the max to what we do support.
@@ -79,7 +79,7 @@ index d246132209..81ac3b5dd4 100644
  
  void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
-@@ -609,38 +618,23 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
+@@ -625,38 +634,23 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
        max_version = MAX_SUPPORTED_VERSION;
        method = TLS_client_method();
      } else if (sslmethod == "TLSv1_method") {
@@ -127,7 +127,7 @@ index d246132209..81ac3b5dd4 100644
      } else {
        const std::string msg("Unknown method: ");
        THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, (msg + * sslmethod).c_str());
-@@ -670,8 +664,14 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
+@@ -686,8 +680,14 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
                                   SSL_SESS_CACHE_NO_INTERNAL |
                                   SSL_SESS_CACHE_NO_AUTO_CLEAR);
  
@@ -142,7 +142,7 @@ index d246132209..81ac3b5dd4 100644
  
    // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
    // exposed in the public API. To retain compatibility, install a callback
-@@ -1216,6 +1216,10 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
+@@ -1232,6 +1232,10 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
    THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "ECDH curve name");
  
    node::Utf8Value curve(env->isolate(), args[0]);
@@ -153,7 +153,7 @@ index d246132209..81ac3b5dd4 100644
  
    if (strcmp(*curve, "auto") == 0)
      return;
-@@ -1267,6 +1271,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
+@@ -1283,6 +1287,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
      return env->ThrowTypeError("Error setting temp DH parameter");
  }
  
@@ -219,7 +219,7 @@ index d246132209..81ac3b5dd4 100644
  
  void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
-@@ -1277,7 +1340,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1293,7 +1356,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
  
    int version = args[0].As<Int32>()->Value();
  
@@ -232,7 +232,7 @@ index d246132209..81ac3b5dd4 100644
  }
  
  
-@@ -1290,7 +1358,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1306,7 +1374,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
  
    int version = args[0].As<Int32>()->Value();
  
@@ -245,7 +245,7 @@ index d246132209..81ac3b5dd4 100644
  }
  
  
-@@ -1301,7 +1374,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1317,7 +1390,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
    CHECK_EQ(args.Length(), 0);
  
    long version =  // NOLINT(runtime/int)
@@ -257,7 +257,7 @@ index d246132209..81ac3b5dd4 100644
    args.GetReturnValue().Set(static_cast<uint32_t>(version));
  }
  
-@@ -1313,11 +1390,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1329,11 +1406,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
    CHECK_EQ(args.Length(), 0);
  
    long version =  // NOLINT(runtime/int)
@@ -273,7 +273,7 @@ index d246132209..81ac3b5dd4 100644
  void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
    ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
-@@ -6873,8 +6953,72 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
+@@ -6883,8 +6963,72 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
        CRYPTO_memcmp(buf1.data(), buf2.data(), buf1.length()) == 0);
  }
  
@@ -373,5 +373,5 @@ index dbc46fbec8..d27125042b 100644
  
  // SSLWrap implicitly depends on the inheriting class' handle having an
 -- 
-2.33.1
+2.36.1
 
diff --git a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
index dbec230..68af894 100644
--- a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
+++ b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
@@ -1,7 +1,7 @@
-From 76a36980372b8dbf82a0ada18a1ebae3d94c5fa0 Mon Sep 17 00:00:00 2001
+From 4ba04fcbfd74f9b214c6dd25d82dad5a87cf8465 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Wed, 7 Jul 2021 13:37:48 +0200
-Subject: [PATCH 4/7] Disable unsupported OpenSSL features
+Date: Wed, 13 Jul 2022 14:30:43 +0200
+Subject: [PATCH] Disable unsupported OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -31,28 +31,96 @@ Content-Transfer-Encoding: 8bit
   The expected semantics is the same as using the regular versions,
   so the possibility of using the secure heap was simply removed.
 
+- Revert "src,deps,build,test: add OpenSSL config appname"
+
+  This reverts commit 8e8aef836cb9807c9fe5ca350f1e7febdb40c3a7.
+
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
- doc/api/cli.md                                 | 18 ------------------
- doc/api/tls.md                                 | 15 +++++++--------
- src/env.h                                      | 11 ++++++++++-
- src/node_crypto.cc                             |  8 ++++++--
- src/node_crypto_common.cc                      | 12 ++++++++++++
- src/node_crypto_common.h                       |  6 ++++++
- src/node_options.cc                            | 10 +++++++++-
- .../test-tls-cli-max-version-1.3.js            |  0
- .../test-tls-cli-min-max-conflict.js           |  0
- .../test-tls-cli-min-version-1.3.js            |  0
- 10 files changed, 50 insertions(+), 30 deletions(-)
+ BUILDING.md                                   | 14 ------
+ configure.py                                  |  8 ----
+ doc/api/cli.md                                | 18 --------
+ doc/api/tls.md                                | 15 +++----
+ src/env.h                                     | 11 ++++-
+ src/node.cc                                   | 43 -------------------
+ src/node_crypto.cc                            |  8 +++-
+ src/node_crypto_common.cc                     | 12 ++++++
+ src/node_crypto_common.h                      |  6 +++
+ src/node_options.cc                           | 10 ++++-
+ test/fixtures/openssl_fips_disabled.cnf       |  2 +-
+ test/fixtures/openssl_fips_enabled.cnf        |  2 +-
+ .../test-tls-cli-max-version-1.3.js           |  0
+ .../test-tls-cli-min-max-conflict.js          |  0
+ .../test-tls-cli-min-version-1.3.js           |  0
+ test/parallel/test-crypto-fips.js             |  2 +-
+ 16 files changed, 53 insertions(+), 98 deletions(-)
  rename test/{parallel => known_issues}/test-tls-cli-max-version-1.3.js (100%)
  rename test/{parallel => known_issues}/test-tls-cli-min-max-conflict.js (100%)
  rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)
 
+diff --git a/BUILDING.md b/BUILDING.md
+index 0ae3c09d99..5d2459eb76 100644
+--- a/BUILDING.md
++++ b/BUILDING.md
+@@ -52,7 +52,6 @@ file a new issue.
+   * [Build with a specific ICU](#build-with-a-specific-icu)
+     * [Unix/macOS](#unixmacos-3)
+     * [Windows](#windows-4)
+-* [Configuring OpenSSL config appname](#configure-openssl-appname)
+ * [Building Node.js with FIPS-compliant OpenSSL](#building-nodejs-with-fips-compliant-openssl)
+ * [Building Node.js with external core modules](#building-nodejs-with-external-core-modules)
+   * [Unix/macOS](#unixmacos-4)
+@@ -767,19 +766,6 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)
+ > .\vcbuild full-icu
+ ```
+ 
+-### Configure OpenSSL appname
+-
+-Node.js can use an OpenSSL configuration file by specifying the environment
+-variable `OPENSSL_CONF`, or using the command line option `--openssl-conf`, and
+-if none of those are specified will default to reading the default OpenSSL
+-configuration file `openssl.cnf`. Node.js will only read a section that is by
+-default named `nodejs_conf`, but this name can be overridden using the following
+-configure option:
+-
+-```console
+-$ ./configure --openssl-conf-name=<some_conf_name>
+-```
+-
+ ## Building Node.js with FIPS-compliant OpenSSL
+ 
+ The current version of Node.js does not support FIPS.
+diff --git a/configure.py b/configure.py
+index 892e1d4202..2ea4eb69f5 100755
+--- a/configure.py
++++ b/configure.py
+@@ -176,12 +176,6 @@ parser.add_option("--link-module",
+          "e.g. /root/x/y.js will be referenced via require('root/x/y'). "
+          "Can be used multiple times")
+ 
+-parser.add_option("--openssl-conf-name",
+-    action="store",
+-    dest="openssl_conf_name",
+-    default='nodejs_conf',
+-    help="The OpenSSL config appname (config section name) used by Node.js")
+-
+ parser.add_option('--openssl-default-cipher-list',
+     action='store',
+     dest='openssl_default_cipher_list',
+@@ -1343,8 +1337,6 @@ def configure_openssl(o):
+   if options.openssl_no_asm:
+     variables['openssl_no_asm'] = 1
+ 
+-  o['defines'] += ['NODE_OPENSSL_CONF_NAME=' + options.openssl_conf_name]
+-
+   if options.without_ssl:
+     def without_ssl_error(option):
+       error('--without-ssl is incompatible with %s' % option)
 diff --git a/doc/api/cli.md b/doc/api/cli.md
-index 3f3e5e4eeb..48e51fcdfa 100644
+index ff5dff244e..61bac086bf 100644
 --- a/doc/api/cli.md
 +++ b/doc/api/cli.md
-@@ -893,14 +893,6 @@ added:
+@@ -902,14 +902,6 @@ added:
  Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
  TLSv1.3.
  
@@ -67,7 +135,7 @@ index 3f3e5e4eeb..48e51fcdfa 100644
  ### `--tls-min-v1.0`
  <!-- YAML
  added:
-@@ -932,14 +924,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
+@@ -941,14 +933,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
  12.x and later, but the option is supported for compatibility with older Node.js
  versions.
  
@@ -82,7 +150,7 @@ index 3f3e5e4eeb..48e51fcdfa 100644
  ### `--trace-atomics-wait`
  <!-- YAML
  added: v14.3.0
-@@ -1381,11 +1365,9 @@ Node.js options that are allowed are:
+@@ -1391,11 +1375,9 @@ Node.js options that are allowed are:
  * `--tls-cipher-list`
  * `--tls-keylog`
  * `--tls-max-v1.2`
@@ -95,10 +163,10 @@ index 3f3e5e4eeb..48e51fcdfa 100644
  * `--trace-deprecation`
  * `--trace-event-categories`
 diff --git a/doc/api/tls.md b/doc/api/tls.md
-index b40273a83a..cff62d0fd6 100644
+index 271dd095fb..0e8125fffd 100644
 --- a/doc/api/tls.md
 +++ b/doc/api/tls.md
-@@ -1977,10 +1977,10 @@ added: v11.4.0
+@@ -1988,10 +1988,10 @@ added: v11.4.0
  
  * {string} The default value of the `maxVersion` option of
    [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
@@ -113,7 +181,7 @@ index b40273a83a..cff62d0fd6 100644
    highest maximum is used.
  
  ## `tls.DEFAULT_MIN_VERSION`
-@@ -1990,12 +1990,11 @@ added: v11.4.0
+@@ -2001,12 +2001,11 @@ added: v11.4.0
  
  * {string} The default value of the `minVersion` option of
    [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
@@ -127,10 +195,10 @@ index b40273a83a..cff62d0fd6 100644
 +  the default to `'TLSv1.1'`. If multiple of the options are provided,
 +  the lowest minimum is used.
  
+ [CVE-2021-44531]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
  [Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
- [DHE]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
 diff --git a/src/env.h b/src/env.h
-index b6967afb89..1f8c3b3eff 100644
+index 824202ef52..90b04e2b1f 100644
 --- a/src/env.h
 +++ b/src/env.h
 @@ -50,6 +50,8 @@
@@ -165,11 +233,86 @@ index b6967afb89..1f8c3b3eff 100644
    V(start_time_string, "startTime")                                            \
    V(status_string, "status")                                                   \
    V(stdio_string, "stdio")                                                     \
+diff --git a/src/node.cc b/src/node.cc
+index d3b884aa66..683e36c1a5 100644
+--- a/src/node.cc
++++ b/src/node.cc
+@@ -44,7 +44,6 @@
+ #if HAVE_OPENSSL
+ #include "allocated_buffer-inl.h"  // Inlined functions needed by node_crypto.h
+ #include "node_crypto.h"
+-#include <openssl/conf.h>
+ #endif
+ 
+ #if defined(NODE_HAVE_I18N_SUPPORT)
+@@ -155,9 +154,6 @@ uint64_t node_start_time;
+ struct V8Platform v8_platform;
+ }  // namespace per_process
+ 
+-// The section in the OpenSSL configuration file to be loaded.
+-const char* conf_section_name = STRINGIFY(NODE_OPENSSL_CONF_NAME);
+-
+ #ifdef __POSIX__
+ void SignalExit(int signo, siginfo_t* info, void* ucontext) {
+   ResetStdio();
+@@ -979,7 +975,6 @@ void Init(int* argc,
+     argv[i] = strdup(argv_[i].c_str());
+ }
+ 
+-
+ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
+   // Initialized the enabled list for Debug() calls with system
+   // environment variables.
+@@ -1045,44 +1040,6 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
+     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+       crypto::UseExtraCaCerts(extra_ca_certs);
+   }
+-
+-  // Passing NULL as the config file will allow the default openssl.cnf file
+-  // to be loaded, but the default section in that file will not be used,
+-  // instead only the section that matches the value of conf_section_name
+-  // will be read from the default configuration file.
+-  const char* conf_file = nullptr;
+-  // Use OPENSSL_CONF environment variable is set.
+-  std::string env_openssl_conf;
+-  credentials::SafeGetenv("OPENSSL_CONF", &env_openssl_conf);
+-  if (!env_openssl_conf.empty()) {
+-    conf_file = env_openssl_conf.c_str();
+-  }
+-  // Use --openssl-conf command line option if specified.
+-  if (!per_process::cli_options->openssl_config.empty()) {
+-    conf_file = per_process::cli_options->openssl_config.c_str();
+-  }
+-
+-  OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
+-  OPENSSL_INIT_set_config_filename(settings, conf_file);
+-  OPENSSL_INIT_set_config_appname(settings, conf_section_name);
+-  OPENSSL_INIT_set_config_file_flags(settings,
+-                                     CONF_MFLAGS_IGNORE_MISSING_FILE);
+-
+-  OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, settings);
+-  OPENSSL_INIT_free(settings);
+-
+-  if (ERR_peek_error() != 0) {
+-    int ossl_error_code = ERR_GET_REASON(ERR_peek_error());
+-    if (ossl_error_code != EVP_R_FIPS_MODE_NOT_SUPPORTED) {
+-      result.exit_code = ossl_error_code;
+-      result.early_return = true;
+-      fprintf(stderr, "%s", "OpenSSL configuration error:\n");
+-      ERR_print_errors_fp(stderr);
+-      return result;
+-    }
+-  }
+-
+-
+   // In the case of FIPS builds we should make sure
+   // the random source is properly initialized first.
+   if (FIPS_mode()) {
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 81ac3b5dd4..b0affa1fe9 100644
+index 975a148fc8..8bb34ab620 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
-@@ -7119,11 +7119,15 @@ namespace {
+@@ -7124,11 +7124,15 @@ namespace {
  // make use of secure heap, this has the same semantics as
  // using OPENSSL_malloc. However, if the secure heap is
  // initialized, SecureBuffer will automatically use it.
@@ -186,7 +329,7 @@ index 81ac3b5dd4..b0affa1fe9 100644
    if (data == nullptr) {
      // There's no memory available for the allocation.
      // Return nothing.
-@@ -7135,7 +7139,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
+@@ -7140,7 +7144,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
            data,
            len,
            [](void* data, size_t len, void* deleter_data) {
@@ -196,10 +339,10 @@ index 81ac3b5dd4..b0affa1fe9 100644
            data);
    Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);
 diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
-index da1033fdef..89f01990f0 100644
+index 7d313dd3df..a7bde45094 100644
 --- a/src/node_crypto_common.cc
 +++ b/src/node_crypto_common.cc
-@@ -211,6 +211,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
+@@ -143,6 +143,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
    if (X509* peer_cert = SSL_get_peer_certificate(ssl.get())) {
      X509_free(peer_cert);
      err = SSL_get_verify_result(ssl.get());
@@ -207,7 +350,7 @@ index da1033fdef..89f01990f0 100644
    } else {
      const SSL_CIPHER* curr_cipher = SSL_get_current_cipher(ssl.get());
      const SSL_SESSION* sess = SSL_get_session(ssl.get());
-@@ -222,6 +223,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
+@@ -154,6 +155,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
           SSL_session_reused(ssl.get()))) {
        return X509_V_OK;
      }
@@ -215,7 +358,7 @@ index da1033fdef..89f01990f0 100644
    }
    return err;
  }
-@@ -239,6 +241,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context) {
+@@ -171,6 +173,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context) {
    return err;
  }
  
@@ -223,7 +366,7 @@ index da1033fdef..89f01990f0 100644
  const char* GetClientHelloALPN(const SSLPointer& ssl) {
    const unsigned char* buf;
    size_t len;
-@@ -285,6 +288,7 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) {
+@@ -217,6 +220,7 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) {
      return nullptr;
    return reinterpret_cast<const char*>(buf + 5);
  }
@@ -231,7 +374,7 @@ index da1033fdef..89f01990f0 100644
  
  const char* GetServerName(SSL* ssl) {
    return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-@@ -398,11 +402,13 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
+@@ -330,11 +334,13 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
    return GetCipherValue(env, cipher, SSL_CIPHER_get_name);
  }
  
@@ -245,7 +388,7 @@ index da1033fdef..89f01990f0 100644
  
  MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
  #if OPENSSL_IS_LEGACY
-@@ -762,16 +768,19 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSLPointer& ssl) {
+@@ -1088,16 +1094,19 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSLPointer& ssl) {
    return GetCipherName(env, SSL_get_current_cipher(ssl.get()));
  }
  
@@ -265,7 +408,7 @@ index da1033fdef..89f01990f0 100644
  MaybeLocal<Array> GetClientHelloCiphers(
      Environment* env,
      const SSLPointer& ssl) {
-@@ -804,6 +813,7 @@ MaybeLocal<Array> GetClientHelloCiphers(
+@@ -1130,6 +1139,7 @@ MaybeLocal<Array> GetClientHelloCiphers(
    Local<Array> ret = Array::New(env->isolate(), ciphers.out(), count);
    return scope.Escape(ret);
  }
@@ -273,7 +416,7 @@ index da1033fdef..89f01990f0 100644
  
  
  MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
-@@ -814,10 +824,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
+@@ -1140,10 +1150,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
                    info,
                    env->name_string(),
                    GetCipherName(env, ssl)) ||
@@ -287,10 +430,10 @@ index da1033fdef..89f01990f0 100644
                    info,
                    env->version_string(),
 diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h
-index c373a97e47..220cb109bc 100644
+index bf58df18f6..8e1ac58cd7 100644
 --- a/src/node_crypto_common.h
 +++ b/src/node_crypto_common.h
-@@ -73,15 +73,19 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
+@@ -67,15 +67,19 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
  
  int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context);
  
@@ -310,7 +453,7 @@ index c373a97e47..220cb109bc 100644
  
  bool SetGroups(SecureContext* sc, const char* groups);
  
-@@ -97,9 +101,11 @@ v8::MaybeLocal<v8::Value> GetCipherName(
+@@ -91,9 +95,11 @@ v8::MaybeLocal<v8::Value> GetCipherName(
      Environment* env,
      const SSLPointer& ssl);
  
@@ -323,7 +466,7 @@ index c373a97e47..220cb109bc 100644
  v8::MaybeLocal<v8::Value> GetCipherVersion(
      Environment* env,
 diff --git a/src/node_options.cc b/src/node_options.cc
-index cee6fc1773..fbe408e12b 100644
+index 06847ce332..66b9e4e917 100644
 --- a/src/node_options.cc
 +++ b/src/node_options.cc
 @@ -9,6 +9,8 @@
@@ -348,7 +491,7 @@ index cee6fc1773..fbe408e12b 100644
  
    if (heap_snapshot_near_heap_limit < 0) {
      errors->push_back("--heap-snapshot-near-heap-limit must not be negative");
-@@ -558,14 +562,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+@@ -563,14 +567,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
              &EnvironmentOptions::tls_min_v1_2,
              kAllowedInEnvironment);
@@ -367,7 +510,7 @@ index cee6fc1773..fbe408e12b 100644
    // Current plan is:
    // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
    // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
-@@ -574,6 +581,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+@@ -579,6 +586,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
              &EnvironmentOptions::tls_max_v1_3,
              kAllowedInEnvironment);
@@ -375,6 +518,30 @@ index cee6fc1773..fbe408e12b 100644
  }
  
  PerIsolateOptionsParser::PerIsolateOptionsParser(
+diff --git a/test/fixtures/openssl_fips_disabled.cnf b/test/fixtures/openssl_fips_disabled.cnf
+index 253c6906e3..8668370fac 100644
+--- a/test/fixtures/openssl_fips_disabled.cnf
++++ b/test/fixtures/openssl_fips_disabled.cnf
+@@ -1,6 +1,6 @@
+ # Skeleton openssl.cnf for testing with FIPS
+ 
+-nodejs_conf = openssl_conf_section
++openssl_conf = openssl_conf_section
+ authorityKeyIdentifier=keyid:always,issuer:always
+ 
+ [openssl_conf_section]
+diff --git a/test/fixtures/openssl_fips_enabled.cnf b/test/fixtures/openssl_fips_enabled.cnf
+index 79733c657a..9c1a90f508 100644
+--- a/test/fixtures/openssl_fips_enabled.cnf
++++ b/test/fixtures/openssl_fips_enabled.cnf
+@@ -1,6 +1,6 @@
+ # Skeleton openssl.cnf for testing with FIPS
+ 
+-nodejs_conf = openssl_conf_section
++openssl_conf = openssl_conf_section
+ authorityKeyIdentifier=keyid:always,issuer:always
+ 
+ [openssl_conf_section]
 diff --git a/test/parallel/test-tls-cli-max-version-1.3.js b/test/known_issues/test-tls-cli-max-version-1.3.js
 similarity index 100%
 rename from test/parallel/test-tls-cli-max-version-1.3.js
@@ -387,6 +554,19 @@ diff --git a/test/parallel/test-tls-cli-min-version-1.3.js b/test/known_issues/t
 similarity index 100%
 rename from test/parallel/test-tls-cli-min-version-1.3.js
 rename to test/known_issues/test-tls-cli-min-version-1.3.js
+diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
+index bf8b3c157d..a1ed645184 100644
+--- a/test/parallel/test-crypto-fips.js
++++ b/test/parallel/test-crypto-fips.js
+@@ -64,7 +64,7 @@ testHelper(
+   [],
+   FIPS_DISABLED,
+   'require("crypto").getFips()',
+-  { ...process.env, 'OPENSSL_CONF': ' ' });
++  { ...process.env, 'OPENSSL_CONF': '' });
+ 
+ // --enable-fips should turn FIPS mode on
+ testHelper(
 -- 
-2.33.1
+2.36.1
 
diff --git a/SOURCES/0005-Adjust-tests-expectations.patch b/SOURCES/0005-Adjust-tests-expectations.patch
index 9088bc5..c81bfe1 100644
--- a/SOURCES/0005-Adjust-tests-expectations.patch
+++ b/SOURCES/0005-Adjust-tests-expectations.patch
@@ -1,7 +1,7 @@
-From 777b49d1623b2de845b14331a2ffa51b28783dff Mon Sep 17 00:00:00 2001
+From f4ed4ca63d56084415fbb2b12ad50add7e68b19c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Wed, 7 Jul 2021 13:37:49 +0200
-Subject: [PATCH 5/7] Adjust tests expectations
+Date: Wed, 13 Jul 2022 14:31:50 +0200
+Subject: [PATCH] Adjust tests expectations
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -252,5 +252,5 @@ index dbec153cf9..e72abbcc56 100644
  {
    const regexp = /regexp/;
 -- 
-2.33.1
+2.36.1
 
diff --git a/SOURCES/0006-Disable-tests-for-unsupported-features.patch b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
index 71bac72..daa7dc5 100644
--- a/SOURCES/0006-Disable-tests-for-unsupported-features.patch
+++ b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
@@ -1,7 +1,7 @@
-From de4db36e7e1c0b1c84cbfbea2d6fc068c9c573f6 Mon Sep 17 00:00:00 2001
+From d352840d803a51f93b06212a9516d3497729479a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Wed, 7 Jul 2021 13:37:50 +0200
-Subject: [PATCH 6/7] Disable tests for unsupported features
+Date: Wed, 13 Jul 2022 14:32:51 +0200
+Subject: [PATCH] Disable tests for unsupported features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -34,7 +34,7 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  test/parallel/test-crypto-hash.js             |  63 --------
  test/parallel/test-crypto-key-objects.js      | 151 ------------------
  test/parallel/test-crypto-keygen.js           |  49 ------
- test/parallel/test-crypto-sign-verify.js      | 108 -------------
+ test/parallel/test-crypto-sign-verify.js      |   8 -
  test/parallel/test-tls-cli-min-version-1.0.js |   2 +-
  test/parallel/test-tls-cli-min-version-1.1.js |   2 +-
  test/parallel/test-tls-cli-min-version-1.2.js |   2 +-
@@ -42,7 +42,7 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  test/parallel/test-tls-getcipher.js           |  22 ---
  test/parallel/test-tls-min-max-version.js     |  19 +--
  test/parallel/test-tls-psk-circuit.js         |   4 +-
- 26 files changed, 33 insertions(+), 439 deletions(-)
+ 26 files changed, 33 insertions(+), 339 deletions(-)
  rename test/{parallel => known_issues}/test-crypto-certificate.js (100%)
  rename test/{parallel => known_issues}/test-crypto-des3-wrap.js (100%)
  rename test/{parallel => known_issues}/test-crypto-hash-stream-pipe.js (100%)
@@ -56,10 +56,10 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  rename test/{parallel => known_issues}/test-tls-keylog-tlsv13.js (100%)
 
 diff --git a/lib/tls.js b/lib/tls.js
-index a46031ad7d..50772f3d16 100644
+index 7854f20fca..5e338261c5 100644
 --- a/lib/tls.js
 +++ b/lib/tls.js
-@@ -70,17 +70,13 @@ else if (getOptionValue('--tls-min-v1.1'))
+@@ -77,17 +77,13 @@ else if (getOptionValue('--tls-min-v1.1'))
    exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
  else if (getOptionValue('--tls-min-v1.2'))
    exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
@@ -546,7 +546,7 @@ index dd106004fa..7b26f0fc5c 100644
  // Test classic Diffie-Hellman key generation.
  {
 diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js
-index 02bb169a4d..72029e68f2 100644
+index 02bb169a4d..e1a27ce0ac 100644
 --- a/test/parallel/test-crypto-sign-verify.js
 +++ b/test/parallel/test-crypto-sign-verify.js
 @@ -425,14 +425,6 @@ assert.throws(
@@ -564,113 +564,6 @@ index 02bb169a4d..72029e68f2 100644
    { private: fixtures.readKey('rsa_private_2048.pem', 'ascii'),
      public: fixtures.readKey('rsa_public_2048.pem', 'ascii'),
      algo: 'sha1',
-@@ -514,106 +506,6 @@ assert.throws(
-   assert.throws(() => crypto.verify(null, data, 'test', input), errObj);
- });
- 
--{
--  const data = Buffer.from('Hello world');
--  const keys = [['ec-key.pem', 64], ['dsa_private_1025.pem', 40]];
--
--  for (const [file, length] of keys) {
--    const privKey = fixtures.readKey(file);
--    [
--      crypto.createSign('sha1').update(data).sign(privKey),
--      crypto.sign('sha1', data, privKey),
--      crypto.sign('sha1', data, { key: privKey, dsaEncoding: 'der' }),
--    ].forEach((sig) => {
--      // Signature length variability due to DER encoding
--      assert(sig.length >= length + 4 && sig.length <= length + 8);
--
--      assert.strictEqual(
--        crypto.createVerify('sha1').update(data).verify(privKey, sig),
--        true
--      );
--      assert.strictEqual(crypto.verify('sha1', data, privKey, sig), true);
--    });
--
--    // Test (EC)DSA signature conversion.
--    const opts = { key: privKey, dsaEncoding: 'ieee-p1363' };
--    let sig = crypto.sign('sha1', data, opts);
--    // Unlike DER signatures, IEEE P1363 signatures have a predictable length.
--    assert.strictEqual(sig.length, length);
--    assert.strictEqual(crypto.verify('sha1', data, opts, sig), true);
--    assert.strictEqual(crypto.createVerify('sha1')
--                             .update(data)
--                             .verify(opts, sig), true);
--
--    // Test invalid signature lengths.
--    for (const i of [-2, -1, 1, 2, 4, 8]) {
--      sig = crypto.randomBytes(length + i);
--      assert.throws(() => {
--        crypto.verify('sha1', data, opts, sig);
--      }, {
--        message: 'Malformed signature'
--      });
--    }
--  }
--
--  // Test verifying externally signed messages.
--  const extSig = Buffer.from('494c18ab5c8a62a72aea5041966902bcfa229821af2bf65' +
--                             '0b5b4870d1fe6aebeaed9460c62210693b5b0a300033823' +
--                             '33d9529c8abd8c5948940af944828be16c', 'hex');
--  for (const ok of [true, false]) {
--    assert.strictEqual(
--      crypto.verify('sha256', data, {
--        key: fixtures.readKey('ec-key.pem'),
--        dsaEncoding: 'ieee-p1363'
--      }, extSig),
--      ok
--    );
--
--    assert.strictEqual(
--      crypto.createVerify('sha256').update(data).verify({
--        key: fixtures.readKey('ec-key.pem'),
--        dsaEncoding: 'ieee-p1363'
--      }, extSig),
--      ok
--    );
--
--    extSig[Math.floor(Math.random() * extSig.length)] ^= 1;
--  }
--
--  // Non-(EC)DSA keys should ignore the option.
--  const sig = crypto.sign('sha1', data, {
--    key: keyPem,
--    dsaEncoding: 'ieee-p1363'
--  });
--  assert.strictEqual(crypto.verify('sha1', data, certPem, sig), true);
--  assert.strictEqual(
--    crypto.verify('sha1', data, {
--      key: certPem,
--      dsaEncoding: 'ieee-p1363'
--    }, sig),
--    true
--  );
--  assert.strictEqual(
--    crypto.verify('sha1', data, {
--      key: certPem,
--      dsaEncoding: 'der'
--    }, sig),
--    true
--  );
--
--  for (const dsaEncoding of ['foo', null, {}, 5, true, NaN]) {
--    assert.throws(() => {
--      crypto.sign('sha1', data, {
--        key: certPem,
--        dsaEncoding
--      });
--    }, {
--      code: 'ERR_INVALID_OPT_VALUE'
--    });
--  }
--}
--
--
- // RSA-PSS Sign test by verifying with 'openssl dgst -verify'
- // Note: this particular test *must* be the last in this file as it will exit
- // early if no openssl binary is found
 diff --git a/test/parallel/test-tls-cli-min-version-1.0.js b/test/parallel/test-tls-cli-min-version-1.0.js
 index 577562782e..0a227c0b94 100644
 --- a/test/parallel/test-tls-cli-min-version-1.0.js
@@ -807,5 +700,5 @@ index 4bcdf36860..0642e18d5e 100644
  test({ psk: USERS.UserB, identity: 'UserC' }, {}, DISCONNECT_MESSAGE);
  // Recognized user but incorrect secret should fail handshake
 -- 
-2.33.1
+2.36.1
 
diff --git a/SOURCES/0007-Disable-tests-for-known-issues.patch b/SOURCES/0007-Disable-tests-for-known-issues.patch
index 69d9f77..9911c08 100644
--- a/SOURCES/0007-Disable-tests-for-known-issues.patch
+++ b/SOURCES/0007-Disable-tests-for-known-issues.patch
@@ -1,7 +1,7 @@
-From 73a1675fce4fe76a76f3da62968cf9addc1ebb68 Mon Sep 17 00:00:00 2001
+From edf1570b8f3b14f2c8fc8df64cbcec50e8591fb5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Wed, 7 Jul 2021 13:37:50 +0200
-Subject: [PATCH 7/7] Disable tests for known issues
+Date: Wed, 13 Jul 2022 14:33:13 +0200
+Subject: [PATCH] Disable tests for known issues
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -216,5 +216,5 @@ index 8fb15d3ba5..2fc22ca477 100644
    expect(opt, want, command, wantsError, false);
  }
 -- 
-2.33.1
+2.36.1
 
diff --git a/SOURCES/always-available-fips-options.patch b/SOURCES/always-available-fips-options.patch
deleted file mode 100644
index 26d4853..0000000
--- a/SOURCES/always-available-fips-options.patch
+++ /dev/null
@@ -1,624 +0,0 @@
-From 7c7f5159fcc71d915dfcc5f97ab18d5f8912f1b5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
-Date: Tue, 25 Aug 2020 14:04:54 +0200
-Subject: [PATCH] crypto: make FIPS related options always awailable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There is no reason to hide FIPS functionality behind build flags.
-OpenSSL always provide the information about FIPS availability via
-`FIPS_mode()` function.
-
-This makes the user experience more consistent, because the OpenSSL
-library is always queried and the `crypto.getFips()` always returns
-OpenSSL settings.
-
-Fixes #34903
-
-PR-URL: https://github.com/nodejs/node/pull/36341
-Reviewed-By: Anna Henningsen <anna@addaleax.net>
-Reviewed-By: Michael Dawson <midawson@redhat.com>
-Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
-Signed-off-by: Jan Staněk <jstanek@redhat.com>
-Signed-off-by: rpm-build <rpm-build>
----
- doc/api/cli.md                                |  8 +--
- lib/crypto.js                                 | 22 ++----
- node.gypi                                     |  3 -
- src/node.cc                                   |  6 +-
- src/node_config.cc                            |  2 -
- src/node_crypto.cc                            | 45 +++++++-----
- src/node_options.cc                           |  2 -
- src/node_options.h                            |  2 -
- test/parallel/test-cli-node-print-help.js     |  7 +-
- test/parallel/test-crypto-fips.js             | 71 +++++++++----------
- ...rocess-env-allowed-flags-are-documented.js | 11 +--
- 11 files changed, 74 insertions(+), 105 deletions(-)
-
-diff --git a/doc/api/cli.md b/doc/api/cli.md
-index a8ef339..c41bd49 100644
---- a/doc/api/cli.md
-+++ b/doc/api/cli.md
-@@ -182,8 +182,8 @@ code from strings throw an exception instead. This does not affect the Node.js
- added: v6.0.0
- -->
- 
--Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with
--`./configure --openssl-fips`.)
-+Enable FIPS-compliant crypto at startup. (Requires Node.js to be built
-+against FIPS-compatible OpenSSL.)
- 
- ### `--enable-source-maps`
- <!-- YAML
-@@ -543,8 +543,8 @@ added: v6.9.0
- -->
- 
- Load an OpenSSL configuration file on startup. Among other uses, this can be
--used to enable FIPS-compliant crypto if Node.js is built with
--`./configure --openssl-fips`.
-+used to enable FIPS-compliant crypto if Node.js is built
-+against FIPS-enabled OpenSSL.
- 
- ### `--pending-deprecation`
- <!-- YAML
-diff --git a/lib/crypto.js b/lib/crypto.js
-index a41b02d..5c15ab3 100644
---- a/lib/crypto.js
-+++ b/lib/crypto.js
-@@ -37,12 +37,10 @@ assertCrypto();
- 
- const {
-   ERR_CRYPTO_FIPS_FORCED,
--  ERR_CRYPTO_FIPS_UNAVAILABLE
- } = require('internal/errors').codes;
- const constants = internalBinding('constants').crypto;
- const { getOptionValue } = require('internal/options');
- const pendingDeprecation = getOptionValue('--pending-deprecation');
--const { fipsMode } = internalBinding('config');
- const fipsForced = getOptionValue('--force-fips');
- const {
-   getFipsCrypto,
-@@ -193,10 +191,8 @@ module.exports = {
-   sign: signOneShot,
-   setEngine,
-   timingSafeEqual,
--  getFips: !fipsMode ? getFipsDisabled :
--    fipsForced ? getFipsForced : getFipsCrypto,
--  setFips: !fipsMode ? setFipsDisabled :
--    fipsForced ? setFipsForced : setFipsCrypto,
-+  getFips: fipsForced ? getFipsForced : getFipsCrypto,
-+  setFips: fipsForced ? setFipsForced : setFipsCrypto,
-   verify: verifyOneShot,
- 
-   // Classes
-@@ -215,19 +211,11 @@ module.exports = {
-   Verify
- };
- 
--function setFipsDisabled() {
--  throw new ERR_CRYPTO_FIPS_UNAVAILABLE();
--}
--
- function setFipsForced(val) {
-   if (val) return;
-   throw new ERR_CRYPTO_FIPS_FORCED();
- }
- 
--function getFipsDisabled() {
--  return 0;
--}
--
- function getFipsForced() {
-   return 1;
- }
-@@ -249,10 +237,8 @@ ObjectDefineProperties(module.exports, {
-   },
-   // crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()
-   fips: {
--    get: !fipsMode ? getFipsDisabled :
--      fipsForced ? getFipsForced : getFipsCrypto,
--    set: !fipsMode ? setFipsDisabled :
--      fipsForced ? setFipsForced : setFipsCrypto
-+    get: fipsForced ? getFipsForced : getFipsCrypto,
-+    set: fipsForced ? setFipsForced : setFipsCrypto
-   },
-   DEFAULT_ENCODING: {
-     enumerable: false,
-diff --git a/node.gypi b/node.gypi
-index 070f212..45f6a9f 100644
---- a/node.gypi
-+++ b/node.gypi
-@@ -319,9 +319,6 @@
-     [ 'node_use_openssl=="true"', {
-       'defines': [ 'HAVE_OPENSSL=1' ],
-       'conditions': [
--        ['openssl_fips != "" or openssl_is_fips=="true"', {
--          'defines': [ 'NODE_FIPS_MODE' ],
--        }],
-         [ 'node_shared_openssl=="false"', {
-           'dependencies': [
-             './deps/openssl/openssl.gyp:openssl',
-diff --git a/src/node.cc b/src/node.cc
-index 905afd8..c04d199 100644
---- a/src/node.cc
-+++ b/src/node.cc
-@@ -1035,11 +1035,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
-     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
-       crypto::UseExtraCaCerts(extra_ca_certs);
-   }
--#ifdef NODE_FIPS_MODE
-   // In the case of FIPS builds we should make sure
-   // the random source is properly initialized first.
--  OPENSSL_init();
--#endif  // NODE_FIPS_MODE
-+  if (FIPS_mode()) {
-+    OPENSSL_init();
-+  }
-   // V8 on Windows doesn't have a good source of entropy. Seed it from
-   // OpenSSL's pool.
-   V8::SetEntropySource(crypto::EntropySource);
-diff --git a/src/node_config.cc b/src/node_config.cc
-index 6ee3164..e229eee 100644
---- a/src/node_config.cc
-+++ b/src/node_config.cc
-@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,
-   READONLY_FALSE_PROPERTY(target, "hasOpenSSL");
- #endif  // HAVE_OPENSSL
- 
--#ifdef NODE_FIPS_MODE
-   READONLY_TRUE_PROPERTY(target, "fipsMode");
--#endif
- 
- #ifdef NODE_HAVE_I18N_SUPPORT
- 
-diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 31e8276..721c9d1 100644
---- a/src/node_crypto.cc
-+++ b/src/node_crypto.cc
-@@ -51,6 +51,11 @@
- #include <openssl/hmac.h>
- #include <openssl/rand.h>
- #include <openssl/pkcs12.h>
-+// The FIPS-related functions are only available
-+// when the OpenSSL itself was compiled with FIPS support.
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif // OPENSSL_FIPS
- 
- #include <cerrno>
- #include <climits>  // INT_MAX
-@@ -101,6 +106,7 @@ using v8::String;
- using v8::Uint32;
- using v8::Uint8Array;
- using v8::Undefined;
-+using v8::TryCatch;
- using v8::Value;
- 
- #ifdef OPENSSL_NO_OCB
-@@ -3706,12 +3712,10 @@ void CipherBase::Init(const char* cipher_type,
-   HandleScope scope(env()->isolate());
-   MarkPopErrorOnReturn mark_pop_error_on_return;
- 
--#ifdef NODE_FIPS_MODE
-   if (FIPS_mode()) {
-     return env()->ThrowError(
-         "crypto.createCipher() is not supported in FIPS mode.");
-   }
--#endif  // NODE_FIPS_MODE
- 
-   const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);
-   if (cipher == nullptr)
-@@ -3897,13 +3901,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
-       return false;
-     }
- 
--#ifdef NODE_FIPS_MODE
-     // TODO(tniessen) Support CCM decryption in FIPS mode
-     if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
-       env()->ThrowError("CCM decryption not supported in FIPS mode");
-       return false;
-     }
--#endif
- 
-     // Tell OpenSSL about the desired length.
-     if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,
-@@ -4778,7 +4780,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
- }
- 
- static inline bool ValidateDSAParameters(EVP_PKEY* key) {
--#ifdef NODE_FIPS_MODE
-   /* Validate DSA2 parameters from FIPS 186-4 */
-   if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
-     DSA* dsa = EVP_PKEY_get0_DSA(key);
-@@ -4794,7 +4795,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
-            (L == 2048 && N == 256) ||
-            (L == 3072 && N == 256);
-   }
--#endif  // NODE_FIPS_MODE
- 
-   return true;
- }
-@@ -7032,7 +7032,6 @@ void InitCryptoOnce() {
-   settings = nullptr;
- #endif
- 
--#ifdef NODE_FIPS_MODE
-   /* Override FIPS settings in cnf file, if needed. */
-   unsigned long err = 0;  // NOLINT(runtime/int)
-   if (per_process::cli_options->enable_fips_crypto ||
-@@ -7042,12 +7041,10 @@ void InitCryptoOnce() {
-     }
-   }
-   if (0 != err) {
--    fprintf(stderr,
--            "openssl fips failed: %s\n",
--            ERR_error_string(err, nullptr));
--    UNREACHABLE();
-+      auto* isolate = Isolate::GetCurrent();
-+      auto* env = Environment::GetCurrent(isolate);
-+      return ThrowCryptoError(env, err);
-   }
--#endif  // NODE_FIPS_MODE
- 
- 
-   // Turn off compression. Saves memory and protects against CRIME attacks.
-@@ -7093,7 +7090,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
- }
- #endif  // !OPENSSL_NO_ENGINE
- 
--#ifdef NODE_FIPS_MODE
- void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
-   args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);
- }
-@@ -7111,7 +7107,16 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
-     return ThrowCryptoError(env, err);
-   }
- }
--#endif /* NODE_FIPS_MODE */
-+
-+void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
-+#ifdef OPENSSL_FIPS
-+  const auto enabled = FIPS_selftest() ? 1 : 0;
-+#else  // OPENSSL_FIPS
-+  const auto enabled = 0;
-+#endif  // OPENSSL_FIPS
-+
-+  args.GetReturnValue().Set(enabled);
-+}
- 
- namespace {
- // SecureBuffer uses openssl to allocate a Uint8Array using
-@@ -7147,10 +7152,17 @@ void Initialize(Local<Object> target,
-                 Local<Value> unused,
-                 Local<Context> context,
-                 void* priv) {
-+  Environment* env = Environment::GetCurrent(context);
-+
-   static uv_once_t init_once = UV_ONCE_INIT;
-+  TryCatch try_catch{env->isolate()};
-   uv_once(&init_once, InitCryptoOnce);
- 
--  Environment* env = Environment::GetCurrent(context);
-+  if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
-+    try_catch.ReThrow();
-+    return;
-+  }
-+
-   SecureContext::Initialize(env, target);
-   target->Set(env->context(),
-             FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),
-@@ -7179,10 +7191,9 @@ void Initialize(Local<Object> target,
-   env->SetMethod(target, "setEngine", SetEngine);
- #endif  // !OPENSSL_NO_ENGINE
- 
--#ifdef NODE_FIPS_MODE
-   env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);
-   env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);
--#endif
-+  env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);
- 
-   env->SetMethod(target, "pbkdf2", PBKDF2);
-   env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
-diff --git a/src/node_options.cc b/src/node_options.cc
-index 0102329..1ad44f4 100644
---- a/src/node_options.cc
-+++ b/src/node_options.cc
-@@ -753,7 +753,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
-             &PerProcessOptions::ssl_openssl_cert_store);
-   Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");
-   ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");
--#if NODE_FIPS_MODE
-   AddOption("--enable-fips",
-             "enable FIPS crypto at startup",
-             &PerProcessOptions::enable_fips_crypto,
-@@ -762,7 +761,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
-             "force FIPS crypto (cannot be disabled)",
-             &PerProcessOptions::force_fips_crypto,
-             kAllowedInEnvironment);
--#endif
- #endif
-   AddOption("--use-largepages",
-             "Map the Node.js static code to large pages. Options are "
-diff --git a/src/node_options.h b/src/node_options.h
-index 58a21e0..f22b254 100644
---- a/src/node_options.h
-+++ b/src/node_options.h
-@@ -243,10 +243,8 @@ class PerProcessOptions : public Options {
- #endif
-   bool use_openssl_ca = false;
-   bool use_bundled_ca = false;
--#if NODE_FIPS_MODE
-   bool enable_fips_crypto = false;
-   bool force_fips_crypto = false;
--#endif
- #endif
- 
-   // Per-process because reports can be triggered outside a known V8 context.
-diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js
-index ab8cd10..7e7c77f 100644
---- a/test/parallel/test-cli-node-print-help.js
-+++ b/test/parallel/test-cli-node-print-help.js
-@@ -8,8 +8,6 @@ const common = require('../common');
- 
- const assert = require('assert');
- const { exec } = require('child_process');
--const { internalBinding } = require('internal/test/binding');
--const { fipsMode } = internalBinding('config');
- let stdOut;
- 
- 
-@@ -28,9 +26,8 @@ function validateNodePrintHelp() {
-   const cliHelpOptions = [
-     { compileConstant: HAVE_OPENSSL,
-       flags: [ '--openssl-config=...', '--tls-cipher-list=...',
--               '--use-bundled-ca', '--use-openssl-ca' ] },
--    { compileConstant: fipsMode,
--      flags: [ '--enable-fips', '--force-fips' ] },
-+               '--use-bundled-ca', '--use-openssl-ca',
-+               '--enable-fips', '--force-fips' ] },
-     { compileConstant: NODE_HAVE_I18N_SUPPORT,
-       flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },
-     { compileConstant: HAVE_INSPECTOR,
-diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
-index eae3134..a1ed645 100644
---- a/test/parallel/test-crypto-fips.js
-+++ b/test/parallel/test-crypto-fips.js
-@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;
- const path = require('path');
- const fixtures = require('../common/fixtures');
- const { internalBinding } = require('internal/test/binding');
--const { fipsMode } = internalBinding('config');
-+const { testFipsCrypto } = internalBinding('crypto');
- 
- const FIPS_ENABLED = 1;
- const FIPS_DISABLED = 0;
--const FIPS_ERROR_STRING =
--  'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +
--  'non-FIPS build.';
- const FIPS_ERROR_STRING2 =
-   'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
-   '--force-fips at startup.';
--const OPTION_ERROR_STRING = 'bad option';
-+const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
- 
- const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
- const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
- 
- let num_children_ok = 0;
- 
--function compiledWithFips() {
--  return fipsMode ? true : false;
--}
--
- function sharedOpenSSL() {
-   return process.config.variables.node_shared_openssl;
- }
-@@ -75,17 +68,17 @@ testHelper(
- 
- // --enable-fips should turn FIPS mode on
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--enable-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   process.env);
- 
- // --force-fips should turn FIPS mode on
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--force-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   process.env);
- 
-@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {
-   testHelper(
-     'stdout',
-     [`--openssl-config=${CNF_FIPS_ON}`],
--    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
-+    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
-     'require("crypto").getFips()',
-     process.env);
- 
-@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {
-   testHelper(
-     'stdout',
-     [],
--    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
-+    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
-     'require("crypto").getFips()',
-     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));
- 
-@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {
-   testHelper(
-     'stdout',
-     [`--openssl-config=${CNF_FIPS_ON}`],
--    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
-+    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
-     'require("crypto").getFips()',
-     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
- }
-@@ -136,50 +129,50 @@ testHelper(
- 
- // --enable-fips should take precedence over OpenSSL config file
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   process.env);
- 
- // OPENSSL_CONF should _not_ make a difference to --enable-fips
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--enable-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
- 
- // --force-fips should take precedence over OpenSSL config file
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   process.env);
- 
- // Using OPENSSL_CONF should not make a difference to --force-fips
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--force-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
- 
- // setFipsCrypto should be able to turn FIPS mode on
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   [],
--  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(true),' +
-   'require("crypto").getFips())',
-   process.env);
- 
- // setFipsCrypto should be able to turn FIPS mode on and off
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   [],
--  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(true),' +
-   'require("crypto").setFips(false),' +
-   'require("crypto").getFips())',
-@@ -187,27 +180,27 @@ testHelper(
- 
- // setFipsCrypto takes precedence over OpenSSL config file, FIPS on
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   [`--openssl-config=${CNF_FIPS_OFF}`],
--  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(true),' +
-   'require("crypto").getFips())',
-   process.env);
- 
- // setFipsCrypto takes precedence over OpenSSL config file, FIPS off
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  'stdout',
-   [`--openssl-config=${CNF_FIPS_ON}`],
--  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
-+  FIPS_DISABLED,
-   '(require("crypto").setFips(false),' +
-   'require("crypto").getFips())',
-   process.env);
- 
- // --enable-fips does not prevent use of setFipsCrypto API
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--enable-fips'],
--  compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(false),' +
-   'require("crypto").getFips())',
-   process.env);
-@@ -216,15 +209,15 @@ testHelper(
- testHelper(
-   'stderr',
-   ['--force-fips'],
--  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").setFips(false)',
-   process.env);
- 
- // --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--force-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(true),' +
-   'require("crypto").getFips())',
-   process.env);
-@@ -233,7 +226,7 @@ testHelper(
- testHelper(
-   'stderr',
-   ['--force-fips', '--enable-fips'],
--  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").setFips(false)',
-   process.env);
- 
-@@ -241,6 +234,6 @@ testHelper(
- testHelper(
-   'stderr',
-   ['--enable-fips', '--force-fips'],
--  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").setFips(false)',
-   process.env);
-diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
-index 1c91444..1d1605d 100644
---- a/test/parallel/test-process-env-allowed-flags-are-documented.js
-+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
-@@ -45,17 +45,8 @@ const conditionalOpts = [
-     include: common.hasCrypto,
-     filter: (opt) => {
-       return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
--              '--use-openssl-ca' ].includes(opt);
-+              '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);
-     }
--  }, {
--    // We are using openssl_is_fips from the configuration because it could be
--    // the case that OpenSSL is FIPS compatible but fips has not been enabled
--    // (starting node with --enable-fips). If we use common.hasFipsCrypto
--    // that would only tells us if fips has been enabled, but in this case we
--    // want to check options which will be available regardless of whether fips
--    // is enabled at runtime or not.
--    include: process.config.variables.openssl_is_fips,
--    filter: (opt) => opt.includes('-fips')
-   }, {
-     include: common.hasIntl,
-     filter: (opt) => opt === '--icu-data-dir'
--- 
-2.31.1
-
diff --git a/SOURCES/deps-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/deps-ansi-regex-fix-potential-ReDoS.patch
index af6706f..6b243f5 100644
--- a/SOURCES/deps-ansi-regex-fix-potential-ReDoS.patch
+++ b/SOURCES/deps-ansi-regex-fix-potential-ReDoS.patch
@@ -1,4 +1,4 @@
-From e040864f2797b9c705bac5862581d5f190510e04 Mon Sep 17 00:00:00 2001
+From e12dad58e7c749d65d51e2dd49dece4102ddfa18 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Thu, 9 Dec 2021 15:48:46 +0100
 Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
@@ -10,25 +10,10 @@ This is the upstream fix [1] applied to all applicable bundled deps.
 Fixes: CVE-2021-3807
 Signed-off-by: rpm-build <rpm-build>
 ---
- deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js    | 2 +-
  .../node_modules/string-width/node_modules/ansi-regex/index.js  | 2 +-
- .../npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js | 2 +-
  deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js    | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
+ 2 files changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
-index c254480..9e37ec3 100644
---- a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
-+++ b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
-@@ -6,7 +6,7 @@ module.exports = options => {
- 	}, options);
- 
- 	const pattern = [
--		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
-+		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
- 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
- 	].join('|');
- 
 diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
 index c4aaecf..7d32201 100644
 --- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
@@ -42,19 +27,6 @@ index c4aaecf..7d32201 100644
  		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
  	].join('|');
  
-diff --git a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
-index c254480..9e37ec3 100644
---- a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
-+++ b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
-@@ -6,7 +6,7 @@ module.exports = options => {
- 	}, options);
- 
- 	const pattern = [
--		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
-+		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
- 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
- 	].join('|');
- 
 diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
 index c254480..9e37ec3 100644
 --- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
@@ -69,5 +41,5 @@ index c254480..9e37ec3 100644
  	].join('|');
  
 -- 
-2.33.1
+2.36.1
 
diff --git a/SOURCES/deps-json-schema-protect-against-prototype-pollution.patch b/SOURCES/deps-json-schema-protect-against-prototype-pollution.patch
deleted file mode 100644
index 429ec97..0000000
--- a/SOURCES/deps-json-schema-protect-against-prototype-pollution.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 25661e4fc0e7c6a3d47bc189f886af76b1ecafa1 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Thu, 9 Dec 2021 13:01:08 +0100
-Subject: [PATCH] deps(json-schema): protect against prototype pollution
-
-Amalgamation of the following upstream patches:
-https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
-https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
-https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
-
-Fixes: CVE-2021-3918
-Signed-off-by: rpm-build <rpm-build>
----
- .../node_modules/json-schema/lib/validate.js  |  4 +--
- .../node_modules/json-schema/test/tests.js    | 28 ++++++++++++++++++-
- 2 files changed, 29 insertions(+), 3 deletions(-)
-
-diff --git a/deps/npm/node_modules/json-schema/lib/validate.js b/deps/npm/node_modules/json-schema/lib/validate.js
-index 4b61088..d05ee86 100644
---- a/deps/npm/node_modules/json-schema/lib/validate.js
-+++ b/deps/npm/node_modules/json-schema/lib/validate.js
-@@ -209,8 +209,8 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O
- 			}
- 
- 			for(var i in objTypeDef){
--				if(objTypeDef.hasOwnProperty(i)){
--					var value = instance[i];
-+				if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){
-+					var value = instance.hasOwnProperty(i) ? instance[i] : undefined;
- 					// skip _not_ specified properties
- 					if (value === undefined && options.existingOnly) continue;
- 					var propDef = objTypeDef[i];
-diff --git a/deps/npm/node_modules/json-schema/test/tests.js b/deps/npm/node_modules/json-schema/test/tests.js
-index 40eeda5..70f515a 100644
---- a/deps/npm/node_modules/json-schema/test/tests.js
-+++ b/deps/npm/node_modules/json-schema/test/tests.js
-@@ -91,5 +91,31 @@ var suite = vows.describe('JSON Schema').addBatch({
- 
-     'Json-Ref self-validates': assertSelfValidates('json-ref'),
-     'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
--    'Json-Ref/Core': assertValidates('json-ref', 'schema')
-+    'Json-Ref/Core': assertValidates('json-ref', 'schema'),
-+    prototypePollution: function() {
-+        console.log('testing')
-+        const instance = JSON.parse(`
-+        {
-+        "$schema":{
-+            "type": "object",
-+            "properties":{
-+            "__proto__": {
-+                "type": "object",
-+                
-+                "properties":{
-+                "polluted": {
-+                    "type": "string",
-+                    "default": "polluted"
-+                }
-+                }
-+            }
-+            },
-+            "__proto__": {}
-+        }
-+        }`);
-+                                            
-+        const a = {};
-+        validate(instance);
-+        assert.equal(a.polluted, undefined);
-+    }
- }).export(module);
--- 
-2.33.1
-
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 9e454c5..c4c974b 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -22,11 +22,11 @@
 # feature releases that are only supported for nine months, which is shorter
 # than a Fedora release lifecycle.
 %global nodejs_major 14
-%global nodejs_minor 18
-%global nodejs_patch 2
+%global nodejs_minor 20
+%global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
-%global nodejs_release 1
+%global nodejs_release 2
 
 # == Bundled Dependency Versions ==
 # v8 - from deps/v8/include/v8-version.h
@@ -47,7 +47,7 @@
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
 %global llhttp_minor 1
-%global llhttp_patch 4
+%global llhttp_patch 5
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 
 # libuv - from deps/uv/include/uv/version.h
@@ -71,7 +71,7 @@
 # npm - from deps/npm/package.json
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 15
+%global npm_patch 17
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -137,11 +137,7 @@ Patch10: deps-Remove-statx-from-libuv.patch
 # Make icutrim work with python 2
 Patch11: Make-icutrim.py-Python-2-compatible.patch
 
-# Always defer to OS when it comes to FIPS
-Patch13: always-available-fips-options.patch
-
 # Address various CVEs in bundled deps
-Patch20: deps-json-schema-protect-against-prototype-pollution.patch
 Patch21: deps-ansi-regex-fix-potential-ReDoS.patch
 
 
@@ -314,6 +310,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl
     %{?with_debug:--debug} \
     --with-dtrace --with-intl=small-icu \
     --shared-openssl --openssl-use-def-ca-store --openssl-is-fips \
+    --without-corepack \
     %{!?el7:--shared-zlib} \
     %{!?with_bootstrap:--shared-http-parser}
 
@@ -470,6 +467,13 @@ python2 tools/test.py "${RUN_SUITES[@]}" || :  # FIXME – disable all failing t
 
 
 %changelog
+* Tue Jul 26 2022 Jan Staněk <jstanek@redhat.com> - 14.20.0-2
+- Disable corepack
+
+* Tue Jul 12 2022 Jan Staněk <jstanek@redhat.com> - 14.20.0-1
+- Rebase to 14.20.0
+  Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215
+
 * Thu Dec 09 2021 Jan Staněk <jstanek@redhat.com> - 14.18.2-1
 - Rebase to 14.18.2
   Resolves: rhbz#2031770 rhbz#2031774