deps: update OpenSSL to 3.0.17

[nodejs-github-bot]

This is an automated update of OpenSSL to 3.0.17.

[nodejs-github-bot]

Review requested:

• @nodejs/security-wg

[richardlau]

FYI I'm testing the automation.

[richardlau]

This was opened by https://github.com/nodejs/node/actions/runs/14779389322/job/41494768590, running on the branch for #58098.

[richardlau]

Marked [do not land] (and labelled blocked). The intention is to land #58099 and #58100 and then run the updater workflow from main to do the proper upgrade (e.g. in this PR the commits from #58098 have been squashed into the first commit, which isn't what we want).

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/66533/

[richardlau]

CI: https://ci.nodejs.org/job/node-test-pull-request/66533/

https://ci.nodejs.org/job/node-test-commit-linux/nodes=rhel8-x64/64390/console

02:00:16 ../deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s: Assembler messages:
02:00:16 ../deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s:85: Error: unsupported instruction `vpmadd52luq'
02:00:16 ../deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s:86: Error: unsupported instruction `vpmadd52luq'
...

So the build failures are a surprise as I wasn't seeing those locally (Linux x64). On further investigation it looks like some of the config files, specifically some of the assembly *.s files, are different when run on GitHub workflow vs generating them locally with deps/openssl/config/Dockerfile.

For example, compare

• https://github.com/nodejs/node/blob/8573b4a8018920b95fdfc8e989c22c3c017a90d8/deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s (1167 lines)
• https://github.com/richardlau/node-1/blob/537b8710d483ef67d129080f5ad509f90ff480db/deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s (40 lines)

I think this is partly due to openssl/openssl#25751 and e.g.

node/deps/openssl/openssl/crypto/bn/asm/rsaz-2k-avxifma.pl

Lines 30 to 34 in 8573b4a

	# TODO: Find out the version of NASM that supports VEX-encoded AVX-IFMA instructions
	if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
	=~ /GNU assembler version ([2-9]\.[0-9]+)/) {
	$avxifma = ($1>=2.40);
	}

which is sensitive to GNU assembler version.

The version of GNU assembler in the Dockerfile (Ubuntu 20.04) is 2.34. My RHEL 9 build environment has GNU assembler 2.38. Both of those are less than 2.40. Ubuntu 24.04 appears to have GNU assembler 2.42, which passes the above check. The build in Jenkins will be running with different versions of GNU assembler depending on the installed version of binutils.