Discussion:
[Interest] Qt Android with OpenSSL problems "OpenSSL vulnerabilities in your apps"
Nguyen Ngoc Thach Chau
2018-10-29 07:58:20 UTC
Permalink
Dear supporters

I'm using Qt Android for mobile project.
When I upload APK file to Google Play Store, they always send me an alert
as below
=============
https://support.google.com/faqs/answer/6376725
=============
I checked APK, it is return openSSL 1.0.2k but it is confusing then I want
to ask to make sure
I searched Google a lot and applied some solutions:
- Add library file to "android\libs\armeabi-v7a" folder
- Add library path to .pro file
=======
android {

ANDROID_PACKAGE_SOURCE_DIR = $$PWD/android
contains(ANDROID_TARGET_ARCH,armeabi-v7a) {
ANDROID_EXTRA_LIBS = \
$$PWD/android/libs/armeabi-v7a/libcrypto.so \
$$PWD/android/libs/armeabi-v7a/libssl.so
}
OTHER_FILES += \
# android/build.gradle \
libs/armeabi-v7a/libcrypto.so \
libs/armeabi-v7a/libssl.so \
android/AndroidManifest.xml

}
==========

The question is:
When I'm checking output of build process
("...android-build\libs\armeabi-v7a" folder)
I always see old openSSL library file (libcrypto.so / libssl.so).
I also see that my library files are copied but they are replaced by old
library files (may be it is process of Qt)
=> How can I prevent Qt replace my library file in this cases ?
=> Is there any success case that use Qt to build Android game / app for Qt
recently ? ( before, I already uploaded successfully some apps, but from 2
months ago. I can not upload any more because of this problem)

Note:
- NDK: android-ndk-r17c
- Java: Java\jdk1.8.0_111
- Qt: 5.9.4 => I can upgrade this if needed
- SDK: Android SDK (build tool v25.0.3, android build sdk 28)
- target: min API 16, max API 26
- error details: https://support.google.com/faqs/answer/6376725
René Hansen
2018-10-29 08:33:46 UTC
Permalink
Try to make sure you're actually on the right version, from inside the app.
Ie, what does *OpenSSL_version(OPENSSL_VERSION)* return? Your setting of
*ANDROID_EXTRA_LIBS* looks correct enough.

/René
Post by Nguyen Ngoc Thach Chau
Dear supporters
I'm using Qt Android for mobile project.
When I upload APK file to Google Play Store, they always send me an alert
as below
=============
https://support.google.com/faqs/answer/6376725
=============
I checked APK, it is return openSSL 1.0.2k but it is confusing then I want
to ask to make sure
- Add library file to "android\libs\armeabi-v7a" folder
- Add library path to .pro file
=======
android {
ANDROID_PACKAGE_SOURCE_DIR = $$PWD/android
contains(ANDROID_TARGET_ARCH,armeabi-v7a) {
ANDROID_EXTRA_LIBS = \
$$PWD/android/libs/armeabi-v7a/libcrypto.so \
$$PWD/android/libs/armeabi-v7a/libssl.so
}
OTHER_FILES += \
# android/build.gradle \
libs/armeabi-v7a/libcrypto.so \
libs/armeabi-v7a/libssl.so \
android/AndroidManifest.xml
}
==========
When I'm checking output of build process
("...android-build\libs\armeabi-v7a" folder)
I always see old openSSL library file (libcrypto.so / libssl.so).
I also see that my library files are copied but they are replaced by old
library files (may be it is process of Qt)
=> How can I prevent Qt replace my library file in this cases ?
=> Is there any success case that use Qt to build Android game / app for
Qt recently ? ( before, I already uploaded successfully some apps, but from
2 months ago. I can not upload any more because of this problem)
- NDK: android-ndk-r17c
- Java: Java\jdk1.8.0_111
- Qt: 5.9.4 => I can upgrade this if needed
- SDK: Android SDK (build tool v25.0.3, android build sdk 28)
- target: min API 16, max API 26
- error details: https://support.google.com/faqs/answer/6376725
_______________________________________________
Interest mailing list
http://lists.qt-project.org/mailman/listinfo/interest
Nguyen Ngoc Thach Chau
2018-10-29 09:38:17 UTC
Permalink
Thank you Rene

I check by source code functions below:
====
long sslLibraryVersionNumber
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryVersionNumber>()
QString sslLibraryVersionString
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryVersionString>()
long sslLibraryBuildVersionNumber
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryBuildVersionNumber>()
QString sslLibraryBuildVersionString
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryBuildVersionString>()

=======


Here is output

====

268439647

"OpenSSL 1.0.1e 11 Feb 2013"

268443903

"OpenSSL 1.0.2o 27 Mar 2018"

====


I still can not figure out why it is 1.0.1e.....

Does it related to graddle build version ?

I checked output folder and see it is using as below

*classpath 'com.android.tools.build:gradle:2.2.3'*
Post by René Hansen
Try to make sure you're actually on the right version, from inside the
app. Ie, what does *OpenSSL_version(OPENSSL_VERSION)* return? Your
setting of *ANDROID_EXTRA_LIBS* looks correct enough.
/René
Post by Nguyen Ngoc Thach Chau
Dear supporters
I'm using Qt Android for mobile project.
When I upload APK file to Google Play Store, they always send me an alert
as below
=============
https://support.google.com/faqs/answer/6376725
=============
I checked APK, it is return openSSL 1.0.2k but it is confusing then I
want to ask to make sure
- Add library file to "android\libs\armeabi-v7a" folder
- Add library path to .pro file
=======
android {
ANDROID_PACKAGE_SOURCE_DIR = $$PWD/android
contains(ANDROID_TARGET_ARCH,armeabi-v7a) {
ANDROID_EXTRA_LIBS = \
$$PWD/android/libs/armeabi-v7a/libcrypto.so \
$$PWD/android/libs/armeabi-v7a/libssl.so
}
OTHER_FILES += \
# android/build.gradle \
libs/armeabi-v7a/libcrypto.so \
libs/armeabi-v7a/libssl.so \
android/AndroidManifest.xml
}
==========
When I'm checking output of build process
("...android-build\libs\armeabi-v7a" folder)
I always see old openSSL library file (libcrypto.so / libssl.so).
I also see that my library files are copied but they are replaced by old
library files (may be it is process of Qt)
=> How can I prevent Qt replace my library file in this cases ?
=> Is there any success case that use Qt to build Android game / app for
Qt recently ? ( before, I already uploaded successfully some apps, but from
2 months ago. I can not upload any more because of this problem)
- NDK: android-ndk-r17c
- Java: Java\jdk1.8.0_111
- Qt: 5.9.4 => I can upgrade this if needed
- SDK: Android SDK (build tool v25.0.3, android build sdk 28)
- target: min API 16, max API 26
- error details: https://support.google.com/faqs/answer/6376725
_______________________________________________
Interest mailing list
http://lists.qt-project.org/mailman/listinfo/interest
René Hansen
2018-10-29 09:51:19 UTC
Permalink
It looks like you're bundling the stale version of OpenSSL. Try deleting
your *build-* folder to get a fresh one and maybe set *ANDROID_EXTRA_LIBS *to
point directly to the libs outside of your project folder.

/René
Post by Nguyen Ngoc Thach Chau
Thank you Rene
====
long sslLibraryVersionNumber
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryVersionNumber>()
QString sslLibraryVersionString
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryVersionString>()
long sslLibraryBuildVersionNumber
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryBuildVersionNumber>()
QString sslLibraryBuildVersionString
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryBuildVersionString>()
=======
Here is output
====
268439647
"OpenSSL 1.0.1e 11 Feb 2013"
268443903
"OpenSSL 1.0.2o 27 Mar 2018"
====
I still can not figure out why it is 1.0.1e.....
Does it related to graddle build version ?
I checked output folder and see it is using as below
*classpath 'com.android.tools.build:gradle:2.2.3'*
Post by René Hansen
Try to make sure you're actually on the right version, from inside the
app. Ie, what does *OpenSSL_version(OPENSSL_VERSION)* return? Your
setting of *ANDROID_EXTRA_LIBS* looks correct enough.
/René
Post by Nguyen Ngoc Thach Chau
Dear supporters
I'm using Qt Android for mobile project.
When I upload APK file to Google Play Store, they always send me an
alert as below
=============
https://support.google.com/faqs/answer/6376725
=============
I checked APK, it is return openSSL 1.0.2k but it is confusing then I
want to ask to make sure
- Add library file to "android\libs\armeabi-v7a" folder
- Add library path to .pro file
=======
android {
ANDROID_PACKAGE_SOURCE_DIR = $$PWD/android
contains(ANDROID_TARGET_ARCH,armeabi-v7a) {
ANDROID_EXTRA_LIBS = \
$$PWD/android/libs/armeabi-v7a/libcrypto.so \
$$PWD/android/libs/armeabi-v7a/libssl.so
}
OTHER_FILES += \
# android/build.gradle \
libs/armeabi-v7a/libcrypto.so \
libs/armeabi-v7a/libssl.so \
android/AndroidManifest.xml
}
==========
When I'm checking output of build process
("...android-build\libs\armeabi-v7a" folder)
I always see old openSSL library file (libcrypto.so / libssl.so).
I also see that my library files are copied but they are replaced by old
library files (may be it is process of Qt)
=> How can I prevent Qt replace my library file in this cases ?
=> Is there any success case that use Qt to build Android game / app for
Qt recently ? ( before, I already uploaded successfully some apps, but from
2 months ago. I can not upload any more because of this problem)
- NDK: android-ndk-r17c
- Java: Java\jdk1.8.0_111
- Qt: 5.9.4 => I can upgrade this if needed
- SDK: Android SDK (build tool v25.0.3, android build sdk 28)
- target: min API 16, max API 26
- error details: https://support.google.com/faqs/answer/6376725
_______________________________________________
Interest mailing list
http://lists.qt-project.org/mailman/listinfo/interest
Nguyen Ngoc Thach Chau
2018-10-29 15:01:46 UTC
Permalink
Yes. I did it but Play Store keep alert again :(
I also build new OpenSSL 1.0.2p
About using command "sslLibraryVersionString
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryVersionString>()", I still
get openSSL 1.0.1e
I check build folder, new library (1.0.2p) are there.
Any hints :( ?
Post by René Hansen
It looks like you're bundling the stale version of OpenSSL. Try deleting
your *build-* folder to get a fresh one and maybe set *ANDROID_EXTRA_LIBS
*to point directly to the libs outside of your project folder.
/René
Post by Nguyen Ngoc Thach Chau
Thank you Rene
====
long sslLibraryVersionNumber
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryVersionNumber>()
QString sslLibraryVersionString
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryVersionString>()
long sslLibraryBuildVersionNumber
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryBuildVersionNumber>()
QString sslLibraryBuildVersionString
<http://doc.qt.io/qt-5/qsslsocket.html#sslLibraryBuildVersionString>()
=======
Here is output
====
268439647
"OpenSSL 1.0.1e 11 Feb 2013"
268443903
"OpenSSL 1.0.2o 27 Mar 2018"
====
I still can not figure out why it is 1.0.1e.....
Does it related to graddle build version ?
I checked output folder and see it is using as below
*classpath 'com.android.tools.build:gradle:2.2.3'*
Post by René Hansen
Try to make sure you're actually on the right version, from inside the
app. Ie, what does *OpenSSL_version(OPENSSL_VERSION)* return? Your
setting of *ANDROID_EXTRA_LIBS* looks correct enough.
/René
Post by Nguyen Ngoc Thach Chau
Dear supporters
I'm using Qt Android for mobile project.
When I upload APK file to Google Play Store, they always send me an
alert as below
=============
https://support.google.com/faqs/answer/6376725
=============
I checked APK, it is return openSSL 1.0.2k but it is confusing then I
want to ask to make sure
- Add library file to "android\libs\armeabi-v7a" folder
- Add library path to .pro file
=======
android {
ANDROID_PACKAGE_SOURCE_DIR = $$PWD/android
contains(ANDROID_TARGET_ARCH,armeabi-v7a) {
ANDROID_EXTRA_LIBS = \
$$PWD/android/libs/armeabi-v7a/libcrypto.so \
$$PWD/android/libs/armeabi-v7a/libssl.so
}
OTHER_FILES += \
# android/build.gradle \
libs/armeabi-v7a/libcrypto.so \
libs/armeabi-v7a/libssl.so \
android/AndroidManifest.xml
}
==========
When I'm checking output of build process
("...android-build\libs\armeabi-v7a" folder)
I always see old openSSL library file (libcrypto.so / libssl.so).
I also see that my library files are copied but they are replaced by
old library files (may be it is process of Qt)
=> How can I prevent Qt replace my library file in this cases ?
=> Is there any success case that use Qt to build Android game / app
for Qt recently ? ( before, I already uploaded successfully some apps, but
from 2 months ago. I can not upload any more because of this problem)
- NDK: android-ndk-r17c
- Java: Java\jdk1.8.0_111
- Qt: 5.9.4 => I can upgrade this if needed
- SDK: Android SDK (build tool v25.0.3, android build sdk 28)
- target: min API 16, max API 26
- error details: https://support.google.com/faqs/answer/6376725
_______________________________________________
Interest mailing list
http://lists.qt-project.org/mailman/listinfo/interest
Thiago Macieira
2018-10-29 16:17:25 UTC
Permalink
Post by Nguyen Ngoc Thach Chau
I checked APK, it is return openSSL 1.0.2k but it is confusing then I want
1.0.2k is not up-to-date. Upgrade to 1.0.2p.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
René Hansen
2018-10-29 17:22:50 UTC
Permalink
Nguyen, I've just updated from 1.0.2n in my own app to 1.0.2p, using my own
homegrown build system for OpenSSL.

It seems to work and I can complete https request just fine. This is what I
get in the app when I query the version:

main.cpp:117 (int main(int, char**)): sslLibraryVersionString() "OpenSSL
1.0.2p 14 Aug 2018"

I don't know it will solve your problem, but maybe it's worth trying a
different build. Here's the link: https://github.com/rhardih/bad.

The readme has instructions, but basically it's just:


1. Clone repo
2. Run make openssl
3. Extract libs

This is the Android part of the .pri file I use for OpenSSL:

linux:android {
OSSL_BUILD_PATH =
/Users/rene/Code/bad/extracted/openssl-1.0.2p-armv7-a-build

ANDROID_EXTRA_LIBS += \
$$OSSL_BUILD_PATH/lib/libcrypto.so \
$$OSSL_BUILD_PATH/lib/libssl.so
}

/René
Post by Thiago Macieira
Post by Nguyen Ngoc Thach Chau
I checked APK, it is return openSSL 1.0.2k but it is confusing then I
want
1.0.2k is not up-to-date. Upgrade to 1.0.2p.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
_______________________________________________
Interest mailing list
http://lists.qt-project.org/mailman/listinfo/interest
Nguyen Ngoc Thach Chau
2018-10-31 01:33:36 UTC
Permalink
The problem is not about send HTTPS request,
It is about Google Play Store rejection.
Google Play Store still alert me about OpenSSL library & do not let me
upload to play store
Refer alert here: https://support.google.com/faqs/answer/6376725
:( I update library and re-upload but still do not success.
I ask Google but they may not give any answer
Post by René Hansen
Nguyen, I've just updated from 1.0.2n in my own app to 1.0.2p, using my
own homegrown build system for OpenSSL.
It seems to work and I can complete https request just fine. This is what
main.cpp:117 (int main(int, char**)): sslLibraryVersionString() "OpenSSL
1.0.2p 14 Aug 2018"
I don't know it will solve your problem, but maybe it's worth trying a
different build. Here's the link: https://github.com/rhardih/bad.
1. Clone repo
2. Run make openssl
3. Extract libs
linux:android {
OSSL_BUILD_PATH =
/Users/rene/Code/bad/extracted/openssl-1.0.2p-armv7-a-build
ANDROID_EXTRA_LIBS += \
$$OSSL_BUILD_PATH/lib/libcrypto.so \
$$OSSL_BUILD_PATH/lib/libssl.so
}
/René
Post by Thiago Macieira
Post by Nguyen Ngoc Thach Chau
I checked APK, it is return openSSL 1.0.2k but it is confusing then I
want
1.0.2k is not up-to-date. Upgrade to 1.0.2p.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
_______________________________________________
Interest mailing list
http://lists.qt-project.org/mailman/listinfo/interest
_______________________________________________
Interest mailing list
http://lists.qt-project.org/mailman/listinfo/interest
René Hansen
2018-10-31 09:13:10 UTC
Permalink
Somehow it seems you're still bundling 1.0.1e, so that's what you need to
look for. I'm not sure where to start, since I don't know your specific
project but afaik OpenSSL was a manual include as far back as 5.6
<http://doc.qt.io/qt-5.6/opensslsupport.html>, so the version you're using,
5.9.4, shouldn't be doing any magic stuff either. /René
Post by Nguyen Ngoc Thach Chau
The problem is not about send HTTPS request,
It is about Google Play Store rejection.
Google Play Store still alert me about OpenSSL library & do not let me
upload to play store
Refer alert here: https://support.google.com/faqs/answer/6376725
:( I update library and re-upload but still do not success.
I ask Google but they may not give any answer
Post by René Hansen
Nguyen, I've just updated from 1.0.2n in my own app to 1.0.2p, using my
own homegrown build system for OpenSSL.
It seems to work and I can complete https request just fine. This is what
main.cpp:117 (int main(int, char**)): sslLibraryVersionString() "OpenSSL
1.0.2p 14 Aug 2018"
I don't know it will solve your problem, but maybe it's worth trying a
different build. Here's the link: https://github.com/rhardih/bad.
1. Clone repo
2. Run make openssl
3. Extract libs
linux:android {
OSSL_BUILD_PATH =
/Users/rene/Code/bad/extracted/openssl-1.0.2p-armv7-a-build
ANDROID_EXTRA_LIBS += \
$$OSSL_BUILD_PATH/lib/libcrypto.so \
$$OSSL_BUILD_PATH/lib/libssl.so
}
/René
Post by Thiago Macieira
Post by Nguyen Ngoc Thach Chau
I checked APK, it is return openSSL 1.0.2k but it is confusing then I
want
1.0.2k is not up-to-date. Upgrade to 1.0.2p.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
_______________________________________________
Interest mailing list
http://lists.qt-project.org/mailman/listinfo/interest
_______________________________________________
Interest mailing list
http://lists.qt-project.org/mailman/listinfo/interest
Loading...