OpenSSL outdated? Google PlayStore Security Warning!
-
Hello,
I recently received a warning from the Google Play Store that my app is using an outdated version of OpenSSL. So I verified it, and it seems to me that QtNetwork links OpenSSL version 1.0.0e. I am using Qt 5.4.0.
Any ideas on how to solve this problem? I could build Qt with a local and newer version of OpenSSL, but maybe there is something else?
-
Hi,
Wouldn't replacing OpenSSL be enough? IIRC, OpenSSL is not linked by default but loaded at run time.
-
It might be a problem with Google, or it might be a problem with building Android apps in Qt.
This user has reported the same issue, and his symptoms sound strange: https://forum.qt.io/topic/53870/
-
It might be a problem with Google, or it might be a problem with building Android apps in Qt.
@JKSH It seems that Google implemented a scan method to verify the OpenSSL version used by the application. From SSL I read that Qt dynamically loads any installed OpenSSL library at run-time. I assume that Qt comes with OpenSSL since I can build with Qt without a locally installed version of OpenSSL.
I'll try something out and will provide further information as soon as possible.
-
Google is probably protecting you and your users from the Heartbleed vulnerability in the older OpenSSL.
http://heartbleed.com/
-
@Jeff-Andle
A list of vulnerabilities can be found here. From the list I can take that it's one MITM exploit and everything else just DoS. Also, Google just warns us about a possible problem; it doesn't remove or unpublish the app. AFAIK Heartbleed occurs from OpenSSL version 1.0.1 to 1.0.1f until its fix in version 1.0.1g. So version 1.0.0e shouldn't have a problem with Heartbleed. Although I would like to update somehow anyway...