SSL issues after upgrading Ubuntu
-
I've just upgraded my machine to Ubuntu 22.04 (from 21.10) and it broke my Qt 6.2.0 application.
I send someQNetworkRequestqueries to an HTTPS server and now I get this error:[20220503 16:35:01 W] unknown:0 - QSslSocket: cannot resolve SSL_get_peer_certificate [20220503 16:35:01 W] unknown:0 - QSslSocket: cannot resolve EVP_PKEY_base_id [20220503 16:35:01 W] unknown:0 - QSslSocket: cannot call unresolved function SSL_get_peer_certificateAfter seeing this question I checked if I have some ssl packages still installed:
$ dpkg -l | grep ssl ii libflac8:amd64 1.3.3-2build2 amd64 Free Lossless Audio Codec - runtime C library ii libio-socket-ssl-perl 2.074-2 all Perl module implementing object oriented interface to SSL sockets ii libnet-smtp-ssl-perl 1.04-1 all Perl module providing SSL support to Net::SMTP ii libnet-ssleay-perl:amd64 1.92-1build2 amd64 Perl module for Secure Sockets Layer (SSL) ii libssl-dev:amd64 3.0.2-0ubuntu1 amd64 Secure Sockets Layer toolkit - development files ii libssl3:amd64 3.0.2-0ubuntu1 amd64 Secure Sockets Layer toolkit - shared libraries ii libssl3:i386 3.0.2-0ubuntu1 i386 Secure Sockets Layer toolkit - shared libraries ii libwavpack1:amd64 5.4.0-1build2 amd64 audio codec (lossy and lossless) - library ii libzstd1:amd64 1.4.8+dfsg-3build1 amd64 fast lossless compression algorithm ii libzstd1:i386 1.4.8+dfsg-3build1 i386 fast lossless compression algorithm ii openssl 3.0.2-0ubuntu1 amd64 Secure Sockets Layer toolkit - cryptographic utility ii perl-openssl-defaults:amd64 5build2 amd64 version compatibility baseline for Perl OpenSSL packages ii ssl-cert 1.1.2 all simple debconf wrapper for OpenSSL ii zstd 1.4.8+dfsg-3build1 amd64 fast lossless compression algorithm -- CLI toolThen I checked the libraries needed by my application:
$ ldd Updater linux-vdso.so.1 (0x00007ffec8176000) libQt6Network.so.6 => /home/mark/Qt/6.2.0/gcc_64/lib/libQt6Network.so.6 (0x00007f1fac82c000) libQt6Core.so.6 => /home/mark/Qt/6.2.0/gcc_64/lib/libQt6Core.so.6 (0x00007f1fac1fe000) libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f1fabfb7000) libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f1fabf97000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1fabd6f000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1fabd68000) libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f1fabd14000) libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f1fabd0f000) libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1fabcf3000) libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1fabc0c000) libicui18n.so.56 => /home/mark/Qt/6.2.0/gcc_64/lib/libicui18n.so.56 (0x00007f1fab600000) libicuuc.so.56 => /home/mark/Qt/6.2.0/gcc_64/lib/libicuuc.so.56 (0x00007f1fab200000) libicudata.so.56 => /home/mark/Qt/6.2.0/gcc_64/lib/libicudata.so.56 (0x00007f1fa9800000) libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007f1fabad0000) libgthread-2.0.so.0 => /lib/x86_64-linux-gnu/libgthread-2.0.so.0 (0x00007f1fabacb000) librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f1fabac6000) /lib64/ld-linux-x86-64.so.2 (0x00007f1fac9ea000) libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f1fa9735000) libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f1fab5d1000) libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f1fababe000) libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f1fabab0000) libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f1fa96bf000) libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f1fabaa7000) libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f1fab5bd000)Here the
.profile:QT -= gui QT += network SOURCES += \ main.cpp \ packages.cpp \ signalshandler.cpp \ updater.cpp # Default rules for deployment. target.path = /home/user/bin INSTALLS += target HEADERS += \ packages.h \ signalshandler.h \ updater.hWith Ubuntu 21.10 the very same project worked fine.
What I have to change now? -
I partially solved following this procedure.
Now the network sections of my application runs fine.However, this broke all the other sections that require OpenSSL 3.x like QtMultimedia (gstreamer) and the MySQL plugin:
GStreamer-WARNING **: 18:10:44.471: Failed to load plugin '/usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstlibav.so': /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.0.0' not found (required by /lib/x86_64-linux-gnu/librabbitmq.so.4) $ ldd libqsqlmysql.so ./libqsqlmysql.so: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.0.0' not found (required by /lib/x86_64-linux-gnu/libmysqlclient.so.21) ...How to maintain both versions so each library can use what it needs?
-
Hi,
Can you check with a more recent version of Qt ? The latest 6.2 released or maybe 6.3 ?
There was already work done to support OpenSSL3 see this bug report.
-
Hi,
Can you check with a more recent version of Qt ? The latest 6.2 released or maybe 6.3 ?
There was already work done to support OpenSSL3 see this bug report.
-
@SGaist sorry to bump but this issue broke all my applications. For example one that uses
qtopcuanow fires the same warnings on startup:[20220509 13:55:30 W] unknown:0 - QSslSocket: cannot resolve SSL_get_peer_certificate
[20220509 13:55:30 W] unknown:0 - QSslSocket: cannot resolve EVP_PKEY_base_idbut when I try to set the application identity:
void FemtoOpcUa::setConfiguration(QOpcUaPkiConfiguration *pkiConfig) { _pkiConfig = pkiConfig; _identity = _pkiConfig->applicationIdentity(); }it crashes with a seg fault in a lalaland of dissasembled code.
Any idea how to solve this problem?
-
@SGaist sorry to bump but this issue broke all my applications. For example one that uses
qtopcuanow fires the same warnings on startup:[20220509 13:55:30 W] unknown:0 - QSslSocket: cannot resolve SSL_get_peer_certificate
[20220509 13:55:30 W] unknown:0 - QSslSocket: cannot resolve EVP_PKEY_base_idbut when I try to set the application identity:
void FemtoOpcUa::setConfiguration(QOpcUaPkiConfiguration *pkiConfig) { _pkiConfig = pkiConfig; _identity = _pkiConfig->applicationIdentity(); }it crashes with a seg fault in a lalaland of dissasembled code.
Any idea how to solve this problem?
@Mark81 said in SSL issues after upgrading Ubuntu:
it crashes with a seg fault in a lalaland of dissasembled code.
What does the debugger say?
Is pkiConfig a valid pointer? -
@Mark81 said in SSL issues after upgrading Ubuntu:
it crashes with a seg fault in a lalaland of dissasembled code.
What does the debugger say?
Is pkiConfig a valid pointer?@jsulm Here the full scenario:
#ifndef OPCUACONFIG_H #define OPCUACONFIG_H #include <QObject> #include <QOpcUaClient> class OpcUaConfig : public QObject { Q_OBJECT public: explicit OpcUaConfig(QObject *parent = nullptr); QOpcUaPkiConfiguration *pkiConfig() { return &_pkiConfig; } private: QOpcUaPkiConfiguration _pkiConfig; void setupPkiConfiguration(); bool createPkiFolders(); bool createPkiPath(const QString &path); }; #endif // OPCUACONFIG_H#include "opcuaconfig.h" #include <QCoreApplication> #include <QHostInfo> #include <QDir> const QString ID("[OPCUA-CFG]"); OpcUaConfig::OpcUaConfig(QObject *parent) : QObject(parent) { setupPkiConfiguration(); } void OpcUaConfig::setupPkiConfiguration() { QString pkidir = QCoreApplication::applicationDirPath(); pkidir += "/pki"; _pkiConfig.setClientCertificateFile(pkidir + "/own/certs/project.der"); _pkiConfig.setPrivateKeyFile(pkidir + "/own/private/project.pem"); _pkiConfig.setTrustListDirectory(pkidir + "/trusted/certs"); _pkiConfig.setRevocationListDirectory(pkidir + "/trusted/crl"); _pkiConfig.setIssuerListDirectory(pkidir + "/issuers/certs"); _pkiConfig.setIssuerRevocationListDirectory(pkidir + "/issuers/crl"); createPkiFolders(); } bool OpcUaConfig::createPkiPath(const QString &path) { const QString msg = ID + " Creating PKI path '%1': %2"; QDir dir; return dir.mkpath(path); } bool OpcUaConfig::createPkiFolders() { bool result = createPkiPath(_pkiConfig.trustListDirectory()); if (!result) return result; result = createPkiPath(_pkiConfig.revocationListDirectory()); if (!result) return result; result = createPkiPath(_pkiConfig.issuerListDirectory()); if (!result) return result; result = createPkiPath(_pkiConfig.issuerRevocationListDirectory()); if (!result) return result; return result; }Then I pass the
OpcUaConfig::pkiConfig()to the function above.
I also added:if (pkiConfig == nullptr) { qWarning() << "Invalid config"; return; }to the
MyOpcUa::setConfiguration()function and it does not catch a null pointer.
Here the screenshot of the seg fault:
And here the "detail" of the pointer:
-
@jsulm Here the full scenario:
#ifndef OPCUACONFIG_H #define OPCUACONFIG_H #include <QObject> #include <QOpcUaClient> class OpcUaConfig : public QObject { Q_OBJECT public: explicit OpcUaConfig(QObject *parent = nullptr); QOpcUaPkiConfiguration *pkiConfig() { return &_pkiConfig; } private: QOpcUaPkiConfiguration _pkiConfig; void setupPkiConfiguration(); bool createPkiFolders(); bool createPkiPath(const QString &path); }; #endif // OPCUACONFIG_H#include "opcuaconfig.h" #include <QCoreApplication> #include <QHostInfo> #include <QDir> const QString ID("[OPCUA-CFG]"); OpcUaConfig::OpcUaConfig(QObject *parent) : QObject(parent) { setupPkiConfiguration(); } void OpcUaConfig::setupPkiConfiguration() { QString pkidir = QCoreApplication::applicationDirPath(); pkidir += "/pki"; _pkiConfig.setClientCertificateFile(pkidir + "/own/certs/project.der"); _pkiConfig.setPrivateKeyFile(pkidir + "/own/private/project.pem"); _pkiConfig.setTrustListDirectory(pkidir + "/trusted/certs"); _pkiConfig.setRevocationListDirectory(pkidir + "/trusted/crl"); _pkiConfig.setIssuerListDirectory(pkidir + "/issuers/certs"); _pkiConfig.setIssuerRevocationListDirectory(pkidir + "/issuers/crl"); createPkiFolders(); } bool OpcUaConfig::createPkiPath(const QString &path) { const QString msg = ID + " Creating PKI path '%1': %2"; QDir dir; return dir.mkpath(path); } bool OpcUaConfig::createPkiFolders() { bool result = createPkiPath(_pkiConfig.trustListDirectory()); if (!result) return result; result = createPkiPath(_pkiConfig.revocationListDirectory()); if (!result) return result; result = createPkiPath(_pkiConfig.issuerListDirectory()); if (!result) return result; result = createPkiPath(_pkiConfig.issuerRevocationListDirectory()); if (!result) return result; return result; }Then I pass the
OpcUaConfig::pkiConfig()to the function above.
I also added:if (pkiConfig == nullptr) { qWarning() << "Invalid config"; return; }to the
MyOpcUa::setConfiguration()function and it does not catch a null pointer.
Here the screenshot of the seg fault:And here the "detail" of the pointer:
@Mark81 said in SSL issues after upgrading Ubuntu:
I also added:
if (pkiConfig == nullptr)A pointer can be != nullptr but still invalid (pointing to not allocated memory). Where is setConfiguration called?
In the screen-shot I see FemtoOpcUi::setConfiguration but you write about MyOpcUa::setConfiguration()?
-
@Mark81 said in SSL issues after upgrading Ubuntu:
I also added:
if (pkiConfig == nullptr)A pointer can be != nullptr but still invalid (pointing to not allocated memory). Where is setConfiguration called?
In the screen-shot I see FemtoOpcUi::setConfiguration but you write about MyOpcUa::setConfiguration()?
@jsulm ok, so how to check if a pointer is valid? I only knew about checking if != null.
In another class I have this function:
void Engine::initMachines() { QSqlQuery query = _machines.items(); while (query.next()) { QString name = query.value("name").toString(); MyPlc *plc = new MyPlc(name); _mapPlc.insert(name, plc); QUrl url; url.setUrl(QString("opc.tcp://%1").arg(query.value("address").toString())); url.setPort(PLC_PORT); plc->setConfiguration(_opcUaConfig.pkiConfig()); plc->connectToServer(url); } }and:
class MyPlc : public QObject { Q_OBJECT public: explicit MyPlc(QString name, QObject *parent = nullptr); ~MyPlc(); void setConfiguration(QOpcUaPkiConfiguration *pkiConfig) { _opcua.setConfiguration(pkiConfig); } // ... } private: FemtoOpcUa _opcua;where
FemtoOpcUa::setConfiguration()is the function reported in the first message.Before upgrading to 22.04 all worked fine with this very same code.
-
@jsulm ok, so how to check if a pointer is valid? I only knew about checking if != null.
In another class I have this function:
void Engine::initMachines() { QSqlQuery query = _machines.items(); while (query.next()) { QString name = query.value("name").toString(); MyPlc *plc = new MyPlc(name); _mapPlc.insert(name, plc); QUrl url; url.setUrl(QString("opc.tcp://%1").arg(query.value("address").toString())); url.setPort(PLC_PORT); plc->setConfiguration(_opcUaConfig.pkiConfig()); plc->connectToServer(url); } }and:
class MyPlc : public QObject { Q_OBJECT public: explicit MyPlc(QString name, QObject *parent = nullptr); ~MyPlc(); void setConfiguration(QOpcUaPkiConfiguration *pkiConfig) { _opcua.setConfiguration(pkiConfig); } // ... } private: FemtoOpcUa _opcua;where
FemtoOpcUa::setConfiguration()is the function reported in the first message.Before upgrading to 22.04 all worked fine with this very same code.
@Mark81 said in SSL issues after upgrading Ubuntu:
@jsulm ok, so how to check if a pointer is valid? I only knew about checking if != null.
You can't. Other than maybe poking around in a debugger.
I'm not saying it will reveal much in this case, but when it crashes show the stack trace window,, which would tell us anything of interest about where what has been called from....
-
@Mark81 said in SSL issues after upgrading Ubuntu:
@jsulm ok, so how to check if a pointer is valid? I only knew about checking if != null.
You can't. Other than maybe poking around in a debugger.
I'm not saying it will reveal much in this case, but when it crashes show the stack trace window,, which would tell us anything of interest about where what has been called from....
-
@JonB sorry but where is the "stack trace" window? I only know the "call stack trace" window but as you can see above is filled of
??. -
@Mark81 said in SSL issues after upgrading Ubuntu:
I also added:
if (pkiConfig == nullptr)A pointer can be != nullptr but still invalid (pointing to not allocated memory). Where is setConfiguration called?
In the screen-shot I see FemtoOpcUi::setConfiguration but you write about MyOpcUa::setConfiguration()?
-
@jsulm ok, so how to check if a pointer is valid? I only knew about checking if != null.
In another class I have this function:
void Engine::initMachines() { QSqlQuery query = _machines.items(); while (query.next()) { QString name = query.value("name").toString(); MyPlc *plc = new MyPlc(name); _mapPlc.insert(name, plc); QUrl url; url.setUrl(QString("opc.tcp://%1").arg(query.value("address").toString())); url.setPort(PLC_PORT); plc->setConfiguration(_opcUaConfig.pkiConfig()); plc->connectToServer(url); } }and:
class MyPlc : public QObject { Q_OBJECT public: explicit MyPlc(QString name, QObject *parent = nullptr); ~MyPlc(); void setConfiguration(QOpcUaPkiConfiguration *pkiConfig) { _opcua.setConfiguration(pkiConfig); } // ... } private: FemtoOpcUa _opcua;where
FemtoOpcUa::setConfiguration()is the function reported in the first message.Before upgrading to 22.04 all worked fine with this very same code.
@Mark81 said in SSL issues after upgrading Ubuntu:
plc->setConfiguration(_opcUaConfig.pkiConfig());
What is _opcUaConfig? Was it initialized properly?
-
@Mark81 said in SSL issues after upgrading Ubuntu:
plc->setConfiguration(_opcUaConfig.pkiConfig());
What is _opcUaConfig? Was it initialized properly?
-
I think you needlessly delved into the debugger.
I came across the same bug. When upgrading ubuntu to version 22.04 LTS, I installed the current Qt 6.3.0, I got the same warnings as you.qt.network.ssl: QSslSocket: cannot resolve EVP_PKEY_base_id qt.network.ssl: QSslSocket: cannot resolve SSL_get_peer_certificateThe most simple example of code that already issues a warning:
#include <QCoreApplication> #include <QSslConfiguration> int main(int argc, char *argv[]) { QCore Application a(argc, argv); qWarning()<<"QSslSocket supportsSsl =>"<<QSslSocket::supportsSsl(); qWarning()<<"QSslSocket build version =>"<<QSslSocket::sslLibraryBuildVersionString(); qWarning()<<"QSslSocket version =>"<<QSslSocket::sslLibraryVersionString(); return a.exec(); }I checked the same code on another machine with ubuntu 21.04, there were no warnings.
The new ubuntu already has openssl 3.0.2-0ubuntu1.2 installed, while the previous ubuntu had openssl 1.1.1j installed
I believe QSslSocket incorrectly accesses the EVP_PKEY_base_id and SSL_get_peer_certificate keys -
I think you needlessly delved into the debugger.
I came across the same bug. When upgrading ubuntu to version 22.04 LTS, I installed the current Qt 6.3.0, I got the same warnings as you.qt.network.ssl: QSslSocket: cannot resolve EVP_PKEY_base_id qt.network.ssl: QSslSocket: cannot resolve SSL_get_peer_certificateThe most simple example of code that already issues a warning:
#include <QCoreApplication> #include <QSslConfiguration> int main(int argc, char *argv[]) { QCore Application a(argc, argv); qWarning()<<"QSslSocket supportsSsl =>"<<QSslSocket::supportsSsl(); qWarning()<<"QSslSocket build version =>"<<QSslSocket::sslLibraryBuildVersionString(); qWarning()<<"QSslSocket version =>"<<QSslSocket::sslLibraryVersionString(); return a.exec(); }I checked the same code on another machine with ubuntu 21.04, there were no warnings.
The new ubuntu already has openssl 3.0.2-0ubuntu1.2 installed, while the previous ubuntu had openssl 1.1.1j installed
I believe QSslSocket incorrectly accesses the EVP_PKEY_base_id and SSL_get_peer_certificate keys
