Does Qt 5.15 support OpenSSL 3.x?

Taytoo

Is there a way to request support for OpenSSL 3 in Qt 5.15? The support for 5.15 LTS lasts till May 2025, whereas OpenSSL 1.1.1 support will end in Nov 2023. Afterwards a critical part of any modern software will be vulnerable to exploitation since users of 5.15 won't be able to use OpenSSL 3?

jsulm

@Taytoo said in Does Qt 5.15 support OpenSSL 3.x?:

Is there a way to request

https://bugreports.qt.io/secure/Dashboard.jspa

Taytoo

Contacted support, they are working on porting changes from Qt6 to 5 and while it may not be officially supported, we will be able to compile the framework using openssl 3.x.

julianoes

@Taytoo did you ever get a resolution on this topic?

And to get the fixes, did you have to rebuild Qt yourself? If so, do you have any links how that's done?

I created a bug report regarding Qt 5.15 on platforms like Ubuntu 22.04 which don't ship with openssl v1 but I couldn't quite get a straight answer: https://bugreports.qt.io/browse/QTBUG-115146

SGaist

@julianoes hi,

If the support has been backported, then you have to get the corresponding (or later) sources and build Qt yourself. Depending on the distribution you use, its own Qt version may already be patched to support OpenSSL v3.

QuantumTransistor

I tried compiling the open-source Qt 5.15.10 with OpenSSL 3.1.1 in Windows 11 (VS 2022) using:

-openssl-runtime OPENSSL_INCDIR="C:\Path\Tp\OpenSSL\3.1.1\include"

in the configure call. Compiling Qt worked fine, but at run time, QSslSocket::sslLibraryBuildVersionString() returns

Qt OpenSSL build version: "OpenSSL 3.1.1 30 May 2023"
[2023-07-18 8:34:19.625][W][qt.network.ssl] `anonymous-namespace'::qsslSocketCannotResolveSymbolWarning():132 - QSslSocket: cannot resolve EVP_PKEY_base_id
[2023-07-18 8:34:19.625][W][qt.network.ssl] `anonymous-namespace'::qsslSocketCannotResolveSymbolWarning():132 - QSslSocket: cannot resolve SSL_get_peer_certificate

I'm still not sure if OpenSSL 3.x is fundamentally incompatible with Qt 5.15.x, or if other changes are needed.

(Note, I followed the same compiling and linking steps which work with Qt 5.15.x and OpenSSL 1.1.1).

Taytoo

@QuantumTransistor I link with openssl statically and also use vcpkg to manage external libraries - makes it really easy to update libraries in few simple commands.

Anyway, you need to specify path to library and header files e.g. part of my configure command:

-openssl-linked OPENSSL_LIBS="-llibssl -llibcrypto -lws2_32 -lAdvapi32 -lCrypt32 -lUser32" -I C:\Dev\vcpkg\installed\x86-windows-static\include -I C:\Dev\vcpkg\installed\x86-windows-static\include\openssl -L C:\Dev\vcpkg\installed\x86-windows-static\lib

julianoes

@SGaist said in Does Qt 5.15 support OpenSSL 3.x?:

Depending on the distribution you use, its own Qt version may already be patched to support OpenSSL v3.

That's an interesting comment. Thanks @SGaist. So far, we always downloaded Qt using the installer and used that to build. Depending on the OS (ubuntu 22.04) one tended to be tricky and the wrong version but I might give that a try.

It's a shame that Qt doesn't make a patch release to fixup something security related like that.

JKSH

@julianoes said in Does Qt 5.15 support OpenSSL 3.x?:

It's a shame that Qt doesn't make a patch release to fixup something security related like that.

Qt 5.15 has reached end-of-life (see https://www.qt.io/blog/qt-5.15-support-ends ). When security is important, use an actively-maintained version. Qt 6.5 uses OpenSSL 3 by default.

QuantumTransistor

Thanks @Taytoo, I'll give static linking a try. Which version of Qt are you using? This bug report gives a patch for using 5.15.9 with OpenSSL 3. I'm using 5.15.10 (the latest available open-source), and not sure if a similar patch is still needed.

QuantumTransistor

Following the suggestion from @Taytoo, I got Qt5.15.10 and OpenSSL 3.1.1 to work correctly for my application.

OpenSSL configure settings were:

-openssl-linked OPENSSL_INCDIR="C:\Path\To\OpenSSL\3.1.1\include" OPENSSL_LIBDIR="C:\Path\To\OpenSSL\3.1.1\lib\VC\static" OPENSSL_LIBS="-lWs2_32 -lGdi32 -lAdvapi32 -lCrypt32 -lUser32" OPENSSL_LIBS_DEBUG="-llibssl64MDd -llibcrypto64MDd" OPENSSL_LIBS_RELEASE="-llibssl64MD -llibcrypto64MD"

Still a bit puzzled why -openssl-runtime doesn't work, but I'll keep trying now that I know the codes are compatible.

Taytoo

@QuantumTransistor I've never linked with openssl dynamically, so can't really help with that. Try changing Lib path to point towards .so/.dll files instead and see if that works.

seyed

I used OpenSSL 3 to build Qt 5.15.10 successfully, but at runtime, I faced problems:

qt.network.ssl: QSslSocket: cannot resolve EVP_PKEY_base_id
qt.network.ssl: QSslSocket: cannot resolve SSL_get_peer_certificate
Build version: "OpenSSL 3.1.1 30 May 2023"
Run version: "OpenSSL 3.1.1 30 May 2023"
Supports SSL: true

Finally, porting changes from Qt 6 to 5 results in a successful build and run. 🎉
Read my gist for steps

QuantumTransistor

@seyed - I used the patch from your gist and was able to successfully build and use Qt 5.15.10 with OpenSSL 3.1.2 using -openssl-runtime. Thanks!! 🎉

ocgltd

I hope to avoid rebuilding Qt + patches. Will Qt release a 5.15.x update that will allow compilation against openssl 3 ?

SGaist

@ocgltd if memory serves well, the 5.15 LTS has support for OpenSSL 3 so it should eventually come to be.

You might want to check the KDE patch set for Qt.

QuantumTransistor

@ocgltd according to a comment on this bug report, OpenSSL 3 is supported with Qt 5.15.13 onwards. If you are using the open-source version, this should be available 9 March 2024 (one year after the commercial release date).

piervalli

@QuantumTransistor
Openssl works with 5.15.13 (open source) but we need to compiare with c++17

SGaist

@piervalli what issue do you have with C++17 ?
Qt 5 requires C++11 and OpenSSL is C.

piervalli

@SGaist
The issue is with Qt 5.15.13 and build by source I haved setted c++17 for that error.
text\qlocale_win.cpp:498:60: error: 'size' is not a member of 'std'

I used Mingw 8.1