OpenSSL outdated? Google PlayStore Security Warning!



  • Hello,

    I recently received a warning from the Google Play Store that my app is using an outdated version of OpenSSL. So I verified it, and it seems to me that QtNetwork links OpenSSL version 1.0.0e. I am using Qt 5.4.0.

    Any ideas on how to solve this problem? I could build Qt with a local and newer version of OpenSSL, but maybe there is something else?


  • Lifetime Qt Champion

    Hi,

    Wouldn't replacing OpenSSL be enough? IIRC, OpenSSL is not linked by default but loaded at run time.


  • Moderators

    It might be a problem with Google, or it might be a problem with building Android apps in Qt.

    This user has reported the same issue, and his symptoms sound strange: https://forum.qt.io/topic/53870/



  • It might be a problem with Google, or it might be a problem with building Android apps in Qt.

    @JKSH It seems that Google implemented a scan method to verify the OpenSSL version used by the application. From SSL I read that Qt dynamically loads any installed OpenSSL library at run-time. I assume that Qt comes with OpenSSL since I can build with Qt without a locally installed version of OpenSSL.
    I'll try something out and will provide further information as soon as possible.



  • Google is probably protecting you and your users from the Heartbleed vulnerability in the older OpenSSL.
    http://heartbleed.com/



  • @Jeff-Andle
    A list of vulnerabilities can be found here. From the list I can take that it's one MITM exploit and everything else just DoS. Also, Google just warns us about a possible problem; it doesn't remove or unpublish the app. AFAIK Heartbleed occurs from OpenSSL version 1.0.1 to 1.0.1f until it's fixed in version 1.0.1g. So version 1.0.0e shouldn't have a problem with Heartbleed. Although I would like to update somehow anyway...
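One way to check for yourself which OpenSSL build ends up inside an Android package is to search its native libraries for the version banner that OpenSSL embeds. The script below is an added example, not code from any poster in this thread and not a reproduction of Google's scanner. The library file names and the sample archive are constructed for illustration, and the Heartbleed range check uses the 1.0.1 to 1.0.1f range quoted in the thread.

```python
import io
import re
import zipfile

# Version banner that OpenSSL builds embed, e.g. "OpenSSL 1.0.0e 6 Sep 2011".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2}) +\d{1,2} [A-Z][a-z]{2} \d{4}")


def find_openssl_versions(blob):
    """Return the sorted, de-duplicated OpenSSL versions found in raw bytes."""
    return sorted({(m.group(1) + m.group(2)).decode() for m in BANNER.finditer(blob)})


def heartbleed_affected(version):
    """True for 1.0.1 through 1.0.1f, the range named in the thread."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version)
    if not m or m.group(1) != "1.0.1":
        return False
    return m.group(2) in ("", "a", "b", "c", "d", "e", "f")


def scan_apk(apk):
    """Map each native library in an APK (path or file object) to its banners."""
    found = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                versions = find_openssl_versions(zf.read(name))
                if versions:
                    found[name] = versions
    return found


def build_sample_apk():
    """Constructed sample: a zip laid out like an APK, with fake .so contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libQt5Network.so", b"\x7fELF\x00no banner here\x00")
        zf.writestr("lib/armeabi-v7a/libcrypto.so", b"\x7fELF\x00OpenSSL 1.0.0e 6 Sep 2011\x00")
        zf.writestr("lib/armeabi-v7a/libssl.so", b"\x00OpenSSL 1.0.1f 6 Jan 2014\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for lib, versions in scan_apk(build_sample_apk()).items():
        for v in versions:
            status = "in Heartbleed range" if heartbleed_affected(v) else "outside Heartbleed range"
            print(lib, v, status)
```

To scan a real build, pass the path of the .apk file to scan_apk() instead of the constructed sample.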


