@ricardo v3.11 already fix it?
I have created an issue: https://github.com/cocos2d/cocos2d-x/issues/15359.
@ricardo v3.11 already fix it?
I have created an issue: https://github.com/cocos2d/cocos2d-x/issues/15359.
If you want to check it:
$ unzip -p YourApp.apk | strings | grep “OpenSSL”
Or like this, it’s nice:
#!/bin/bash
# USAGE: testopenssl.sh APK_File
sslworkdir="ssl_work_dir"
if [ ! -d $sslworkdir ]; then
mkdir $sslworkdir
fi
unzip -q "$1" -d $sslworkdir
#Set delimiter to ignore spaces
IFS=$'\r\n'
#Create an array of OpenSSL version strings
opensslarr=($(egrep --binary-files=text -o -R -e "OpenSSL\s\d+\.\d+\.\d+\w+\s\d+\s\w+\s\d+" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#opensslarr[@]} -gt 0 ]; then
echo "Found OpenSSL versions"
printf "%s\n" "${opensslarr[@]}"
heartbeatarr=($(grep -R -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_hearbeat)" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#heartbeatarr[@]} -gt 0 ]; then
echo "Files that contains heartbeat methods:"
printf "%s\n" "${heartbeatarr[@]}"
else
echo "No libraries contain heartbeat methods"
fi
else
echo "Did not find OpenSSL"
fi
rm -rf $sslworkdir
Thanks devs!
@zhangxm I think we are using “1.0.1l” for v3.11, and we should use 1.0.1r or higher.
so, it is not fixed on v3.11.
+1 Yes please release v2.2.7 to fix this issue.
Do you still support Cocos Studio 1.x on 3.11?
I’m waiting a response in this post:
Our game was created using Cocos Studio 1.6 and we need a confirmation to upgrade the engine.
browse to “arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-attackers-to-decrypt-https-traffic/”
above link included in google email, on last paragraph:
People using OpenSSL version 1.0.2 should upgrade to 1.0.2f, while those still using version 1.0.1 should install 1.0.1r. Thursday’s OpenSSL advisory also reminded users that support for version 1.0.1 will end at the end of this year, after which no security fixes will be available. Support for versions 0.9.8 and 1.0.0 ended in December.
should cocos2d-x libcurl upgraded to 1.0.2?
@patriciog I think you just need to replace libcurl or OpenSSL.
@leledumbo549 I think we should update to v1.0.2f.
I can’t find the warning in my Google Play Developer console.
Sure, I got that email too but I can’t see
the warning anywhere in the console.
Then…
Let me know if you need more info about we are using.
Best and Thanks!
OpenSSL, it is used by libcurl.
I think yes, because we don’t have to upgrade libcurl.
Yep, because libcurl uses OpenSSL.
Hello @zhangxm , we have many games in Cocos2dx 2.2.6 and some games in Cocos2dx 3.8.1 , now i got warning in all cocos2dx 2.2.6 games but not in 3.8.1 games, So what is the best solution to solve this issue ? , Somehow we are thinking to migrate latest version of cocos2dx in all games .
2.2.7 pleeeeeease…
You know you can compile libcurl without ssl
./configure --without-ssl
https://curl.haxx.se/docs/install.html
@Meir_yanovich Yep, libcurl can be compiled without ssl, but developers ask for the feature for libcurl.
@maklaus Yep, i think we need to release v2.2.7 or just give a libcurl for v2.x then you can just replace the libcurl.
@zhangxm
keep 2 versions of curl in the external\curl\prebuild
leave to the developer the option to chose in console script or something .
Sounds a good idea. I think we can do like this in future, may be v3.12.
Hi @zhangxm:
We have only Windows machines and README of cocos2d-x 3rd party libs says it:
Note:
We use MacOSX to build all the static libraries for iOS, Android, Mac and Tizen.
We use Ubuntu to build all the static libraries for Linux.
Windows is not supported yet
Other configuration were not tested. Compiling the Android binaries from a Linux or Windows machine were not tested, so we don’t know if it works or not.
So… How can we build curl? I see the folder frameworks\js-bindings\cocos2d-x\external\curl\prebuilt\android
but I don’t know how generate this libraries.
Could someone with cocos2d-js 3.6.1 help me, please?
Thanks in advance!
Was wondering what that warning was about! My app doesn’t even connect to the internet
I think for many people it will be a bit difficult to upgrade to the latest version of cocos2d-x in order to solve this. Can we remove OpenSSL from the build script in older versions?
hello zhangxm
my project v2.2.2 i replace libcurl.a in 2014 but same problem again … i need new libcurl.a , how can i get new libcurl.a ?
have any download place new prebuilt libs for v2 down ?