OpenSSL problem again

@ricardo, has v3.11 already fixed it?

I have created an issue: https://github.com/cocos2d/cocos2d-x/issues/15359.

If you want to check it:
$ unzip -p YourApp.apk | strings | grep "OpenSSL"

Or like this, it’s nice:

#!/bin/bash

# USAGE: testopenssl.sh APK_File

sslworkdir="ssl_work_dir"
# Create the scratch directory the APK is unpacked into
mkdir -p "$sslworkdir"
unzip -q "$1" -d "$sslworkdir"
# Split command output on newlines only, so banners containing spaces stay whole
IFS=$'\r\n'
# Create an array of OpenSSL version strings, e.g. "OpenSSL 1.0.1l 15 Jan 2015"
# (POSIX character classes are used because grep -E does not understand \d)
opensslarr=($(grep -E --binary-files=text -o -R -e "OpenSSL[[:space:]][0-9]+\.[0-9]+\.[0-9]+[[:alnum:]]*[[:space:]][0-9]+[[:space:]][[:alnum:]]+[[:space:]][0-9]+" "$sslworkdir"))
if [ ${#opensslarr[@]} -gt 0 ]; then
    echo "Found OpenSSL versions"
    printf "%s\n" "${opensslarr[@]}"
    # Look for the heartbeat functions by symbol name
    heartbeatarr=($(grep -R -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_heartbeat)" "$sslworkdir"))
    if [ ${#heartbeatarr[@]} -gt 0 ]; then
        echo "Files that contain heartbeat methods:"
        printf "%s\n" "${heartbeatarr[@]}"
    else
        echo "No libraries contain heartbeat methods"
    fi
else
    echo "Did not find OpenSSL"
fi
# Remove the scratch directory
rm -rf "$sslworkdir"

Thanks devs!

@zhangxm I think we are using "1.0.1l" for v3.11, and we should use 1.0.1r or higher.
So, it is not fixed in v3.11.

@ricardo Got it. I think we can upgrade to latest version if possible.

+1 Yes please release v2.2.7 to fix this issue.

Hi @ricardo and @zhangxm:

Do you still support Cocos Studio 1.x on 3.11?

I’m waiting for a response in this post:

Our game was created using Cocos Studio 1.6 and we need a confirmation to upgrade the engine.

Browse to arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-attackers-to-decrypt-https-traffic/
The above link was included in the Google email. In its last paragraph:

People using OpenSSL version 1.0.2 should upgrade to 1.0.2f, while those still using version 1.0.1 should install 1.0.1r. Thursday’s OpenSSL advisory also reminded users that support for version 1.0.1 will end at the end of this year, after which no security fixes will be available. Support for versions 0.9.8 and 1.0.0 ended in December.

Should cocos2d-x libcurl be upgraded to 1.0.2?
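
As an added example (not part of the thread or of cocos2d-x): a POSIX shell script that pulls OpenSSL banners out of an APK and compares each against the fixed releases quoted above (1.0.1r and 1.0.2f). The function names, verdict labels and sample bytes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Thresholds are the releases quoted
# in the thread: 1.0.1r and 1.0.2f; 0.9.8 and 1.0.0 are out of support.

# min_fixed BRANCH: first fixed patch letter, UNSUPPORTED, or empty if unknown.
min_fixed() {
    case "$1" in
        1.0.1) echo r ;;
        1.0.2) echo f ;;
        0.9.8|1.0.0) echo UNSUPPORTED ;;
        *) : ;;
    esac
}

# classify_version VERSION (e.g. 1.0.1l): print OK, OUTDATED, UNSUPPORTED or UNKNOWN.
classify_version() {
    branch=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[a-z]*$/\1/p')
    letter=$(printf '%s\n' "$1" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*\([a-z]*\)$/\1/p')
    min=$(min_fixed "$branch")
    case "$min" in
        "") echo UNKNOWN; return ;;
        UNSUPPORTED) echo UNSUPPORTED; return ;;
    esac
    # Patch letters order as plain strings: "" < a < ... < z < za < zb.
    if awk -v a="$letter" -v b="$min" 'BEGIN { exit !((a "") < (b "")) }'; then
        echo OUTDATED
    else
        echo OK
    fi
}

# scan_stream: read raw bytes on stdin, print "VERSION VERDICT" per unique banner.
scan_stream() {
    LC_ALL=C grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' |
        LC_ALL=C sort -u |
        while read -r name ver; do
            printf '%s %s\n' "$ver" "$(classify_version "$ver")"
        done
}

if [ "$#" -ge 1 ]; then
    unzip -p "$1" | scan_stream        # real APK given on the command line
else
    # Constructed sample bytes standing in for a native library's contents.
    printf 'ELF\001 OpenSSL 1.0.1l 15 Jan 2015\nOpenSSL 1.0.2f 28 Jan 2016\n' | scan_stream
fi
```

A version with no patch letter (for example 1.0.2) is treated as older than any lettered release on the same branch, and branches the thread gives no fixed release for are reported as UNKNOWN.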

@patriciog I think you just need to replace libcurl or OpenSSL.

@leledumbo549 I think we should update to v1.0.2f.

I can’t find the warning in my Google Play Developer console.
Sure, I got that email too but I can’t see the warning anywhere in the console.

Then…

  • What should be replaced, libcurl or OpenSSL?
  • Both of them?
  • Are they compatible with Cocos2d-js 3.6.1?
  • We are using AssetManager. Will it be affected?

Let me know if you need more info about what we are using.

Best and Thanks!

OpenSSL, it is used by libcurl.

I think yes, because we don’t have to upgrade libcurl.

Yep, because libcurl uses OpenSSL.

Hello @zhangxm, we have many games in Cocos2dx 2.2.6 and some games in Cocos2dx 3.8.1. Now I got the warning in all Cocos2dx 2.2.6 games but not in the 3.8.1 games, so what is the best solution to solve this issue? Somehow we are thinking of migrating to the latest version of cocos2dx in all games.

2.2.7 pleeeeeease… :cry:

You know you can compile libcurl without ssl
./configure --without-ssl
https://curl.haxx.se/docs/install.html

@Meir_yanovich Yep, libcurl can be compiled without ssl, but developers ask for the feature for libcurl.

@maklaus Yep, I think we need to release v2.2.7 or just give a libcurl for v2.x, then you can just replace the libcurl.

@zhangxm
Keep 2 versions of curl in the external\curl\prebuild
and leave to the developer the option to choose in a console script or something.

Sounds like a good idea. I think we can do it like this in the future, maybe v3.12.

Hi @zhangxm:

We have only Windows machines, and the README of the cocos2d-x 3rd party libs says:

Note:

We use MacOSX to build all the static libraries for iOS, Android, Mac and Tizen.

We use Ubuntu to build all the static libraries for Linux.

Windows is not supported yet

Other configuration were not tested. Compiling the Android binaries from a Linux or Windows machine were not tested, so we don’t know if it works or not.

So… How can we build curl? I see the folder frameworks\js-bindings\cocos2d-x\external\curl\prebuilt\android but I don’t know how to generate these libraries.

Could someone with cocos2d-js 3.6.1 help me, please?

Thanks in advance!

Was wondering what that warning was about! My app doesn’t even connect to the internet :smile:

I think for many people it will be a bit difficult to upgrade to the latest version of cocos2d-x in order to solve this. Can we remove OpenSSL from the build script in older versions?

Hello zhangxm,
My project is v2.2.2. I replaced libcurl.a in 2014 but have the same problem again … I need a new libcurl.a. How can I get a new libcurl.a?

Is there any place to download new prebuilt libs for v2?
