[Resolved] Security problem with OpenSSL, app can be removed on Google Play whenever

I have updated ssl to v1.0.1e. You guys can download them here.

I will update https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin soon.

Could somebody help check whether it can pass through Google Play?
Thanks.

1 Like

Some developer said v1.0.1h is needed.
So I had to update to v1.0.1h.

It is done. https://github.com/minggo/libcurl-build/tree/master/prebuild-with-ssl is updated to v1.0.1h.
And I will post it to https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin after it is confirmed.

https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin is updated too.
But you can just download zip files of updated curl here for convenience.

Anyone who can help to verify if it can pass through google play is appreciated.

2 Likes

Thanks for your attention.

I will apply this update and verify if it can pass through Google Play ASAP.

But I think this problem can occur on all platforms. Why is there only an update for Android?

And how to rebuild this lib?

Thanks

@zhangxm I uploaded an APK with your precompiled libs and my update went through fine.

*Btw: You can verify the version of OpenSSL your app is running by using BlueBox's Heartbleed Scanner. Ignore the "Passed" indicator, as this new vulnerability isn't Heartbleed; we're just looking at the version number here: compare the version of your ssl before and after you replace it with @zhangxm's static lib.*

@forget721
We will update iOS lib today or tomorrow.
Now iOS and Android are in different repos. And because curl building is complex, we will try to unify them and add a link here.

@Jgod
Thanks for your feedback.

I don't know exactly how to apply the fix. I am using cocos2d-x-2.2.3; to fix this issue, which folder should I copy and replace in cocos2d-x-2.2.3?

Interestingly, I used the suggested app to test mine and all of them passed even though they are listed as using OpenSSL 1.0.0 (it did say “heartbeats: off”). I wonder if Google just saw that it was using an old version and flagged it regardless of whether it was actually an issue.

I edited my post to make it more clear, but this new vulnerability Google flags as dangerous isn’t Heartbleed. We’re just using that app to get the version number of SSL to verify that a high enough version (that fixes the issue) was bundled with the app.

tldr: ignore the “passed” flag.

Which files should I update?

We just received this warning for 4 of our Android apps running cocos2d-x 2.2.1. We have replaced the curl folder with the new .a files as described here http://cocos2d-x.org/news/286 . However, the Heartbleed scanner still says version 1.0.0a (except for one app, which says it's 1.0.1h).
I have tried cleaning/deleting files and rebuilding multiple times in Android, but the remaining 2 apps still show 1.0.0a.

Any help?

I am facing the same issue as @Smartgames.

Get the following result:
OpenSSLDie
DH_OpenSSL
DSA_OpenSSL
ECDH_OpenSSL
ECDSA_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
UI_OpenSSL
could not parse PKCS12 file, check password, OpenSSL error %s
OpenSSL/%lx.%lx.%lx%s
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL 1.0.0a 1 Jun 2010
OpenSSL default
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL ‘dlfcn’ shared library method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL default user interface
AES part of OpenSSL 1.0.0a 1 Jun 2010
ASN.1 part of OpenSSL 1.0.0a 1 Jun 2010
Blowfish part of OpenSSL 1.0.0a 1 Jun 2010
Big Number part of OpenSSL 1.0.0a 1 Jun 2010
CONF_def part of OpenSSL 1.0.0a 1 Jun 2010
CONF part of OpenSSL 1.0.0a 1 Jun 2010
DES part of OpenSSL 1.0.0a 1 Jun 2010
libdes part of OpenSSL 1.0.0a 1 Jun 2010
Diffie-Hellman part of OpenSSL 1.0.0a 1 Jun 2010
DSA part of OpenSSL 1.0.0a 1 Jun 2010
^ECDH part of OpenSSL 1.0.0a 1 Jun 2010
ECDSA part of OpenSSL 1.0.0a 1 Jun 2010
EVP part of OpenSSL 1.0.0a 1 Jun 2010
lhash part of OpenSSL 1.0.0a 1 Jun 2010
MD4 part of OpenSSL 1.0.0a 1 Jun 2010
MD5 part of OpenSSL 1.0.0a 1 Jun 2010
PEM part of OpenSSL 1.0.0a 1 Jun 2010
RAND part of OpenSSL 1.0.0a 1 Jun 2010
RC2 part of OpenSSL 1.0.0a 1 Jun 2010
RC4 part of OpenSSL 1.0.0a 1 Jun 2010
RIPE-MD160 part of OpenSSL 1.0.0a 1 Jun 2010
RSA part of OpenSSL 1.0.0a 1 Jun 2010
SHA1 part of OpenSSL 1.0.0a 1 Jun 2010
SHA-256 part of OpenSSL 1.0.0a 1 Jun 2010
SHA-512 part of OpenSSL 1.0.0a 1 Jun 2010
Stack part of OpenSSL 1.0.0a 1 Jun 2010
TXT_DB part of OpenSSL 1.0.0a 1 Jun 2010
X.509 part of OpenSSL 1.0.0a 1 Jun 2010
SSLv2 part of OpenSSL 1.0.0a 1 Jun 2010
SSLv3 part of OpenSSL 1.0.0a 1 Jun 2010
TLSv1 part of OpenSSL 1.0.0a 1 Jun 2010
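The strings dump above shows the banner OpenSSL compiles into libcrypto/libssl ("OpenSSL 1.0.0a 1 Jun 2010"), which is also what the Heartbleed scanner reads out. The script below is an added example, not part of this thread or of cocos2d-x: it scans one or more binaries (the curl .a files, an extracted .so, or an unpacked APK) for every such banner, compares each against a minimum version, and reports any file still carrying an old OpenSSL. Reporting all distinct versions per file is deliberate, since the "still shows 1.0.0a after replacing the libs" reports above are exactly the case where a stale copy survives somewhere in the build. The sample byte strings are constructed for the example; the file names in the usage line are placeholders.

```python
import re
import sys
from typing import Dict, List, Tuple

# OpenSSL embeds a banner like "OpenSSL 1.0.0a 1 Jun 2010" in its libraries.
# Require "OpenSSL <major>.<minor>.<fix><letters> <digit>" so that format
# strings such as "OpenSSL/%lx.%lx.%lx%s" (also in the dump) are not matched.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) \d")


def parse_version(tag: str) -> Tuple[int, int, int, str]:
    """Turn '1.0.1h' into (1, 0, 1, 'h') so tuples compare in release order.
    A base release ('1.0.1') sorts before its lettered patches ('1.0.1a')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", tag)
    if m is None:
        raise ValueError(f"not an OpenSSL version tag: {tag!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def find_openssl_versions(blob: bytes) -> Dict[str, int]:
    """Every distinct OpenSSL version banner in a binary, with occurrence counts."""
    counts: Dict[str, int] = {}
    for m in BANNER_RE.finditer(blob):
        tag = m.group(1).decode("ascii")
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def check_blob(blob: bytes, minimum: str = "1.0.1h") -> dict:
    """Report the versions found, which of them are below `minimum`, and an
    overall verdict. A binary with no banner at all is reported as not ok,
    because then nothing has been verified."""
    floor = parse_version(minimum)
    found = find_openssl_versions(blob)
    outdated = sorted(v for v in found if parse_version(v) < floor)
    return {
        "versions": sorted(found),
        "outdated": outdated,
        "ok": bool(found) and not outdated,
    }


def check_files(paths: List[str], minimum: str = "1.0.1h") -> Dict[str, dict]:
    """Run check_blob over each file on disk; the per-file result shows which
    library (or which lib in an unpacked APK) still carries an old OpenSSL."""
    return {p: check_blob(open(p, "rb").read(), minimum) for p in paths}


# Constructed sample data modelled on the strings dump in this thread: an old
# libcurl/OpenSSL blob, a rebuilt one, and a stale build that contains both.
OLD_LIB = (b"\x00OpenSSL 1.0.0a 1 Jun 2010\x00"
           b"AES part of OpenSSL 1.0.0a 1 Jun 2010\x00"
           b"OpenSSL/%lx.%lx.%lx%s\x00")
NEW_LIB = (b"\x00OpenSSL 1.0.1j 15 Oct 2014\x00"
           b"SHA1 part of OpenSSL 1.0.1j 15 Oct 2014\x00")
STALE_BUILD = OLD_LIB + NEW_LIB

if __name__ == "__main__":
    # Usage: python check_openssl_version.py libcurl.a libcrypto.a libssl.a
    # (placeholder file names). With no arguments, run on the constructed samples.
    if len(sys.argv) > 1:
        results = check_files(sys.argv[1:])
    else:
        results = {"OLD_LIB": check_blob(OLD_LIB),
                   "NEW_LIB": check_blob(NEW_LIB),
                   "STALE_BUILD": check_blob(STALE_BUILD)}
    for name, r in results.items():
        verdict = "OK" if r["ok"] else "OUTDATED/UNVERIFIED"
        print(f"{name}: {verdict}; found {r['versions']}, below minimum {r['outdated']}")
```

Run it over the three .a files in the curl folder after the replacement, then over the libs inside the built APK: if the .a files are clean but the APK still reports 1.0.0a, the old library is coming from somewhere else in the link (another prebuilt that bundles OpenSSL, or an object cache that was not cleaned), which is the situation several posts above describe.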

Hi zhangxm,

I also tried all the things you mentioned.

  • Replaced the curl file.
  • Deleted/Added files and rebuilt.
  • Uploaded the apk onto the Google Play store account.

But still it is showing the same error. Please help.

Hi guys,

We updated openssl to v1.0.1j for libcurl in v3.4. You can find it in latest version of 3rd party bin.

As you can see, now there are 3 libs in the curl folder.

If the libcurl in v3.4 is working for you, please let me know.
Thanks.

Hi ,

I have replaced my curl from the mentioned link :smile:


Also I replaced the new libs added in the curl folder. Now I have 3 libs in the curl folder and rebuilt the project, but I am still getting the same SSL error.
Here I am attaching the snapshot:

It works for me. Mine is quick-cocos2dx 2.2.1. I first got a warning from Google Play and updated the OpenSSL to v1.0.1h, but it still got the warning. Yesterday I got v1.0.1j and it passed Google Play. Thx