OpenSSL problem again

zhangxm · April 1, 2016, 10:38am

OpenSSL, it is used by libcurl.

I think yes, because we don’t have to upgrade libcurl.

Yep, because libcurl uses OpenSSL.

arthisoft · April 1, 2016, 11:42am

Hello @zhangxm , we have many games in Cocos2dx 2.2.6 and some games in Cocos2dx 3.8.1 , now i got warning in all cocos2dx 2.2.6 games but not in 3.8.1 games, So what is the best solution to solve this issue ? , Somehow we are thinking to migrate latest version of cocos2dx in all games .

maklaus · April 1, 2016, 12:02pm

2.2.7 pleeeeeease…

Meir_yanovich · April 1, 2016, 12:17pm

You know you can compile libcurl without ssl
./configure --without-ssl
https://curl.haxx.se/docs/install.html

zhangxm · April 1, 2016, 2:28pm

@Meir_yanovich Yep, libcurl can be compiled without ssl, but developers ask for the feature for libcurl.

@maklaus Yep, i think we need to release v2.2.7 or just give a libcurl for v2.x then you can just replace the libcurl.

Meir_yanovich · April 1, 2016, 3:00pm

@zhangxm
keep 2 versions of curl in the external\curl\prebuild
leave to the developer the option to chose in console script or something .

zhangxm · April 1, 2016, 3:13pm

Sounds a good idea. I think we can do like this in future, may be v3.12.

patriciog · April 1, 2016, 8:39pm

Hi @zhangxm:

We have only Windows machines and README of cocos2d-x 3rd party libs says it:

Note:

We use MacOSX to build all the static libraries for iOS, Android, Mac and Tizen.

We use Ubuntu to build all the static libraries for Linux.

Windows is not supported yet

Other configuration were not tested. Compiling the Android binaries from a Linux or Windows machine were not tested, so we don’t know if it works or not.

So… How can we build curl? I see the folder frameworks\js-bindings\cocos2d-x\external\curl\prebuilt\android but I don’t know how generate this libraries.

Could someone with cocos2d-js 3.6.1 help me, please?

Thanks in advance!

nialldeasy · April 2, 2016, 12:37am

Was wondering what that warning was about! My app doesn’t even connect to the internet

I think for many people it will be a bit difficult to upgrade to the latest version of cocos2d-x in order to solve this. Can we remove OpenSSL from the build script in older versions?

zet · April 2, 2016, 2:38am

hello zhangxm
my project v2.2.2 i replace libcurl.a in 2014 but same problem again … i need new libcurl.a , how can i get new libcurl.a ?

have any download place new prebuilt libs for v2 down ?

zhangxm · April 2, 2016, 8:16am

@patriciog The source code of 3rd libraries are here: https://github.com/cocos2d/cocos2d-x-3rd-party-libs-src. But we should upgrade OpenSSL.

@nialldeasy @zet I think libcurl can used no matter the version of cocos2d-x if we provide the source code and building script. So after we upgrade the 3rd-party-libs-src, then developers can use it to build libcurl. Of course, we will build a default version and put it in https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin.

gejza · April 2, 2016, 9:06am

Is there some date when will be 3.11 available? Thanks

1023400273 · April 2, 2016, 9:09am

Got the same email too:

Your app(s) listed at the end of this email utilize a version of OpenSSL that contains one or more security vulnerabilities. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL. If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.

patriciog · April 2, 2016, 9:52am

I understood you now:

Repository with 3rd party libraries (for this matter): https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin
Reporitory with tools to manage (create/update) these 3rd party libraries: https://github.com/cocos2d/cocos2d-x-3rd-party-libs-src

Then I look forward to the -bin repository upgrade.

After replace frameworks[\js-bindings]\cocos2d-x\external\curl, would we need something else to solve the issue?

Thanks @zhangxm.

festival · April 2, 2016, 12:01pm

Waiting for the new libcurl binary for Android too. Thanks for the quick work

RogueProgrammer · April 3, 2016, 1:39am

You aren’t looking at the full version; there is a letter after the numerical version #. It has version 1.01h or something like that, but it needs to be 1.01r or newer.

Woodyx · April 3, 2016, 1:50am

I’m using cocos2dx 3.8.1 too, but I don’t receive any warning emails from GG. I tried testing my APK with this command:
unzip -p Test.apk | strings | grep “OpenSSL”

Result:

I think GmsCore_OpenSSL is in Google Play Service.

Nargis · April 4, 2016, 3:56am

How to update OpenSSL in curl? Have anyone solved this problem yet?

abhinav · April 4, 2016, 6:15am

When is the schedule date of release of 3.11 version with the OpenSSL fix?

davidejones88 · April 4, 2016, 11:37am

Hi there!

Same warning here from Google. I am using 3.9, can I update/replace the bad lib WITHOUT upgrading the engine? If so, how?
That would be really neat.

Davide.