4

I'm developing a Qt-based app for Android, which uses QSslSocket to download data. Due to Android's moving away from OpenSSL to BoringSSL since Marshmallow Qt programs, relying on the OpenSSL library, produce the following warnings on Android 6+:

 W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot resolve CRYPTO_free W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot resolve EVP_CipherFinal W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot resolve EVP_rc2_cbc W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot resolve SSLv2_client_method W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot resolve SSLv2_server_method W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot resolve OPENSSL_add_all_algorithms_noconf W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot resolve OPENSSL_add_all_algorithms_conf W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot resolve EC_get_builtin_curves W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot call unresolved function OPENSSL_add_all_algorithms_conf W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot call unresolved function EC_get_builtin_curves W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot call unresolved function EC_get_builtin_curves W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: could not set SSL_CTRL_SET_TLSEXT_HOSTNAME, Server Name Indication disabled W libtestopenssl.so: (null):0 ((null)): qt.network.ssl: QSslSocket: cannot call unresolved function CRYPTO_free

However, the socket itself successfully connects to a remote host and reads data from there without any visible issues. That makes me wonder whether I need to build the OpenSSL library myself and package it or it is fine to use BoringSSL provided by the platform.

I've also come to notice that the app on Android versions below 6 tends to use the system version of OpenSSL even if I provide my own one. I tried adding the built libssl.so and libcrypto.so (renamed from libssl.so.1.0.0 and libcrypto.so.1.0.0) with ANDROID_EXTRA_LIBS (not sure whether LIBS+= needs to be used too) and even statically linking libssl.a and libcrypto.a. Still QSslSocket::sslLibraryVersionString() returns the version available on the platform.

My questions are:

  1. Do I need to build the OpenSSL library myself and package it or it is fine to use the library provided by the platform?
  2. If I do, how to make Android recognize libssl.so and libcrypto.so?
Improve this question
3
  • 1
    What are your questions? Commented Feb 24, 2017 at 21:58
  • First of all, do I need to build the OpenSSL library myself and package it or it is fine to use the library provided by the platform? If I do, how to make Android recognize libssl.so and libcrypto.so? Commented Feb 25, 2017 at 6:25
  • You should build them and ship with application. Older Android uses openssl 0.9 that is incompatible with 1.0. Unfortunately, android is not that easy, and even if you ship openssl, it will try to start platform one first. I have the same problem right now, and from what i think the only resolution would be to build own QT with statically linked openssl. Commented Mar 15, 2017 at 14:22

1 Answer 1

Reset to default
2

1. Do I need to build the OpenSSL library myself and package it or it is fine to use the library provided by the platform?

  • Yes - you should build OpenSSL and package it.

https://developer.android.com/about/versions/nougat/android-7.0-changes.html

Starting in Android 7.0, the system prevents apps from dynamically linking against non-NDK libraries, which may cause your app to crash. This change in behavior aims to create a consistent app experience across platform updates and different devices.

  • Using the installed BoringSSL might work for now, but it is recommended that the app brings it's own OpenSSL library.
  • Otherwise your user will see a warning message pop up, and the app might not work on later Android versions.

In order to reduce the impact that this restriction may have on currently released apps, a set of libraries that see significant use—such as libandroid_runtime.so, libcutils.so, libcrypto.so, and libssl.so—are temporarily accessible on Android 7.0 (API level 24) for apps targeting API level 23 or lower. If your app loads one of these libraries, logcat generates a warning and a toast appears on the target device to notify you. If you see these warnings, you should update your app to either include its own copy of those libraries or only use the public NDK APIs. Future releases of the Android platform may restrict the use of private libraries altogether and cause your app to crash.

2. If I do, how to make Android recognize libssl.so and libcrypto.so?

  • I succeded mostly following the steps outlined here: http://doc.qt.io/qt-5/opensslsupport.html

  • But make sure you got the right version: openssl-1.1.0f.tar.gz seems to be incompatible with Qt 5.9 and my app didn't load the libs.

  • compile for desktop and call QSslSocket::sslLibraryVersionString() to see which OpenSSL version your Qt uses. For me it showed "OpenSSL 1.0.1t 3 May 2016"
  • Tag "OpenSSL_1_0_1t" in the git repo worked for me with Qt 5.9.1
  • openssl-1.0.2l.tar.gz from openssl.org also worked with Qt 5.9.1

I used API level 19. Once I've tested with API level 23 or 25 I'll update this answer.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.