OpenSSL 1.0 deprecation

When we released Sailfish OS 4.0.1 (Koli), we upgraded our OpenSSL libraries to version 1.1. At the same time we deprecated the OpenSSL 1.0 libraries. As mentioned in the community IRC meeting at the time, the old libraries will be removed from Sailfish OS, which means that all apps which still link against them will stop working on the new versions of Sailfish OS without the library.

While we haven't yet decided which exact Sailfish OS release will remove the old libraries, it is quite clear that the time is approaching. Therefore we would like to ask those app developers who still use the old libraries to move their apps to the new libraries. It should also be noted that security vulnerabilities in the OpenSSL 1.0 libraries are not getting fixed, so using them might leave your app vulnerable.

4 Likes

You probably already thought of this… but:
Wouldn’t it be good if you emailed everyone who has an app in store that does this still?

3 Likes

Yes and yes :) I'll do just that.

2 Likes

Thanks for announcing this!

Ville, please publish the list of apps in the Jolla Store which are linked against libcrypto.so.10. Users should be prepared for those apps to silently disappear after the OS upgrade.

5 Likes

There’s still plenty of time for the app developers to update their apps, so publishing such a list would be premature. Let’s consider that again when we are closer to the release of the version which doesn’t have the old libraries.

1 Like

To find endangered binaries on your own system(s), you can run something like this:

#!/usr/bin/env bash
# Find installed binaries and libraries that (directly or transitively)
# link against OpenSSL 1.0. Both soname spellings are matched:
# libcrypto.so.1.0.x and libcrypto.so.10 (likewise libssl).
# Note: ldd may run the target's dynamic loader, so only point this at
# trusted files.

i=0
spinner="/|\\-/|\\-"

printf "scanning the gibson... "
# -print0 / read -d '' keeps paths with spaces intact
find /usr/*bin /usr/lib* /usr/share -type f -executable -print0 2>/dev/null |
while IFS= read -r -d '' b
do
  # test for linkage
  if ldd "${b}" 2>/dev/null | grep -q -E 'lib(crypto|ssl)\.so\.1(\.0|0)' ; then
    printf "\n\tCheck: %s from package %s links against openssl 1.0 \n" \
      "${b}" "$(rpm -qf "${b}" 2>/dev/null | head -n 1)"
    continue
  else
    printf "\010" # erase the previous spinner character
  fi
  # draw an unnecessary spinner
  printf "%s" "${spinner:$i:1}"
  i=$((i+1))
  if [[ $i -gt 7 ]]; then i=0 ; fi
done
printf "\n"
2 Likes

ldd prints all required libraries recursively, so this could actually print out things that are only dragged in by a shared library. While this is probably mostly what is wanted here, an alternative would be to use something like

objdump -p "${b}" | grep -E 'NEEDED.*lib(crypto|ssl)\.so\.1(\.0|0)'
3 Likes
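Building on the two approaches above, here is an added example (not code from anyone in this thread) that tells the two cases apart: a binary that links OpenSSL 1.0 directly (its own NEEDED entries, as shown by objdump -p) versus one that only pulls it in transitively (visible in ldd, which resolves the whole dependency tree), versus one that is clean. The function names (direct_needed, all_needed, classify, scan) and the objdump/ldd sample output embedded below are constructed for illustration and were not captured from a real device; the soname pattern covers both libcrypto.so.1.0.x and libcrypto.so.10 spellings.

```shell
#!/bin/sh
# Classify OpenSSL 1.0 linkage as direct, transitive or clean.
# Helper names and sample data are constructed for this example.

# Matches libcrypto/libssl .so.1.0, .so.1.0.x and .so.10, but not .so.1.1
OPENSSL10_RE='lib(crypto|ssl)\.so\.1(\.0|0)([^0-9]|$)'

# stdin: `objdump -p` output  ->  the binary's own NEEDED sonames, one per line
direct_needed() {
  awk '$1 == "NEEDED" { print $2 }'
}

# stdin: `ldd` output  ->  every resolved soname (the full dependency tree)
all_needed() {
  awk 'NF { print $1 }'
}

# classify <direct sonames> <full soname list>  ->  direct | transitive | clean
classify() {
  if printf '%s\n' "$1" | grep -q -E "$OPENSSL10_RE"; then
    echo direct
  elif printf '%s\n' "$2" | grep -q -E "$OPENSSL10_RE"; then
    echo transitive
  else
    echo clean
  fi
}

# scan <path>: run the real tools on an installed binary or library.
# Caveat: ldd may execute the target's dynamic loader; only scan trusted files.
scan() {
  scan_direct=$(objdump -p "$1" 2>/dev/null | direct_needed)
  scan_full=$(ldd "$1" 2>/dev/null | all_needed)
  printf '%s\t%s\n' "$(classify "$scan_direct" "$scan_full")" "$1"
}

# Constructed sample: the app itself needs libfoo.so.1, and only libfoo
# drags in libcrypto.so.10, so the verdict is "transitive".
SAMPLE_OBJDUMP='Dynamic Section:
  NEEDED               libQt5Core.so.5
  NEEDED               libfoo.so.1
  NEEDED               libc.so.6'
SAMPLE_LDD='  libQt5Core.so.5 => /usr/lib/libQt5Core.so.5 (0x00000000)
  libfoo.so.1 => /usr/lib/libfoo.so.1 (0x00000000)
  libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x00000000)
  libc.so.6 => /lib/libc.so.6 (0x00000000)'

if [ $# -gt 0 ]; then
  # usage: ./classify.sh /usr/bin/harbour-someapp /usr/lib/libsomething.so
  for b in "$@"; do scan "$b"; done
else
  classify "$(printf '%s\n' "$SAMPLE_OBJDUMP" | direct_needed)" \
           "$(printf '%s\n' "$SAMPLE_LDD" | all_needed)"
fi
```

Run with no arguments it evaluates the embedded sample and prints "transitive"; with paths it runs objdump and ldd on each file. A "direct" verdict is the one an app developer has to act on by relinking against OpenSSL 1.1; "transitive" points at a dependency that needs the same treatment first.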

Bumping this topic a bit:

Our next release (4.3.0) will no longer ship OpenSSL 1.0 libraries. So, if you are a maintainer of an app which uses OpenSSL 1.0 libraries, now is the time to upgrade to OpenSSL 1.1.

6 Likes

Apps using QNetworkAccessManager, XmlHttpRequest or other framework functions won’t be affected by this, right?

Right, you are only affected if you link to the OpenSSL libraries directly.

1 Like