OpenSSL 1.0 deprecation

When we released Sailfish OS 4.0.1 (Koli), we upgraded our OpenSSL libraries to version 1.1. At the same time we deprecated OpenSSL 1.0 libraries. Like mentioned in the community IRC meeting at the time, the old libraries will be removed from Sailfish OS - which means that all apps which still link against them will stop working on the new versions of Sailfish OS without the library.

While we haven’t yet decided which exact Sailfish OS release will remove the old libraries, it is quite clear that the time is approaching. Therefore we would like to ask those app developers who still use the old libraries to move their apps to the new libraries. It should be also noted, that the security vulnerabilities in the OpenSSL 1.0 libraries are not getting fixed, so using them might cause your app to be vulnerable.

4 Likes

You probably already thought of this… but:
Wouldn’t it be good if you emailed everyone who has an app in store that does this still?

3 Likes

Yes and yes :slight_smile: I’ll do just that.

2 Likes

Thanks for announcing this!

Ville, please publish the list of apps in the Jolla Store which are linked against libcrypto.so.10. Users should be prepared for those apps to silently disappear after the OS upgrade.

2 Likes

There’s still plenty of time for the app developers to update their apps, so publishing such a list would be premature. Let’s consider that again when we are closer to the release of the version which doesn’t have the old libraries.

To find endangered binaries on your own system(s), you can run something like this:

#!/usr/bin/env bash

i=0
spinner="/|\\-/|\\-"

printf "scanning the gibson... "
for b in $( find /usr/*bin/* /usr/lib*/* /usr/share/* -type f -executable 2>/dev/null )
do
  # test for linkage
  if [[ $( ldd ${b} 2>/dev/null | grep -c -e 'libcrypto\.so\.1\.0' -e 'libssl\.so\.1\.0' ) -ne 0 ]] ; then
    printf "\n\tCheck: %s from package %s links against openssl 1.0 \n" ${b} $(rpm -qf ${b})
    continue
  else
    printf "\010" # spinner again
  fi
  # draw an unnecessary spinner
  printf "%s" "${spinner:$i:1}"
  i=$((i+1))
  if [[ $i -gt 7 ]]; then i=0 ; fi
done
2 Likes

ldd is printing all required libraries recursive, so this could actually print out things that are only dragged in by a shared library. While this is probably mostly wanted here: an alternative would be to use something like

objdump -p "${b}" | egrep 'NEEDED.*lib(crypto|ssl)\.so\.1\.0'
1 Like