问题
I have an app on Google play store. Recently i got a mail subjected:
Google Play 60-day deadline for resolving OpenSSL vulnerabilities
It states that i'm using a version of OpenSSL, which is vulnerable to some issues. However, i'm not using OpenSSL directly. I'm using OpenTok library for Video chatting feature, which internally uses OpenSSL. I'm currently using openTok SDK version 2.3.1. But according to this link http://www.tokbox.com/blog/mobile-sdks-2-2-1-resolve-openssl-vulnerability/ all OpenSSL vulnerabilities were solved from SDK version 2.2.1 onwards. (I'm currently using 2.3.1, which came must later after 2.2.1)
I used the below command on my android application (APK file):
$ unzip -p YourApp.apk | strings | grep "OpenSSL"
I got the below logs:
"OpenSSL"
GmsCore_OpenSSL
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::Error(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE,
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::Write(
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default user interface
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::Error(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE,
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::Write(
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default user interface
From the above logs i get a confirmation that in my current apk, OpenTok is using OpenSSL OpenSSL 1.0.1e.
Hence i have update the OpenTok library with the latest version which comes with opentok-android-sdk-2.5.0
. After integrating/updating to the new library, i execute the below command:
$ unzip -p YourApp.apk | strings | grep "OpenSSL"
Below are the logs for the APK with update OpenTok library:
"OpenSSL"
GmsCore_OpenSSL
OpenSSL EC algorithm
OpenSSL HMAC method
OpenSSL RSA method
OpenSSLAdapter::Error(
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::Write(
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE,
OpenSSL EC algorithm
OpenSSL HMAC method
OpenSSL RSA method
OpenSSLAdapter::Error(
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::Write(
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE,
Here, we do not see any version of OpenSSL in the obtained logs.
So my questions are:
- Does it now mean that if i update this new APK on the Google play store, Will the application be accepted?
- Is there a way to check if my OpenSSL version is still vulnerable to issues (as mentioned in the mail from google play)?
- Is there a ways to get the version of OpenSSL being used in my APK (Although, $ unzip -p YourApp.apk | strings | grep "OpenSSL", was not able to list the version of OpenSSL)
Note:
I have gone through this Google Play and OpenSSL warning message post and all the solutions provided there but i'm not able to get the OpenSSL version.
Any information on this shall be really helpful. Thanks in advance.
回答1:
Does it now mean that if i update this new APK on the Google play store, Will the application be accepted?
Probably to Maybe. The script Google uses to police OpenSSL is pretty dumb. They flag OpenSSL for versions numbers, and not use of vulnerable functions. Since there's no version information, the script may not trigger on what it believes to be a bad version.
Is there a way to check if my OpenSSL version is still vulnerable to issues (as mentioned in the mail from google play)?
Yes, use the strings
program to dump the OpenSSL strings.
Is there a ways to get the version of OpenSSL being used in my APK (Although, $ unzip -p YourApp.apk | strings | grep "OpenSSL", was not able to list the version of OpenSSL)
I believe you need to check with the OpenTok folks here. It looks like OpenTok switched to BoringSSL at version 2.4.0. BoringSSL is Google's fork of OpenSSL.
来源:https://stackoverflow.com/questions/30235700/opentok-android-sdk-2-3-1-and-openssl-vulnerability-issue