  1. Qt
  2. QTBUG-42115

Update openssl on build machines to newer version (Ubuntu)


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2: Important
    • Resolution: Done
    • Affects Version/s: 5.4.0 Beta
    • Fix Version/s: 5.4.0 RC
    • Component/s: Packaging & Installer
    • Labels:
      None
    • Environment:
      Binary packages for Linux (both 32 bit and 64 bit)

      Description

      The current build machines for Linux are based on Ubuntu 11.10, which only features openssl 1.0.0e. The effect is that support for TLSv1.1, TLSv1.2, as well as the nextprotoneg extension is not compiled into Qt5Network.

      This is visible to the user in that:

      • QSslSocket cannot make use of TLSv1.1, TLSv1.2.
      • calling either QSslSocket::setProtocol(QSsl::TlsV1_1) or QSslSocket::setProtocol(QSsl::TlsV1_2) prevents the openssl socket from opening
      • QSslConfiguration::[set]AllowedNextProtocols, QSslConfiguration::nextNegotiatedProtocol, nextProtocolNegotiationStatus are non-functional
      • The SPDY protocol is therefore not supported

      I suggest we upgrade the build machines to use a newer openssl version. The effect however will be that, if the runtime version of openssl is too old (older than 1.0.1), using qsslsocket will print qWarnings:

      QSslSocket: cannot resolve SSLv2_client_method
      QSslSocket: cannot resolve TLSv1_1_client_method
      QSslSocket: cannot resolve TLSv1_2_client_method
      QSslSocket: cannot resolve SSLv2_server_method
      QSslSocket: cannot resolve TLSv1_1_server_method
      QSslSocket: cannot resolve TLSv1_2_server_method
      QSslSocket: cannot resolve SSL_select_next_proto
      QSslSocket: cannot resolve SSL_CTX_set_next_proto_select_cb
      QSslSocket: cannot resolve SSL_get0_next_proto_negotiated
      

      This is IMO acceptable.

      To compile Qt with a custom openssl you need to set two environment variables, e.g.

      export CPATH=/usr/local/openssl/include
      export LIBRARY_PATH=/usr/local/openssl/lib
      ./configure [...]

      (passing -I, -L to configure does taint the resulting SDK with the build paths)
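
A pre-configure guard for the build procedure above, as an added example that is not part of the original report or of Qt's build scripts: it reads OPENSSL_VERSION_NUMBER from the headers that CPATH would expose and rejects anything older than 1.0.1. The function names are hypothetical, the sample header is constructed, and the parser assumes the plain hex literal that OpenSSL 1.0.x headers use.

```shell
#!/bin/sh
# Added example, not Qt project code: check that the OpenSSL headers a build
# will pick up are 1.0.1 or newer before running ./configure.

MIN_VERSION=0x10001000   # OpenSSL 1.0.1, any patch level (layout 0xMNNFFPPS)

# Print the hex OPENSSL_VERSION_NUMBER literal from <dir>/openssl/opensslv.h.
# Assumption: the macro is a plain hex literal, as in OpenSSL 1.0.x headers.
openssl_header_version() {
    hdr="$1/openssl/opensslv.h"
    [ -r "$hdr" ] || return 1
    sed -n 's/^#[[:space:]]*define[[:space:]][[:space:]]*OPENSSL_VERSION_NUMBER[[:space:]][[:space:]]*\(0x[0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p' "$hdr" | head -n 1
}

# Exit status: 0 = 1.0.1 or newer, 1 = older, 2 = header missing or unparsable.
check_openssl_headers() {
    ver=$(openssl_header_version "$1") || return 2
    [ -n "$ver" ] || return 2
    [ "$(( $ver ))" -ge "$(( $MIN_VERSION ))" ]
}

# Human-readable verdict for one include directory.
report() {
    rc=0
    check_openssl_headers "$1" || rc=$?
    case $rc in
        0) echo "ok: $1 has OpenSSL >= 1.0.1 headers" ;;
        1) echo "too old: $1 predates 1.0.1; TLSv1.1, TLSv1.2 and NPN support would not be compiled in" ;;
        *) echo "unknown: no parsable openssl/opensslv.h under $1" ;;
    esac
    return $rc
}

# Write a constructed opensslv.h (sample input, not a real OpenSSL header).
make_sample_header() {
    mkdir -p "$1/openssl"
    printf '#define OPENSSL_VERSION_NUMBER\t%sL\n' "$2" > "$1/openssl/opensslv.h"
}

# Usage: sh check-openssl.sh /usr/local/openssl/include && ./configure [...]
if [ -d "${1:-}" ]; then
    report "$1"
fi
```

This only inspects the headers used at build time; the runtime library that QSslSocket resolves symbols from is a separate check.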


              People

              Assignee:
              releaseteam Qt Release Team
              Reporter:
              kkohne Kai Köhne