Details
-
Bug
-
Resolution: Invalid
-
P1: Critical
-
None
-
5.6.0, 5.7.0
-
None
-
Android
Description
From Android 6.0 [1] google switched to boringssl which is not quite ABI/API compatible with openssl.
For instance on Android 6.0 it's already missing symbols (CRYPTO_free) which, judging for the function name it leads to memleaks on Android 6.0.
On Android N (7.0?) is even worse, it doesn't work at all 
!!!
Personally I see the following solutions:
- ship qt with openssl bundled, as I did with Necessitas and as Google recommends [2]! This one is my favorite. The downside is that we need to update qtnetwork module every time when openssl folks screw it.
- create some scripts which will download openssl & recompile qtnetwork for user, IMHO it's the same thing, we just make the user experience worse.
- even I'm afraid to add this as a solution, because maybe someone will find it a good idea, I'll do it: use Java SSL socket from C++ (via JNI) and ditch openssl on Android. IMHO this is by far the worst solution because will slow down the speed! On the other hand it we don't need to extract the SSL certificates anymore therefore the startup will be slightly faster. Using SSLSocket java class will not be safer that using openssl! Because the developer can upgrade openssl on affected devices, but he can't update the openssl from device! Another problem is tat I still don't know if the SSLSocket java class has all the notifications that we need ...
[1] http://developer.android.com/about/versions/marshmallow/android-6.0-changes.html
[2] http://developer.android.com/preview/behavior-changes.html#ndk
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Closed
-