Crosswalk 10.39.235.15 and OpenSSL warning


#1

Hi,
we are currently using Crosswalk 10.39.235.15 in our ionic app (uploaded to the Play Store on 20.03.2015).

Today we received the following warning email from the Google Play team:
"We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users.
The vulnerabilities were fixed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za.
To confirm your OpenSSL version, you can do a grep via: $ unzip -p YourApp.apk | strings | grep "OpenSSL"

But according to the release notes (https://crosswalk-project.org/blog/crosswalk-10-stable.html) this Crosswalk version fixed the OpenSSL issue stated above!

Anybody else having this problem?

Best,
famibo


#2

Hmm, haven’t heard anything from the Crosswalk people. But just to be sure, you can update your version of Crosswalk from the CLI with this command:

$ ionic browser upgrade

This should get you version 12.x


#3

Yes, I think it’s the only option.

When I run the command unzip -p YourApp.apk | strings | grep "OpenSSL"
I can’t see any OpenSSL version number - very strange !?

(Cannot find system OpenSSLEngine class:
/Cannot find system OpenSSLRSAPrivateKey class:
;Engine is not an OpenSSLEngine instance, its class name is:
9Exception while trying to retrieve OpenSSLEngine object:
+No getEngine() method on OpenSSLKey member:
0No getPkeyContext() method on OpenSSLKey member:
GPrivate key is not an OpenSSLRSAPrivateKey instance, its class name is:
getOpenSSLEngineForPrivateKey
getOpenSSLHandleForPrivateKey
getOpenSSLKey
getOpenSSLKey() returned null
getOpenSSLKeyForPrivateKey
3org.apache.harmony.xnet.provider.jsse.OpenSSLEngine
:org.apache.harmony.xnet.provider.jsse.OpenSSLRSAPrivateKey
OpenSSL SYSCALL error, earliest error code in error queue:
Unknown OpenSSL error
OpenSSL EC algorithm
OpenSSL HMAC method
OpenSSL RSA method
OpenSSLAdapter::Error(
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::Write(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE,
OpenSSLStreamAdapter::Read(
virtual int net::SSLClientSocketOpenSSL::GetTLSUniqueChannelBinding(std::string*)
OpenSSL
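
Added example, not part of the thread: the plain `grep "OpenSSL"` from the warning email also matches symbol names and error strings, as in the output above, so this sketch keeps only version banners of the form `OpenSSL 1.0.1g` and compares them with the fixed releases named in the email. The function names are hypothetical, and the letter ordering (a..z, then za, zb, ...) is assumed from OpenSSL's release naming for these branches.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the thread.

# First fixed release per branch, as quoted in the Google Play warning.
fixed_suffix_for_branch() {
  case "$1" in
    1.0.1) echo h ;;
    1.0.0) echo m ;;
    0.9.8) echo za ;;
    *)     echo "" ;;  # branch not named in the warning
  esac
}

# True if letter suffix $1 sorts before $2. OpenSSL letter releases run
# a..z, then za, zb, ..., so a shorter suffix is always the older one.
suffix_lt() {
  if [ "${#1}" -ne "${#2}" ]; then
    [ "${#1}" -lt "${#2}" ]
  else
    expr "x$1" \< "x$2" >/dev/null
  fi
}

# Reads `strings` output on stdin; prints one verdict per distinct banner.
classify_openssl_banners() {
  banners=$(grep -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' |
            sed 's/^OpenSSL //' | sort -u)
  if [ -z "$banners" ]; then
    echo "NO-VERSION-BANNER"   # only symbol/error strings matched
    return 0
  fi
  for ver in $banners; do
    branch=${ver%%[a-z]*}      # e.g. 1.0.1
    suffix=${ver#"$branch"}    # e.g. g
    fixed=$(fixed_suffix_for_branch "$branch")
    if [ -z "$fixed" ]; then
      echo "$ver BRANCH-NOT-IN-WARNING"
    elif suffix_lt "$suffix" "$fixed"; then
      echo "$ver VULNERABLE (fixed in $branch$fixed)"
    else
      echo "$ver OK"
    fi
  done
}

# Usage: unzip -p YourApp.apk | strings | classify_openssl_banners
```

A `NO-VERSION-BANNER` result only means no banner string was found in the extracted files; it does not by itself show which TLS library the APK links.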