opentok-android-sdk-2.3.1 and OpenSSL vulnerability issue
Problem description
I have an app on the Google Play store. Recently I got a mail with the subject:
Google Play 60-day deadline for resolving OpenSSL vulnerabilities
It states that I'm using a version of OpenSSL which is vulnerable to some issues. However, I'm not using OpenSSL directly. I'm using the OpenTok library for a video chatting feature, which internally uses OpenSSL. I'm currently using OpenTok SDK version 2.3.1. But according to this link http://www.tokbox.com/blog/mobile-sdks-2-2-1-resolve-openssl-vulnerability/ all OpenSSL vulnerabilities were solved from SDK version 2.2.1 onwards. (I'm currently using 2.3.1, which came much later after 2.2.1)
I used the below command on my android application (APK file):
    $ unzip -p YourApp.apk | strings | grep "OpenSSL"
I got the below logs:
    "OpenSSL"
    GmsCore_OpenSSL
    OpenSSLAdapter::OnCloseEvent(
    OpenSSLAdapter::Error(
    OpenSSLAdapter::OnConnectEvent
    Failed to create OpenSSLCertificate from PEM string.
    OpenSSLStreamAdapter::Error(
    OpenSSLStreamAdapter::OnEvent SE_OPEN
    OpenSSLStreamAdapter::OnEvent
    OpenSSLStreamAdapter::OnEvent(SE_CLOSE,
    OpenSSLStreamAdapter::Read(
    OpenSSLStreamAdapter::Write(
    OpenSSL CMAC method
    %s(%d): OpenSSL internal error, assertion failed: %s
    OpenSSL PKCS#3 DH method
    OpenSSL DH Method
    OpenSSL DSA method
    OpenSSL EC algorithm
    OpenSSL ECDH method
    OpenSSL ECDSA method
    OpenSSL HMAC method
    You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
    OpenSSL RSA method
    OpenSSL 1.0.1e 11 Feb 2013
    OpenSSL default user interface
    OpenSSLAdapter::OnCloseEvent(
    OpenSSLAdapter::Error(
    OpenSSLAdapter::OnConnectEvent
    Failed to create OpenSSLCertificate from PEM string.
    OpenSSLStreamAdapter::Error(
    OpenSSLStreamAdapter::OnEvent SE_OPEN
    OpenSSLStreamAdapter::OnEvent
    OpenSSLStreamAdapter::OnEvent(SE_CLOSE,
    OpenSSLStreamAdapter::Read(
    OpenSSLStreamAdapter::Write(
    OpenSSL CMAC method
    %s(%d): OpenSSL internal error, assertion failed: %s
    OpenSSL PKCS#3 DH method
    OpenSSL DH Method
    OpenSSL DSA method
    OpenSSL EC algorithm
    OpenSSL ECDH method
    OpenSSL ECDSA method
    OpenSSL HMAC method
    You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
    OpenSSL RSA method
    OpenSSL 1.0.1e 11 Feb 2013
    OpenSSL default user interface
From the above logs I get a confirmation that in my current APK, OpenTok is using OpenSSL 1.0.1e.
Hence I have updated the OpenTok library with the latest version, which comes with opentok-android-sdk-2.5.0. After integrating/updating to the new library, I execute the below command:
    $ unzip -p YourApp.apk | strings | grep "OpenSSL"
Below are the logs for the APK with the updated OpenTok library:
    "OpenSSL"
    GmsCore_OpenSSL
    OpenSSL EC algorithm
    OpenSSL HMAC method
    OpenSSL RSA method
    OpenSSLAdapter::Error(
    OpenSSLAdapter::OnCloseEvent(
    OpenSSLAdapter::OnConnectEvent
    Failed to create OpenSSLCertificate from PEM string.
    OpenSSLStreamAdapter::Error(
    OpenSSLStreamAdapter::Write(
    OpenSSLStreamAdapter::Read(
    OpenSSLStreamAdapter::OnEvent SE_OPEN
    OpenSSLStreamAdapter::OnEvent
    OpenSSLStreamAdapter::OnEvent(SE_CLOSE,
    OpenSSL EC algorithm
    OpenSSL HMAC method
    OpenSSL RSA method
    OpenSSLAdapter::Error(
    OpenSSLAdapter::OnCloseEvent(
    OpenSSLAdapter::OnConnectEvent
    Failed to create OpenSSLCertificate from PEM string.
    OpenSSLStreamAdapter::Error(
    OpenSSLStreamAdapter::Write(
    OpenSSLStreamAdapter::Read(
    OpenSSLStreamAdapter::OnEvent SE_OPEN
    OpenSSLStreamAdapter::OnEvent
    OpenSSLStreamAdapter::OnEvent(SE_CLOSE,
Here, we do not see any version of OpenSSL in the obtained logs.
So my questions are:
- Does it now mean that if I update this new APK on the Google Play store, will the application be accepted?
- Is there a way to check if my OpenSSL version is still vulnerable to issues (as mentioned in the mail from Google Play)?
- Is there a way to get the version of OpenSSL being used in my APK (although $ unzip -p YourApp.apk | strings | grep "OpenSSL" was not able to list the version of OpenSSL)?
Note:
I have gone through this Google Play OpenSSL warning message post and all the solutions provided there, but I'm not able to get the OpenSSL version.
Any information on this shall be really helpful. Thanks in advance.
Solution
> Does it now mean that if I update this new APK on the Google Play store, will the application be accepted?
Probably to Maybe. The script Google uses to police OpenSSL is pretty dumb. They flag OpenSSL for version numbers, and not use of vulnerable functions. Since there's no version information, the script may not trigger on what it believes to be a bad version.
> Is there a way to check if my OpenSSL version is still vulnerable to issues (as mentioned in the mail from Google Play)?
Yes, use the strings program to dump the OpenSSL strings.
> Is there a way to get the version of OpenSSL being used in my APK (although $ unzip -p YourApp.apk | strings | grep "OpenSSL" was not able to list the version of OpenSSL)?
I believe you need to check with the OpenTok folks here. It looks like OpenTok switched to BoringSSL at version 2.4.0. BoringSSL is Google's fork of OpenSSL.
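The `unzip -p | strings | grep` pipeline used in the question concatenates every file in the APK, so it cannot show which entry carries the "OpenSSL 1.0.1e 11 Feb 2013" banner. As an added example (not code from the original post or from OpenTok), the following Python scans each APK entry separately and reports the version banners found in it; the sample APK, its entry names and contents are constructed for illustration.

```python
import io
import re
import zipfile

# Version banner as printed in the question, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")
MENTION = re.compile(rb"OpenSSL")


def scan_apk(apk):
    """Map each APK entry that mentions OpenSSL to the sorted versions found in it.

    `apk` is a path or a binary file object. An empty list means the entry
    contains OpenSSL strings but no version banner.
    """
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # decompresses the entry, like `unzip -p`
            if not MENTION.search(data):
                continue
            versions = {m.group(1).decode("ascii") for m in BANNER.finditer(data)}
            findings[info.filename] = sorted(versions)
    return findings


def build_sample_apk():
    """Constructed sample: entry names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lib/armeabi/libold_sample.so",
                    b"\x7fELF\x00OpenSSL RSA method\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        zf.writestr("lib/armeabi/libnew_sample.so",
                    b"\x7fELF\x00OpenSSL EC algorithm\x00OpenSSL HMAC method\x00")
        zf.writestr("classes.dex", b"dex\n035\x00GmsCore_OpenSSL\x00")
        zf.writestr("res/raw/unrelated.bin", b"\x00\x01\x02")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, versions in sorted(scan_apk(build_sample_apk()).items()):
        print(name, "->", ", ".join(versions) or "OpenSSL strings, no version banner")
```

Pass the path of a real APK to `scan_apk` to see, per native library, whether a version banner is present; an empty list only means no banner string was found in that entry.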