opentok-android-sdk-2.3.1 and OpenSSL vulnerability issue

I have an app on the Google Play store. Recently I got a mail with the subject:

Google Play 60-day deadline for resolving OpenSSL vulnerabilities

It states that I'm using a version of OpenSSL which is vulnerable to some issues. However, I'm not using OpenSSL directly. I'm using the OpenTok library for the video chatting feature, which internally uses OpenSSL. I'm currently using OpenTok SDK version 2.3.1. But according to this link http://www.tokbox.com/blog/mobile-sdks-2-2-1-resolve-openssl-vulnerability/ all OpenSSL vulnerabilities were solved from SDK version 2.2.1 onwards. (I'm currently using 2.3.1, which came much later, after 2.2.1.)

I used the below command on my Android application (APK file):

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

I got the below logs:

"OpenSSL"
GmsCore_OpenSSL
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::Error(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE, 
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::Write(
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default user interface
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::Error(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE, 
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::Write(
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default user interface

From the above logs I get a confirmation that in my current APK, OpenTok is using OpenSSL 1.0.1e.

Hence I have updated the OpenTok library to the latest version, which comes with opentok-android-sdk-2.5.0. After integrating/updating to the new library, I executed the below command:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

Below are the logs for the APK with the updated OpenTok library:

"OpenSSL"
GmsCore_OpenSSL
OpenSSL EC algorithm
OpenSSL HMAC method
OpenSSL RSA method
OpenSSLAdapter::Error(
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::Write(
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE, 
OpenSSL EC algorithm
OpenSSL HMAC method
OpenSSL RSA method
OpenSSLAdapter::Error(
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::Write(
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE,

Here, we do not see any version of OpenSSL in the obtained logs.

So my questions are:

  • Does it now mean that if I update this new APK on the Google Play store, the application will be accepted?
  • Is there a way to check if my OpenSSL version is still vulnerable to issues (as mentioned in the mail from Google Play)?
  • Is there a way to get the version of OpenSSL being used in my APK? (Although $ unzip -p YourApp.apk | strings | grep "OpenSSL" was not able to list the version of OpenSSL.)

Note:

I have gone through this Google Play OpenSSL warning message post and all the solutions provided there, but I'm not able to get the OpenSSL version.

Any information on this shall be really helpful. Thanks in advance.

Solution

Does it now mean that if I update this new APK on the Google Play store, the application will be accepted?

Probably to maybe. The script Google uses to police OpenSSL is pretty dumb. They flag OpenSSL by version numbers, not by use of vulnerable functions. Since there's no version information, the script may not trigger on what it believes to be a bad version.


Is there a way to check if my OpenSSL version is still vulnerable to issues (as mentioned in the mail from Google Play)?

Yes, use the strings program to dump the OpenSSL strings.


Is there a way to get the version of OpenSSL being used in my APK? (Although $ unzip -p YourApp.apk | strings | grep "OpenSSL" was not able to list the version of OpenSSL.)

I believe you need to check with the OpenTok folks here. It looks like OpenTok switched to BoringSSL at version 2.4.0. BoringSSL is Google's fork of OpenSSL.
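The check from the question, together with the answer's point that a build without a version banner cannot be called safe just because grep printed nothing, as an added example (this is not code from the question, the answer, OpenTok or Google). It reimplements `unzip -p app.apk | strings | grep OpenSSL` in Python, restricts the scan to the native libraries under `lib/`, and classifies each one: a library that carries the compiled-in `OpenSSL x.y.z` banner is compared against a fixed-version table, while a library that references OpenSSL symbols but carries no banner (what the updated OpenTok 2.5.0 build looked like) is reported as "no-version-banner" rather than as patched. The `FIXED_VERSIONS` table is an assumption taken from the 2014 Play notice and should be adjusted to whatever the current Play Console message names; the sample APK is constructed inline so the script runs offline.

```python
"""Find OpenSSL version banners in an APK's native libraries.

Added example: reimplements `unzip -p app.apk | strings | grep OpenSSL`
in Python and classifies what it finds. Not OpenTok's or Google's code.
"""
import io
import re
import sys
import zipfile

# Printable-ASCII runs of 4+ bytes, which is what `strings` prints by default.
_STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")
# The banner OpenSSL compiles in, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_BANNER_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]*)")

# Assumption: first fixed release per maintenance line, as named in Google's
# 2014 Play notice. Adjust to whatever the current Play Console message says.
FIXED_VERSIONS = {"1.0.1": "1.0.1h", "1.0.0": "1.0.0m", "0.9.8": "0.9.8za"}


def extract_strings(data: bytes):
    """Return printable-ASCII runs from a binary blob (like `strings`)."""
    return [m.group(0).decode("ascii") for m in _STRINGS_RE.finditer(data)]


def _version_key(ver: str):
    """Sort key for OpenSSL versions: 1.0.1e < 1.0.1h and 0.9.8y < 0.9.8za."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver)
    if not m:
        raise ValueError(f"not an OpenSSL version: {ver!r}")
    nums = tuple(int(x) for x in m.groups()[:3])
    letters = m.group(4)
    return nums + (len(letters), letters)


def is_vulnerable_version(ver: str):
    """True if `ver` predates the fixed release of its line, False if not,
    None when the line is not listed in FIXED_VERSIONS."""
    line = re.match(r"\d+\.\d+\.\d+", ver).group(0)
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        return None
    return _version_key(ver) < _version_key(fixed)


def scan_apk(apk):
    """Scan every .so in the APK. `apk` is a path, a file object or bytes."""
    if isinstance(apk, bytes):
        apk = io.BytesIO(apk)
    report = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if not name.endswith(".so"):
                continue
            strs = extract_strings(z.read(name))
            report[name] = {
                "versions": sorted({m.group(1) for s in strs
                                    for m in _BANNER_RE.finditer(s)}),
                "openssl_refs": any("OpenSSL" in s for s in strs),
                "boringssl_refs": any("BoringSSL" in s for s in strs),
            }
    return report


def assess(report):
    """Map each library to a verdict. A library that references OpenSSL but
    carries no banner is reported as such, not as safe: the grep alone cannot
    tell a patched build from one whose banner was stripped or replaced."""
    verdicts = {}
    for name, info in report.items():
        if info["versions"]:
            flags = [is_vulnerable_version(v) for v in info["versions"]]
            if any(f is True for f in flags):
                verdicts[name] = "vulnerable"
            elif all(f is False for f in flags):
                verdicts[name] = "patched"
            else:
                verdicts[name] = "unknown-line"
        elif info["openssl_refs"]:
            verdicts[name] = "no-version-banner"
        else:
            verdicts[name] = "no-openssl"
    return verdicts


def build_sample_apk():
    """Constructed stand-in for an APK: three fake .so files and a dex."""
    libs = {
        # Old build: banner present (twice, as in the question's log).
        "lib/armeabi-v7a/libopentok_old.so":
            b"\x7fELF\x00OpenSSL 1.0.1e 11 Feb 2013\x00OpenSSLStreamAdapter::Read(\x00"
            b"OpenSSL 1.0.1e 11 Feb 2013\x00",
        # New build: OpenSSL symbol names but no version banner.
        "lib/armeabi-v7a/libopentok_new.so":
            b"\x7fELF\x00OpenSSLStreamAdapter::Read(\x00OpenSSL EC algorithm\x00",
        "lib/armeabi-v7a/libother.so": b"\x7fELF\x00nothing to see\x00",
        "classes.dex": b"dex\n035\x00",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in libs.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    rep = scan_apk(target)
    for lib, verdict in assess(rep).items():
        print(f"{verdict:18} {lib} {rep[lib]['versions']}")
```

Run it with a real APK path as the first argument; without one it scans the constructed sample. A "no-version-banner" verdict is the case the answer describes and is the point at which to ask the library vendor what TLS stack the build actually links, rather than treating the silent grep as a pass.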
