[Interest] SSL broken hard on OSX

Till Oliver Knoll till.oliver.knoll at gmail.com
Wed Sep 21 21:58:09 CEST 2016



> On 21.09.2016 at 20:01, Thiago Macieira <thiago.macieira at intel.com> wrote:
> 
>> On Wednesday, 21 September 2016 19:52:45 PDT Jason H wrote:
>> I am on OSX 10.11.5. I've been using SSL successfully for a while, and I
>> fell into a habit of ignoring qt.network.ssl warnings: qt.network.ssl:
>> ...
>> 
>> But it seems now TLS is no longer working at all. I can't do any work
>> because everything happens over SSL, specifically TLSv1_2.
>> 
>> Does anyone know how I can fix (not hide) these issues?
> 
> Option 1) upgrade OpenSSL

Just to add to this: using OpenSSL on OS X/macOS is highly discouraged by Apple these days.

The stock version is some stone-age 0.9.8zf version, and recent Xcode/platform SDKs don't even ship with OpenSSL headers:

https://forums.developer.apple.com/thread/3897

"Since the version of openssl shipping with El Capitan is 0.9.8zf, it's not much use anyway since it doesn't include TLS 1.2."

and

"Sadly, it looks like we're not supposed to use it any more.  As you say, it's included in the 10.10 SDK, but is deliberately missing from the 10.11 SDK."


So you need to build your own OpenSSL library from its latest sources and bundle it with your application, taking on the responsibility to update your application each time a critical error is found in OpenSSL.


> 
> Option 2) use the native backend (SecureTransport) for SSL, not OpenSSL. 
> SecureTransport is the default in Qt 5.6.

On the other hand, if you do as Thiago suggests (and I join in here), then the OS vendor takes care of keeping a security-relevant component up to date, namely SecureTransport.

Cheers,
  Oliver
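
An added example, not part of the original message: a small Python check that takes a library banner such as the output of `openssl version` or of Qt's `QSslSocket::sslLibraryVersionString()` and reports whether that library can negotiate TLS 1.2 at all. The banners other than the 0.9.8zf one quoted above are constructed samples, and the function names are hypothetical.

```python
import re

# TLS 1.2 first appeared in OpenSSL 1.0.1; anything older cannot negotiate it.
MIN_TLS12 = (1, 0, 1)

# Matches "OpenSSL 0.9.8zf", "OpenSSL 1.0.2h  3 May 2016", "LibreSSL 2.2.7", ...
_VERSION_RE = re.compile(r"\b(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_ssl_version(banner):
    """Return (product, (major, minor, fix), patch_letters) or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    product, major, minor, fix, letters = m.groups()
    return product, (int(major), int(minor), int(fix)), letters


def supports_tls12(banner):
    """True/False for a recognised banner, None when it cannot be parsed."""
    parsed = parse_ssl_version(banner)
    if parsed is None:
        return None  # e.g. a non-OpenSSL backend; do not guess
    product, numeric, _letters = parsed
    if product == "LibreSSL":
        # LibreSSL was forked from OpenSSL 1.0.1g, so every release has TLS 1.2.
        return True
    # Patch letters ("zf") never lift a 0.9.8 or 1.0.0 build over the threshold.
    return numeric >= MIN_TLS12


if __name__ == "__main__":
    # Constructed sample banners, except the 0.9.8zf version quoted in the thread.
    for banner in ("OpenSSL 0.9.8zf", "OpenSSL 1.0.0t", "OpenSSL 1.0.2h",
                   "LibreSSL 2.2.7", "unrecognised backend string"):
        print(f"{banner!r}: TLS 1.2 capable = {supports_tls12(banner)}")
```

A `None` result means the banner did not come from OpenSSL or LibreSSL, so the TLS 1.2 question has to be answered from that backend's own documentation.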