Why is QSslSocket working with Qt 5.3 but not Qt 5.7 on Debian Stretch?

7hibault · Feb 7, 2017 · Viewed 20.9k times

I have an app that uses the QWebSocket class but not SSL. It works fine when I execute a version compiled with Qt 5.3 but a Qt 5.7 executable freezes on the following warnings:

QSslSocket: cannot resolve CRYPTO_num_locks
QSslSocket: cannot resolve CRYPTO_set_id_callback
QSslSocket: cannot resolve CRYPTO_set_locking_callback
QSslSocket: cannot resolve ERR_free_strings
QSslSocket: cannot resolve EVP_CIPHER_CTX_cleanup
QSslSocket: cannot resolve EVP_CIPHER_CTX_init
QSslSocket: cannot resolve sk_new_null
QSslSocket: cannot resolve sk_push
QSslSocket: cannot resolve sk_free
QSslSocket: cannot resolve sk_num
QSslSocket: cannot resolve sk_pop_free
QSslSocket: cannot resolve sk_value
QSslSocket: cannot resolve SSL_library_init
QSslSocket: cannot resolve SSL_load_error_strings
QSslSocket: cannot resolve SSL_get_ex_new_index
QSslSocket: cannot resolve SSLv2_client_method
QSslSocket: cannot resolve SSLv3_client_method
QSslSocket: cannot resolve SSLv23_client_method
QSslSocket: cannot resolve SSLv2_server_method
QSslSocket: cannot resolve SSLv3_server_method
QSslSocket: cannot resolve SSLv23_server_method
QSslSocket: cannot resolve X509_STORE_CTX_get_chain
QSslSocket: cannot resolve OPENSSL_add_all_algorithms_noconf
QSslSocket: cannot resolve OPENSSL_add_all_algorithms_conf
QSslSocket: cannot resolve SSLeay
QSslSocket: cannot resolve SSLeay_version
QSslSocket: cannot call unresolved function CRYPTO_num_locks
QSslSocket: cannot call unresolved function CRYPTO_set_id_callback
QSslSocket: cannot call unresolved function CRYPTO_set_locking_callback
QSslSocket: cannot call unresolved function SSL_library_init
QSslSocket: cannot call unresolved function SSLv23_client_method
QSslSocket: cannot call unresolved function sk_num

I am not seeing these warnings in the 5.3 version (that works properly), which suggests that I should not ignore them, as asked in this question. Also, QT += network is already in my src.pro.

I was led to believe that Debian dropped these symbols from the openssl package. Could anyone tell me what's going on here and how I could fix this?

System information

I'm running on Debian stretch

$ uname -r
4.8.0-2-amd64

I have openssl and libssl-dev installed

openssl is already the newest version (1.1.0c-2). 
libssl-dev is already the newest version (1.1.0c-2).

I've tried running this with Qt 5.3 and 5.7

$ qmake -v
QMake version 3.0
Using Qt version 5.7.1 in /usr/lib/x86_64-linux-gnu

Answer

Fylhan · Feb 17, 2017

TL;DR

Debian Stretch is shipped with OpenSSL 1.1; Qt uses OpenSSL 1.0; give Qt what it needs:

apt install libssl1.0-dev

Detailed answer

From this answer about OpenSSL and Qt, I found a hint, and I displayed the SSL library versions used at compile time and at run time using:

qDebug() << "SSL version use for build: " << QSslSocket::sslLibraryBuildVersionString();
qDebug() << "SSL version use for run-time: " << QSslSocket::sslLibraryVersionNumber();
qDebug() << QCoreApplication::libraryPaths();

And it displays:

SSL version use for build:  "OpenSSL 1.0.1e-fips 11 Feb 2013"
... lot of SSL warnings...
SSL version use for run-time:  0
("/opt/Qt/5.8/gcc_64/plugins", "/home/Project/..../build...Desktop_Qt_5_8_0_GCC_64bit-Release/src/release/build_linux_64")

But Debian Stretch is shipped with OpenSSL 1.1. As expected, all the threads on the Web about this issue are true: this is an OpenSSL library version compatibility issue.

I ran "apt install libssl1.0-dev" and the problem was solved. I still have 2 SSL warnings about SSLv3, but at least these are only warnings (I read something on the Web about it, no way to find it again).

SSL version use for build:  "OpenSSL 1.0.1e-fips 11 Feb 2013"
QSslSocket: cannot resolve SSLv3_client_method
QSslSocket: cannot resolve SSLv3_server_method
SSL version use for run-time:  268443839
("/opt/Qt/5.8/gcc_64/plugins", "/home/Project/..../build...Desktop_Qt_5_8_0_GCC_64bit-Release/src/release/build_linux_64")

Summary

Until Qt supports OpenSSL 1.1, you can either:

  1. Install OpenSSL 1.0 (possible in Debian)
  2. Compile OpenSSL 1.0 and install it (I did not test, but it should work like 1.)
  3. Ship OpenSSL 1.0 with your Qt application (I did not test, but it should work like 1.)
  4. Recompile Qt with the "-openssl-linked" option (according to this answer; I did not test and I do not want to)
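
The run-time value 268443839 in the answer above is OpenSSL's packed version number, and 0 means no usable library was resolved. The following is an added example, not code from the original answer or from Qt: plain C++ (no Qt needed) that decodes that number and compares it with the build string. It assumes the pre-3.0 OpenSSL layout 0xMNNFFPPS and treats major.minor as the compatibility boundary; the names `decodeRuntime`, `parseBuild` and `sameSeries` are hypothetical.

```cpp
#include <cstdio>
#include <initializer_list>
#include <string>

// Added example: decodes the pre-3.0 OpenSSL version layout 0xMNNFFPPS.
struct SslVersion {
    bool loaded;                 // false when Qt reported 0 (no library resolved)
    unsigned major, minor, fix;
    std::string text;            // e.g. "1.0.2k"
};

// Decode the value returned by QSslSocket::sslLibraryVersionNumber().
SslVersion decodeRuntime(unsigned long n) {
    SslVersion v{n != 0, (unsigned)((n >> 28) & 0xF), (unsigned)((n >> 20) & 0xFF),
                 (unsigned)((n >> 12) & 0xFF), ""};
    if (!v.loaded) return v;
    unsigned patch = (n >> 4) & 0xFF;          // 1..26 maps to 'a'..'z'
    v.text = std::to_string(v.major) + "." + std::to_string(v.minor) + "." +
             std::to_string(v.fix);
    if (patch >= 1 && patch <= 26) v.text += static_cast<char>('a' + patch - 1);
    return v;
}

// Parse a string such as QSslSocket::sslLibraryBuildVersionString() returns.
SslVersion parseBuild(const std::string& s) {
    SslVersion v{false, 0, 0, 0, ""};
    char letter[2] = {0, 0};
    int got = std::sscanf(s.c_str(), "OpenSSL %u.%u.%u%1[a-z]",
                          &v.major, &v.minor, &v.fix, letter);
    if (got >= 3) {
        v.loaded = true;
        v.text = std::to_string(v.major) + "." + std::to_string(v.minor) + "." +
                 std::to_string(v.fix) + letter;
    }
    return v;
}

// Assumption: major.minor is the compatibility boundary (the 1.0 vs 1.1 break).
bool sameSeries(const SslVersion& build, const SslVersion& run) {
    return build.loaded && run.loaded &&
           build.major == run.major && build.minor == run.minor;
}

int main() {
    SslVersion build = parseBuild("OpenSSL 1.0.1e-fips 11 Feb 2013");
    // 0 and 268443839 are from the answer; 0x1010003F is a constructed 1.1.0c value.
    for (unsigned long n : {0UL, 268443839UL, 0x1010003FUL}) {
        SslVersion run = decodeRuntime(n);
        std::printf("build %s, run-time %s -> %s\n", build.text.c_str(),
                    run.loaded ? run.text.c_str() : "(none loaded)",
                    sameSeries(build, run) ? "same series" : "mismatch");
    }
}
```

Decoding the number also shows the exact patch level that was loaded at run time, which is what matters when checking the library against OpenSSL security advisories.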