Updating openssl due to security scan

31-Dec-2015 18:10 | 5 Comments


I also suspect the IDE you are using could be providing a downlevel OpenSSL version (I don't use the IDEs on Android, so I have not encountered it).


The apps which use the Android NDK are using NDK 9d (the latest).

References: [1] https://weakdh.org/

This improves, but does not fix, the client side, as it sets the minimum DH group size to 768 for clients rather than 1024 or 2048.

Here the logic was modified to require a minimum DH group size of 1024; the patch is below.

I also have this problem because the version of Facebook's SDK I am using is not updated.

So if you are using it too, just try the updated version of Facebook's SDK, v3.21.1, and that warning is solved.

No security updates for 1.0.0 and 0.9.8 will be provided after that.

Users are advised to upgrade to the latest versions of 1.0.1 or 1.0.2.

The issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

Of note, support for OpenSSL versions 1.0.0 and 0.9.8 will cease at the end of the year, on 2015-12-31.

Google also provides "Updating Your Security Provider to Protect Against SSL Exploits", but I suspect it will still trigger the message because the check appears to be a basic string search.

It's often easier to update everything rather than trying to figure out which component is providing the downlevel version of OpenSSL.

An OpenSSL security advisory was issued earlier today, Thursday 2015-06-11 [1].