Why is QSslSocket working with Qt 5.3 but not Qt 5.7 on Debian Stretch?

I have an app that uses the QWebSocket class but not SSL. It works fine when I execute a version compiled with Qt 5.3 but a Qt 5.7 executable freezes on the following warnings:

QSslSocket: cannot resolve CRYPTO_num_locks
QSslSocket: cannot resolve CRYPTO_set_id_callback
QSslSocket: cannot resolve CRYPTO_set_locking_callback
QSslSocket: cannot resolve ERR_free_strings
QSslSocket: cannot resolve EVP_CIPHER_CTX_cleanup
QSslSocket: cannot resolve EVP_CIPHER_CTX_init
QSslSocket: cannot resolve sk_new_null
QSslSocket: cannot resolve sk_push
QSslSocket: cannot resolve sk_free
QSslSocket: cannot resolve sk_num
QSslSocket: cannot resolve sk_pop_free
QSslSocket: cannot resolve sk_value
QSslSocket: cannot resolve SSL_library_init
QSslSocket: cannot resolve SSL_load_error_strings
QSslSocket: cannot resolve SSL_get_ex_new_index
QSslSocket: cannot resolve SSLv2_client_method
QSslSocket: cannot resolve SSLv3_client_method
QSslSocket: cannot resolve SSLv23_client_method
QSslSocket: cannot resolve SSLv2_server_method
QSslSocket: cannot resolve SSLv3_server_method
QSslSocket: cannot resolve SSLv23_server_method
QSslSocket: cannot resolve X509_STORE_CTX_get_chain
QSslSocket: cannot resolve OPENSSL_add_all_algorithms_noconf
QSslSocket: cannot resolve OPENSSL_add_all_algorithms_conf
QSslSocket: cannot resolve SSLeay
QSslSocket: cannot resolve SSLeay_version
QSslSocket: cannot call unresolved function CRYPTO_num_locks
QSslSocket: cannot call unresolved function CRYPTO_set_id_callback
QSslSocket: cannot call unresolved function CRYPTO_set_locking_callback
QSslSocket: cannot call unresolved function SSL_library_init
QSslSocket: cannot call unresolved function SSLv23_client_method
QSslSocket: cannot call unresolved function sk_num

I am not seeing these warnings in the 5.3 version (that works properly), which suggests that I should not ignore them, as asked in this question. Also, QT += network is already in my src.pro.

I was led to believe that Debian dropped these symbols from the openssl package. Could anyone tell me what's going on here and how I could fix this?

System information

I'm running on Debian stretch

$ uname -r
4.8.0-2-amd64

I have openssl and libssl-dev installed

openssl is already the newest version (1.1.0c-2). 
libssl-dev is already the newest version (1.1.0c-2).

I've tried running this with Qt 5.3 and 5.7

$ qmake -v
QMake version 3.0
Using Qt version 5.7.1 in /usr/lib/x86_64-linux-gnu

Answers


TL;DR

Debian Stretch is shipped with OpenSSL 1.1; Qt uses OpenSSL 1.0; give Qt what it needs:

apt install libssl1.0-dev

Detailed answer

From this answer about OpenSSL and Qt, I found a hint and I displayed the SSL library versions used at compile time and run time using:

qDebug()<<"SSL version use for build: "<<QSslSocket::sslLibraryBuildVersionString();
qDebug()<<"SSL version use for run-time: "<<QSslSocket::sslLibraryVersionNumber();
qDebug()<<QCoreApplication::libraryPaths();

And it displays:

SSL version use for build:  "OpenSSL 1.0.1e-fips 11 Feb 2013"
... lot of SSL warnings...
SSL version use for run-time:  0
("/opt/Qt/5.8/gcc_64/plugins", "/home/Project/..../build...Desktop_Qt_5_8_0_GCC_64bit-Release/src/release/build_linux_64")

But Debian Stretch is shipped with OpenSSL 1.1. As expected, all the threads on the Web about this issue are true: this is an OpenSSL library version compatibility issue.

I ran "apt install libssl1.0-dev" and the problem was solved. I still have 2 SSL warnings about SSLv3, but at least these are only warnings (I read something on the Web about it, no way to find it again).

SSL version use for build:  "OpenSSL 1.0.1e-fips 11 Feb 2013"
QSslSocket: cannot resolve SSLv3_client_method
QSslSocket: cannot resolve SSLv3_server_method
SSL version use for run-time:  268443839
("/opt/Qt/5.8/gcc_64/plugins", "/home/Project/..../build...Desktop_Qt_5_8_0_GCC_64bit-Release/src/release/build_linux_64")

Summary

Until Qt supports OpenSSL 1.1, you can either:

  1. Install OpenSSL 1.0 (possible in Debian)
  2. Compile OpenSSL 1.0 and install it (I did not test, but should work as 1.)
  3. Ship OpenSSL 1.0 with your Qt application (I did not test, but should work as 1.)
  4. Recompile Qt with "-openssl-linked" option (according to this answer, I did not test and I do not want to)
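
The run-time value printed above (268443839) is OpenSSL's packed version number. The following is an added example, not part of the original answer: it decodes that number using the OpenSSL 1.x layout 0xMNNFFPPS and compares its series with the build string. The function names and return codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: decode QSslSocket::sslLibraryVersionNumber() and compare it
# with QSslSocket::sslLibraryBuildVersionString(). Names are hypothetical.

# decode_openssl_version N -> e.g. "1.0.2k"; "none" when Qt loaded nothing.
# OpenSSL 1.x packs the version as 0xMNNFFPPS (major, minor, fix, patch, status).
decode_openssl_version() {
    n=$1
    if [ "$n" -eq 0 ]; then
        echo "none"
        return 0
    fi
    major=$(( (n >> 28) & 0xF ))
    minor=$(( (n >> 20) & 0xFF ))
    fix=$(( (n >> 12) & 0xFF ))
    patch=$(( (n >> 4) & 0xFF ))
    letter=""
    if [ "$patch" -gt 0 ] && [ "$patch" -le 26 ]; then
        # patch 1 -> 'a', 2 -> 'b', ... via an octal escape
        letter=$(printf "\\$(printf '%03o' $((96 + patch)))")
    fi
    echo "${major}.${minor}.${fix}${letter}"
}

# abi_series VERSION -> "1.0" from "1.0.2k" or "1.0.1e-fips"
abi_series() { echo "$1" | sed -n 's/^\([0-9]*\.[0-9]*\)\..*/\1/p'; }

# check_qt_openssl BUILD_STRING RUNTIME_NUMBER
# returns 0 = same series, 1 = no library loaded, 2 = series differ
check_qt_openssl() {
    build_ver=$(echo "$1" | awk '{print $2}')
    run_ver=$(decode_openssl_version "$2")
    if [ "$run_ver" = "none" ]; then
        echo "no usable OpenSSL loaded (Qt was built against $build_ver)"
        return 1
    fi
    if [ "$(abi_series "$build_ver")" != "$(abi_series "$run_ver")" ]; then
        echo "series mismatch: built against $build_ver, loaded $run_ver"
        return 2
    fi
    echo "ok: built against $build_ver, loaded $run_ver"
}

# Values taken from the two outputs shown in the answer above.
check_qt_openssl "OpenSSL 1.0.1e-fips 11 Feb 2013" 0 || true
check_qt_openssl "OpenSSL 1.0.1e-fips 11 Feb 2013" 268443839 || true
```

The second call reports 1.0.2k as the loaded library, which is the version to track for security updates once an OpenSSL 1.0 package is installed alongside 1.1.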

I had the same problem on a Debian Stretch server. I fixed it with the help of 7hibault's comment.

Running the following command fixed the problem for me:

sudo apt-get install libssl1.0-dev

Fylhan's answer does not work under Debian Buster as libssl1.0-dev was a transition package and is not supported anymore.

There is a bug report on Qt's website, and from Giuseppe d'Angelo's comment there are the following workarounds:

Workaround 1

If your distribution has a directory for OpenSSL 1.0 with the right symlinks (e.g. Arch has /usr/lib/openssl-1.0/libssl.so) use LD_LIBRARY_PATH to force that directory to be searched first.

Workaround 2

Make your own directory with symlinks, and use LD_LIBRARY_PATH for that.

Workaround 3

Rebuild your own Qt.

I could fix the problem using the second solution, commands detailed below in my case:

  1. mkdir openssl1.0 ; cd openssl1.0
  2. cp /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 libssl.so.1.0.2
  3. ln -s libssl.so.1.0.2 libssl.so
  4. in QtCreator, Projects > Desktop Qt 5.8.0 > Build > Build Environment > Add : Variable LD_LIBRARY_PATH, Value /path/to/dir/openssl1.0 (or add LD_LIBRARY_PATH="/path/to/dir/openssl1.0" before your command from the console)

You may need to do the same with libcrypto.so as well, but this was enough for me. This solution prevents you from changing the symlinks for the whole system.
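
A private directory on LD_LIBRARY_PATH is worth checking before use. The following is an added example, not part of the original answer: it verifies that the libssl.so and libcrypto.so symlinks in such a directory resolve to the same version and that the directory is not world-writable. The function names and return codes are assumptions, and the demo uses empty placeholder files.

```shell
#!/bin/sh
# Added example: sanity-check a private OpenSSL directory before putting it
# on LD_LIBRARY_PATH. Function names and return codes are hypothetical.

# soname_suffix DIR NAME -> version suffix NAME.so resolves to (e.g. "1.0.2"),
# or nothing when the symlink is missing or dangling.
soname_suffix() {
    link="$1/$2.so"
    [ -L "$link" ] && [ -e "$link" ] || return 0
    target=$(basename "$(readlink "$link")")
    echo "${target#"$2.so."}"
}

# check_openssl_dir DIR
# 0 = usable, 1 = libssl.so missing, 2 = libcrypto.so missing,
# 3 = libssl/libcrypto versions differ, 4 = directory is world-writable
check_openssl_dir() {
    dir=$1
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        echo "refuse: $dir is world-writable, any user could plant a library"
        return 4
    fi
    ssl=$(soname_suffix "$dir" libssl)
    crypto=$(soname_suffix "$dir" libcrypto)
    if [ -z "$ssl" ]; then
        echo "libssl.so missing or dangling in $dir"
        return 1
    fi
    if [ -z "$crypto" ]; then
        echo "libcrypto.so not in $dir: the loader will pick one elsewhere"
        return 2
    fi
    if [ "$ssl" != "$crypto" ]; then
        echo "mismatch: libssl $ssl vs libcrypto $crypto"
        return 3
    fi
    echo "ok: libssl and libcrypto $ssl"
}

# Constructed demo mirroring steps 1-3 above with an empty placeholder file.
demo=$(mktemp -d)
touch "$demo/libssl.so.1.0.2"
ln -s libssl.so.1.0.2 "$demo/libssl.so"
check_openssl_dir "$demo" || true   # reports that libcrypto.so is absent
rm -rf "$demo"
```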


You have to install the following package with the following command in order to fix the problem:

sudo apt install libssl1.0-dev

I had a problem with Qt 5.11.1 on Ubuntu 16.04.

I got the SSL version used for Qt by running:

qDebug()<<"SSL version use for build: "<<QSslSocket::sslLibraryBuildVersionString();

Which prints:

SSL version use for build: "OpenSSL 1.0.2k-fips 26 Jan 2017"

I resolved the problem by building openssl-1.0.2k, obtained from here: http://www.linuxfromscratch.org/blfs/view/8.0/postlfs/openssl.html

Then I ran the following commands to build:

./config --prefix=./usr --openssldir=./etc/ssl  --libdir=lib   shared   zlib-dynamic
make

After make completed successfully, I got the following libraries built in the current directory:

path/openssl-1.0.2k/libssl.so.1.0.0
path/openssl-1.0.2k/libssl.so
path/openssl-1.0.2k/libcrypto.so.1.0.0
path/openssl-1.0.2k/libcrypto.so 

Then open QtCreator, Projects > Desktop Qt 5.11.1 GCC 64bit > Build > Build Environment > Add : Variable LD_LIBRARY_PATH with value path/openssl-1.0.2k.

In my case LD_LIBRARY_PATH already existed with some value, so I edited it like this: :/home/user/Qt5.11.1/Tools/QtCreator/lib/Qt/lib::path/openssl-1.0.2k

The above steps resolved the SSL warning problem with Qt 5.11.1 on Ubuntu 16.04.


You have to change these symlinks in /usr/lib/x86_64-linux-gnu from:

libcrypto.so → libcrypto.so.1.1
libssl.so → libssl.so.1.1

to:

libcrypto.so → libcrypto.so.1.0.2
libssl.so → libssl.so.1.0.2

