修復 cocos2dx v2.x 版 OpenSSL 過期的錯誤

文章撰寫日期︰2014/12/29 18:50
文章修改日期︰2014/12/30 10:20
文章修改次數︰1

一、問題

今天收到Google寄來的一封信,
跟我說我目前用的Cocos2d-x的OpenSSL協議版號過舊,
APK即將被強迫下架,
需要我盡快更新並重新上架。

內容如下︰
Your app is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible.

The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL""). For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt.

To confirm that you’ve upgraded correctly, upload the updated version to the Developer Console and check and after five hours.

This is the second warning we’ve sent you. Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

二、解決辦法

查了一下原來使cocos2dx引擎內建的OpenSSL版號使用過舊。

而前一陣子Google已經發表新聞稿(15年OpenSSL漏洞影響Android版Chrome,Google發布緊急更新),
因此也開始在抓OpenSSL過舊的APK。

請下載Cocos2dX v.2.x版更新檔並覆蓋取代底下的資料夾位置
/cocos2d-x/cocos2dx/platform/third_party/android/prebuilt/libcurl/libs

armeabi/libcurl.a覆蓋原來的armeabi/libcurl.a
armeabi-v7a/libcurl.a覆蓋原來的armeabi-v7a/libcurl.a
x86/libcurl.a覆蓋原來的x86/libcurl.a

如果下載連結失效,亦可至Github下載。

倘若用的是Cocos2dX v3.x版,請至此下載

更新完後,記得刪掉整個編譯出來的Android遊戲專案資料夾so檔,路徑如下
您的Android遊戲專案/proj.android/obj/local

並 $./build_native.sh 重新編譯您的遊戲專案即可修復問題。

三、其它

如果要知道現在apk使用OpenSSL的版號,
推薦一隻App︰Heartbleed Scanner

參考來源

1. cocos2dx官方論壇

沒有留言 :

張貼留言