On Sunday, 19 June 2022 14:29:33 PDT Chris Benesch wrote: > Build OpenSSL 3 and add its install directory lib/pkgconfig to > PKG_CONFIG_PATH and choose -openssl-linked as one of the config > parameters. If you can get through configure, it should build.
OpenSSL 3 isn't supported in 5.15. Use the very latest release from 1.1, but no older and no newer. Then there's the question of whether you want to ship OpenSSL libraries with your product. If you do, then you must also keep an eye to OpenSSL security advisories and make proper and timely updates to your release. Be prepared to make new builds and release to customers once per month. If you can't sustain this rate, then don't ship OpenSSL. You don't have to do it: the default build doesn't link to OpenSSL, but instead tries to find it at runtime and dlopens() it. That places the burden of providing OpenSSL and keeping it up to date on your user, not you. If they choose to be vulnerable by choice or by ignorance, it's not your fault. If you choose this route, make sure your application works properly when OpenSSL 1.1 is missing. By "properly", I mean "doesn't crash left and right". Please make sure that it is not silently falling back to unencrypted connections where encrypted were required. If your application requires encrypted connections to work at all, then display a dialog with a link to documentation on how to install OpenSSL. PS: OpenSSL is the most visible and most important library when it comes to patching security vulnerabilities, but is not the only one. You should do the same for ALL libraries you ship with your application, and that includes ALL the libraries that are bundled inside Qt's source. For example, the just- released Qt 5.15.5-LTS includes a vulnerable version of zlib, so you should patch it. Better yet, don't use bundled libraries. -- Thiago Macieira - thiago.macieira (AT) intel.com Cloud Software Architect - Intel DCAI Cloud Engineering _______________________________________________ Interest mailing list Interest@qt-project.org https://lists.qt-project.org/listinfo/interest
