
AppImage on Ubuntu 22.04.1 LTS: cannot call unresolved function SSL_get_peer_certificate

Open mulle-nat opened this issue 1 year ago • 18 comments

I suppose the app tries to populate the UI with catalog info from kiwix.org, but fails to do so:

$ ~/Downloads/kiwix-desktop_x86_64_2.2.2-1.appimage 
add widget
Downloading "https://library.kiwix.org:443/catalog/search?lang=deu&count=-1"
qt.network.ssl: QSslSocket: cannot resolve EVP_PKEY_base_id
qt.network.ssl: QSslSocket: cannot resolve SSL_get_peer_certificate
qt.network.ssl: QSslSocket: cannot call unresolved function SSL_get_peer_certificate
Downloading "https://library.kiwix.org:443/catalog/search?lang=deu&count=-1"
qt.network.ssl: QSslSocket: cannot call unresolved function SSL_get_peer_certificate
Downloading "https://library.kiwix.org:443/catalog/search?lang=eng&count=-1"
qt.network.ssl: QSslSocket: cannot call unresolved function SSL_get_peer_certificate
session saved

This is on

Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.1 LTS
Release:	22.04
Codename:	jammy

mulle-nat avatar Aug 16 '22 13:08 mulle-nat

Can you describe the behavior of the application?

mgautierfr avatar Aug 24 '22 14:08 mgautierfr

The app runs, but there is nothing to see or to choose from (because "I suppose the app tries to populate the UI with catalog info from kiwix.org, but fails to do so").

mulle-nat avatar Aug 24 '22 19:08 mulle-nat

I'm able to reproduce on Wayland and XOrg:

Downloading "https://library.kiwix.org:443/catalog/search?lang=eng&count=-1"
qt.network.ssl: QSslSocket: cannot resolve EVP_PKEY_base_id
qt.network.ssl: QSslSocket: cannot resolve SSL_get_peer_certificate
qt.network.ssl: QSslSocket: cannot call unresolved function SSL_get_peer_certificate

Appimage filename: kiwix-desktop_x86_64_2.3.0.appimage

System: Ubuntu 22.04.1 LTS - at today's patch level Intel® Core™ i7-10750H Quadro T2000 Mobile MAX-Q Mesa Intel® UHD Graphics 80 GiB RAM 806 GiB free on volume

My suspicion is that the appimage is built for a previous major version of openssl.

tokyojb avatar Oct 12 '22 03:10 tokyojb

Upon closer inspection, the AppImage does not contain ssl libraries. As I understand, one of the primary purposes of AppImage is to encapsulate (at least) the first order dependencies of an application in order to make it functional in a broader range of environments.

This seems like a critical bug.

tokyojb avatar Oct 14 '22 14:10 tokyojb

@tokyojb This seems legitimate. @mgautierfr Actually it seems quite a good idea to embed both the libopenssl AND the truststore. This is also not a problem which is specific to appimage IMO, the flatpak/flathub seems concerned as well to me.

kelson42 avatar Nov 30 '22 13:11 kelson42

I ran into a very similar problem on a different application. The problem is caused by the fact that openssl 3.0 has dropped these particular x509 functions. A relatively simple workaround is to build openssl 1.1 and softlink the libcrypto.so and libssl.so libraries into the lib path for the application...

gearoid-murphy avatar May 03 '23 22:05 gearoid-murphy

@mgautierfr We need the technical analysis here. Looks like all distributions with OpenSSL 3.0 are impacted!

Edit: Can we apply this workaround? https://stackoverflow.com/questions/71997447/qt-missing-openssl-3-x-support-on-ubuntu-22-04

kelson42 avatar Jun 26 '23 17:06 kelson42

> We need the technical analysis here

Well, as it has already been guessed by others, it seems it is an issue with openssl version compatibility.

  • Glibc ascendant compatibility ensures that if we build with a glibc version N, we can run our program with all glibc >N. So we build our appimage on the "oldest alive lts version of ubuntu" (This is even "enforced" by linuxdeployqt https://github.com/probonopd/linuxdeployqt/issues/340)
  • But openSSL 3.0 cannot run with binaries built with openSSL 1.1.1 (the openssl version in focal). So our appimage is not compatible with most recent distributions (more exactly, distributions without openSSL 1.1 installed)

Possible solution/workaround:

  • Ask users to install openSSL 1.1 on their distribution. (openssl1.1 on Fedora, libssl1.1 on Ubuntu)
  • Create an appimage on a recent distribution. We would lose the compatibility with oldest distrib (or have two different appimages to distribute)
  • Use flatpak kiwix-desktop. Flatpak is not impacted as the application is based on a fixed sdk (think about flatpak as docker for graphical applications)
  • Embed ssl library and store in the appimage. This is mentioned here (https://github.com/probonopd/linuxdeployqt/issues/422#issuecomment-599032763), but it seems there is some (unclear to me) limitation/drawback to have the ssl library or the store embedded.

mgautierfr avatar Jun 28 '23 11:06 mgautierfr
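An added example, not part of the thread or of the Kiwix code: a small shell check for the situation analysed above, reporting whether an extracted AppImage bundles its own libssl/libcrypto and, if not, whether the host can supply OpenSSL 1.1. The function names, verdict strings and the sample `ldconfig -p` excerpts are constructed for illustration; it assumes, as the analysis states, that the AppImage's Qt was built against OpenSSL 1.1.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the AppImage's Qt was built
# against OpenSSL 1.1 and loads libssl/libcrypto at run time, as the analysis says.

# Constructed `ldconfig -p` excerpts (not captured from a real host).
SAMPLE_SSL3_ONLY='libssl.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libssl.so.3
libcrypto.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libcrypto.so.3'
SAMPLE_WITH_SSL11='libssl.so.1.1 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl.so.1.1
libcrypto.so.1.1 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1'

# has_openssl11: stdin is `ldconfig -p` text; succeeds only if BOTH 1.1 libraries
# are listed (libssl alone is useless without the matching libcrypto).
has_openssl11() {
    cache=$(cat)
    printf '%s\n' "$cache" | grep -q 'libssl\.so\.1\.1 ' &&
        printf '%s\n' "$cache" | grep -q 'libcrypto\.so\.1\.1 '
}

# bundled_ssl: list any libssl/libcrypto shipped inside an extracted AppDir.
bundled_ssl() {
    find "$1" \( -name 'libssl.so*' -o -name 'libcrypto.so*' \) 2>/dev/null | sort
}

# diagnose: $1 = extracted AppDir, stdin = `ldconfig -p` text. Prints one verdict:
#   bundled     the image carries its own TLS library
#   host-1.1    nothing bundled, but the host can supply OpenSSL 1.1
#   no-1.1      nothing bundled and no OpenSSL 1.1 on the host (the reported case)
diagnose() {
    if [ -n "$(bundled_ssl "$1")" ]; then
        echo bundled
    elif has_openssl11; then
        echo host-1.1
    else
        echo no-1.1
    fi
}

# Real use: ./check.sh squashfs-root   (after running the AppImage with
# --appimage-extract, which unpacks it into ./squashfs-root)
if [ "$#" -ge 1 ]; then
    ldconfig -p | diagnose "$1"
fi
```

A "bundled" verdict also means the image's TLS library is no longer patched by the distribution's security updates, so it has to be refreshed with each AppImage release.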

@mgautierfr Are you sure we can build on a more recent version of Ubuntu? I thought appimage would not allow it! Which version of Ubuntu would that be? Focal?

kelson42 avatar Jun 28 '23 16:06 kelson42

Ah. I didn’t realize that there was a Flatpak for Kiwix. I’ll give that a go.

Thanks for the response and your ongoing efforts to maintain the application.

tokyojb avatar Jun 29 '23 13:06 tokyojb

> Are you sure we can build on a more recent version of Ubuntu? I thought appimage would not allow it!

Yes we can. linuxdeployqt has a hidden option to bypass the enforcing. Should we? This is another question :)

> I thought appimage would not allow it! Which version of Ubuntu would that be? Focal?

We already build the appimage on focal. This would be a distribution with Qt built using openssl 3.0 (I don't know which one)

mgautierfr avatar Jun 29 '23 15:06 mgautierfr

@mgautierfr I'm in favour of doing so.

kelson42 avatar Jun 30 '23 04:06 kelson42

Please note that if we do so, the appimage may not even be launchable on old distributions. Currently, "only" the remote catalog handling (download) is broken. We still can use kiwix-desktop to read existing zim files.

mgautierfr avatar Jul 10 '23 12:07 mgautierfr

@mgautierfr Acknowledged: priority is to get Kiwix on modern and older OSes, not the other way around.

kelson42 avatar Jul 10 '23 12:07 kelson42

FYI: I made a bug report with Qt hoping to get some tips: https://bugreports.qt.io/browse/QTBUG-115146

julianoes avatar Jul 17 '23 05:07 julianoes

@mgautierfr @veloman-yunkan We are currently experimenting with a pretty complex/sensitive solution/hack/workaround: embedding both TLS lib and truststore. Wouldn't it be a better solution to just compile on a more recent version of the GNU Linux distribution?

kelson42 avatar Apr 23 '24 11:04 kelson42

@kelson42 Are there any formal requirements/commitments about the appimage portability? E.g. "it should run on any linux distribution that is still officially supported by its vendor".

veloman-yunkan avatar Apr 23 '24 19:04 veloman-yunkan

> @kelson42 Are there any formal requirements/commitments about the appimage portability? E.g. "it should run on any linux distribution that is still officially supported by its vendor".

Not really. My requirements are that it should run on recent stable versions and better run on older versions (and we are ready to put a bit of resources to achieve this last point).

kelson42 avatar Apr 23 '24 20:04 kelson42