updating openssl on MacOS

updating openssl on MacOS

Michael Richardson
(I'm a Linux desktop guy)
Sitting with a colleague, he's trying to get some code working that requires
ECDSA support, so openssl 1.1.0 or newer, and his Mac is infested with
0.98letter.

There are a whole bunch of pages with a variety of recommendations.
None of them are on openssl.org...  I wonder if openssl.org shouldn't
include at least a page of advice that is known to work?

My colleague eventually did something like:
   brew update
   brew uninstall --force openssl       (unclear if this worked..)
   brew uninstall --ignore-dependencies openssl
   brew upgrade
   brew install openssl

and the libraries wound up in /usr/local/opt/{include,lib}.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: updating openssl on MacOS

OpenSSL - User mailing list
It's hard enough for the openssl team to document the basic config/build things, let alone all the operating systems and vendor-supplied stuff.

Perhaps a wiki page, that the community could help maintain?
 


Re: updating openssl on MacOS

Dominyk Tiller
FWIW on macOS:

If you use Homebrew and want/need OpenSSL 1.1.1 then `brew install
openssl@1.1`. If you want the 1.0.2x series `brew install openssl`
currently is & will likely remain attached to 1.0.2x for the foreseeable.

If you use MacPorts and want OpenSSL 1.0.2x then `sudo port install
openssl`. As far as I'm aware MacPorts does not currently offer a port
for either 1.1.0x or 1.1.1x.

If you use Nix and want OpenSSL 1.1.1 then `nix-env -i openssl-1.1.1`
(I'm unsure if this has made it into a stable release of Nix yet) and if
you want OpenSSL 1.0.2x then `nix-env -i openssl-1.0.2p`. You can get
nix to spit out a list of OpenSSL versions available via `nix-env -qa
openssl`.

Hope this helps some. I'm not sure what the situation is with fink or
pkgsrc, or any newer package managers for the platform I'm unaware of.

Dom
===
Sent from macOS.

On 20/09/2018 20:53, Salz, Rich via openssl-users wrote:
> It's hard enough for the openssl team to document the basic config/build things, let alone all the operating systems and vendor-supplied stuff.
>
> Perhaps a wiki page, that the community could help maintain?
>  
>

Re: updating openssl on MacOS

Blumenthal, Uri - 0553 - MITLL
Macports team is working on upgrading OpenSSL to 1.1.1. It takes time because they plan to move all the ports that depend on OpenSSL to that level. I assume that once that is done, 1.0.2 won't be supported/available on Macports anymore.

Installation - as Dominyk said: "sudo port install openssl" (possibly with parameters, check for them via "port info openssl"), and Macports would do the right thing. ;-)

I'm not aware of any efforts by Macports to support 1.1.0.

Thanks!

Regards,
Uri

On 9/20/18, 4:04 PM, "openssl-users on behalf of Dominyk Tiller" <[hidden email] on behalf of [hidden email]> wrote:

    FWIW on macOS:
   
    If you use Homebrew and want/need OpenSSL 1.1.1 then `brew install
    openssl@1.1`. If you want the 1.0.2x series `brew install openssl`
    currently is & will likely remain attached to 1.0.2x for the foreseeable.
   
    If you use MacPorts and want OpenSSL 1.0.2x then `sudo port install
    openssl`. As far as I'm aware MacPorts does not currently offer a port
    for either 1.1.0x or 1.1.1x.
   
    If you use Nix and want OpenSSL 1.1.1 then `nix-env -i openssl-1.1.1`
    (I'm unsure if this has made it into a stable release of Nix yet) and if
    you want OpenSSL 1.0.2x then `nix-env -i openssl-1.0.2p`. You can get
    nix to spit out a list of OpenSSL versions available via `nix-env -qa
    openssl`.
   
    Hope this helps some. I'm not sure what the situation is with fink or
    pkgsrc, or any newer package managers for the platform I'm unaware of.
   
    Dom
    ===
    Sent from macOS.
   
    On 20/09/2018 20:53, Salz, Rich via openssl-users wrote:
    > It's hard enough for the openssl team to document the basic config/build things, let alone all the operating systems and vendor-supplied stuff.
    >
    > Perhaps a wiki page, that the community could help maintain?
    >  
    >
   


Re: updating openssl on MacOS

Viktor Dukhovni
In reply to this post by Michael Richardson


> On Sep 20, 2018, at 3:43 PM, Michael Richardson <[hidden email]> wrote:
>
> Sitting with a colleague, he's trying to get some code working that requires
> ECDSA support,

ECDSA support is also present in OpenSSL 1.0.2.  With recent versions of
MacOS you actually get LibreSSL with the base system:

  $ /usr/bin/openssl version
  LibreSSL 2.2.7

Despite (IMHO) its increasing obsolescence and irrelevance, the LibreSSL
fork of OpenSSL 1.0.2 also supports ECDSA.

$ /usr/bin/openssl ciphers -v aECDSA
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1

> so openssl 1.1.0 or newer, and his Mac is infested with
> 0.98letter.

That sounds like a Mac that's running a dated copy of the OS.

--
        Viktor.


Re: updating openssl on MacOS

Blumenthal, Uri - 0553 - MITLL
On 9/20/18, 4:39 PM, "openssl-users on behalf of Viktor Dukhovni" <[hidden email] on behalf of [hidden email]> wrote:

    Despite (IMHO) its increasing obsolescence and irrelevance, the LibreSSL
    fork of OpenSSL 1.0.2 also supports ECDSA.

Yep.
   
    > so openssl 1.1.0 or newer, and his Mac is infested with
    > 0.98letter.
   
    That sounds like a Mac that's running a dated copy of the OS.
   
The latest released (High Sierra) MacOS has LibreSSL 2.2.7 - pretty dated (but no worries - it doesn't include .h files or linkable libraries for LibreSSL, as far as I could tell ;). The previous versions included 0.98letter.

Anybody who needs a "real" OpenSSL on MacOS either builds it himself (like what I'm doing with the master ;), or installs stable via Macports (ends up in /opt/local) or Brew (AFAIK, ends up in /usr/local/ssl).
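
Added example, not part of any message in the thread: Viktor's and Uri's replies above show that the `openssl` found on a Mac may report OpenSSL 0.9.8, a packaged OpenSSL 1.0.2/1.1.x, or LibreSSL 2.2.7, so a build script that checks for a minimum release has to treat LibreSSL separately instead of comparing its 2.x number against OpenSSL's. The function names and all sample banners except `LibreSSL 2.2.7` are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether an `openssl version` banner satisfies a minimum
# OpenSSL release. LibreSSL is reported separately because its version numbers
# (2.x) are on a different scale and must not be compared with OpenSSL's.

# parse_banner "<banner>" -> prints "<flavor> <major> <minor> <patch>"
parse_banner() {
    flavor=${1%% *}                     # first word: OpenSSL or LibreSSL
    rest=${1#* }
    ver=${rest%% *}                     # second word, e.g. 1.0.2p
    # Drop any letter suffix (p, zh, k-fips) so only digits and dots remain.
    ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    printf '%s %s %s %s\n' "$flavor" "${1:-0}" "${2:-0}" "${3:-0}"
}

# check_minimum "<banner>" "<min major.minor.patch>"
# returns 0: OpenSSL at or above the minimum
#         1: OpenSSL, but older than the minimum
#         2: not OpenSSL (e.g. LibreSSL), version not comparable
check_minimum() {
    set -- $(parse_banner "$1") $(printf '%s' "$2" | tr . ' ')
    # now: $1 flavor, $2 $3 $4 installed version, $5 $6 $7 required minimum
    [ "$1" = "OpenSSL" ] || return 2
    have=$(( $2 * 10000 + $3 * 100 + $4 ))
    want=$(( $5 * 10000 + ${6:-0} * 100 + ${7:-0} ))
    [ "$have" -ge "$want" ]
}

# Real use: check_minimum "$(/usr/bin/openssl version)" 1.1.0
# Constructed sample banners (LibreSSL 2.2.7 is the one quoted in the thread).
for banner in "OpenSSL 0.9.8zh 14 Jan 2016" "OpenSSL 1.0.2p  14 Aug 2018" \
              "OpenSSL 1.1.1  11 Sep 2018" "LibreSSL 2.2.7"; do
    rc=0; check_minimum "$banner" 1.1.0 || rc=$?
    case $rc in
        0) verdict="meets minimum" ;;
        1) verdict="OpenSSL, but older than minimum" ;;
        *) verdict="not OpenSSL, version not comparable" ;;
    esac
    printf '%-30s %s\n' "$banner" "$verdict"
done
```

A naive numeric comparison would accept `LibreSSL 2.2.7` as newer than 1.1.0; the separate return code is what prevents that.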


Re: updating openssl on MacOS

Dominyk Tiller
In reply to this post by Blumenthal, Uri - 0553 - MITLL
Thanks Uri.

On the Homebrew side the same sort of loose plan is being followed. I
recently departed the project for unrelated reasons but before I left I
was pushing a timetable of no later than Summer 2019 to have migrated
everything over to OpenSSL 1.1.1, likely with some package-availability
casualties, and the 1.0.2x series to be removed entirely by the end of
2019 when it hits EOL.

I was essentially the one pushing the timeline/roadmap on that so I
can't speak for what will happen now, but I would expect `brew install
openssl` to eventually equal installing OpenSSL 1.1.1x (Assuming there
isn't a broadly-compatible 1.1.2x or such by then, etc). 1.1.0x is no
longer available through Homebrew as of the 1.1.1 release, and again
whilst not an official comment any more, isn't likely to make a return.

Dom
===
Sent from macOS.

On 20/09/2018 21:36, Blumenthal, Uri - 0553 - MITLL wrote:

> Macports team is working on upgrading OpenSSL to 1.1.1. It takes time because they plan to move all the ports that depend on OpenSSL to that level. I assume that once that is done, 1.0.2 won't be supported/available on Macports anymore.
>
> Installation - as Dominyk said: "sudo port install openssl" (possibly with parameters, check for them via "port info openssl"), and Macports would do the right thing. ;-)
>
> I'm not aware of any efforts by Macports to support 1.1.0.
>
> Thanks!
> —
> Regards,
> Uri
>
> On 9/20/18, 4:04 PM, "openssl-users on behalf of Dominyk Tiller" <[hidden email] on behalf of [hidden email]> wrote:
>
>     FWIW on macOS:
>    
>     If you use Homebrew and want/need OpenSSL 1.1.1 then `brew install
>     openssl@1.1`. If you want the 1.0.2x series `brew install openssl`
>     currently is & will likely remain attached to 1.0.2x for the foreseeable.
>    
>     If you use MacPorts and want OpenSSL 1.0.2x then `sudo port install
>     openssl`. As far as I'm aware MacPorts does not currently offer a port
>     for either 1.1.0x or 1.1.1x.
>    
>     If you use Nix and want OpenSSL 1.1.1 then `nix-env -i openssl-1.1.1`
>     (I'm unsure if this has made it into a stable release of Nix yet) and if
>     you want OpenSSL 1.0.2x then `nix-env -i openssl-1.0.2p`. You can get
>     nix to spit out a list of OpenSSL versions available via `nix-env -qa
>     openssl`.
>    
>     Hope this helps some. I'm not sure what the situation is with fink or
>     pkgsrc, or any newer package managers for the platform I'm unaware of.
>    
>     Dom
>     ===
>     Sent from macOS.
>    
>     On 20/09/2018 20:53, Salz, Rich via openssl-users wrote:
>     > It's hard enough for the openssl team to document the basic config/build things, let alone all the operating systems and vendor-supplied stuff.
>     >
>     > Perhaps a wiki page, that the community could help maintain?
>     >  
>     >
>    
>
>

Re: updating openssl on MacOS

Michael Richardson
In reply to this post by OpenSSL - User mailing list
Salz, Rich via openssl-users <[hidden email]> wrote:
    > It's hard enough for the openssl team to document the basic
    > config/build things, let alone all the operating systems and
    > vendor-supplied stuff.

    > Perhaps a wiki page, that the community could help maintain?

that's what I had in mind.
