How to upgrade OpenSSL in OS X?

For what it's worth, I just used homebrew (http://brew.sh/):

brew update                  # refresh the formula index first
brew install openssl
brew link --force openssl    # put brew's openssl ahead of the system copy
openssl version -a           # confirm the version you now get on PATH

If one of the bad versions comes up (1.0.1a-f), you can figure out which openssl you're using this way:

which openssl

Often this is from /usr/bin. To make sure you get the updated version, drop a symlink into /usr/local/bin to point to the updated openssl, like this:

ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/local/bin/openssl

As an alternative to that final step, some people replace the openssl in /usr/bin with a symlink to /usr/local/Cellar/openssl/1.0.1g/bin/openssl (or whatever your version is):

sudo mv /usr/bin/openssl /usr/bin/openssl_OLD   # /usr/bin is root-owned, so both steps need sudo
sudo ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/bin/openssl

But this is known to cause problems with some more recent versions of OSX. Better to just insert a new symlink into /usr/local/bin, which should take precedence on your path over /usr/bin.


Or, for those who are using MacPorts and are not worried about keeping the version:

sudo port upgrade openssl

simples :-)


For resolving OCSP Status Request extension unbounded memory growth (CVE-2016-6304) on macOS Sierra using brew with System Integrity Protection enabled:

  1. Temporarily adjust permissions on /usr/local so brew can update:

    sudo chgrp -R admin /usr/local
    sudo chmod -R g+w /usr/local
    
  2. Install the updated version of OpenSSL (you probably want 1.0.2i):

    brew install openssl
    
  3. You may want/need to delete an existing symlink to openssl from /usr/local/bin:

    rm /usr/local/bin/openssl
    
  4. Re-link the proper brew version:

    sudo ln -s /usr/local/Cellar/openssl/1.0.2i/bin/openssl /usr/local/bin/openssl
    
  5. Restore original permissions on /usr/local:

    sudo chown root:wheel /usr/local
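
The first answer's "which openssl" check and the Sierra answer's 1.0.2i threshold, as an added shell script (not code from any of the answers above): it reports which openssl the shell resolves and which one sits in /usr/bin, flags the releases this page names as bad (1.0.1a-f, and 1.0.2 before 1.0.2i for CVE-2016-6304; releases with no letter, such as a bare 1.0.1, are treated as older than the first fixed release, which is an assumption on my part), and checks that /usr/local/bin really does precede /usr/bin in PATH, since the symlink trick depends on that.

```sh
#!/bin/sh
# Added example, not from the original answers. Assumes the Homebrew symlink
# lives in /usr/local/bin and the stock copy in /usr/bin, as in the answers.

# Pull "1.0.1e" out of a line such as "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version_tag() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Return 0 (true) if VERSION is one of the releases flagged on this page:
#   anything below 1.0.1g  (1.0.1a-f per the first answer; bare 1.0.1 is
#                           older still, which is my assumption, not the page's)
#   anything below 1.0.2i  (CVE-2016-6304, fixed in 1.0.2i per the Sierra answer)
# Return 1 for every other version, including branches not checked here.
needs_upgrade() {
    case "$1" in
        1.0.1)        return 0 ;;   # assumption: predates 1.0.1a
        1.0.1[a-f]*)  return 0 ;;   # "*" tolerates suffixes like "-fips"
        1.0.1*)       return 1 ;;   # 1.0.1g and later
        1.0.2)        return 0 ;;   # assumption: predates 1.0.2a
        1.0.2[a-h]*)  return 0 ;;
        1.0.2*)       return 1 ;;   # 1.0.2i and later
        *)            return 1 ;;   # 0.9.8, 1.1.x, ...: not checked by this script
    esac
}

# Return 0 if /usr/local/bin is searched before /usr/bin in the PATH string
# given as $1, i.e. a symlink dropped into /usr/local/bin will actually win.
local_bin_first() {
    printf '%s\n' "$1" | awk -F: '
        { for (i = 1; i <= NF; i++) {
              if ($i == "/usr/local/bin") { print "yes"; exit }
              if ($i == "/usr/bin")       { print "no";  exit }
          }
          print "no" }' | grep -q yes
}

# Report on the openssl found on PATH and on the stock /usr/bin copy, if any.
report() {
    for bin in "$(command -v openssl 2>/dev/null)" /usr/bin/openssl; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        line=$("$bin" version 2>/dev/null) || continue
        tag=$(openssl_version_tag "$line")
        if needs_upgrade "$tag"; then
            printf '%s -> %s : flagged on this page, upgrade it\n' "$bin" "$tag"
        else
            printf '%s -> %s : not one of the flagged releases\n' "$bin" "$tag"
        fi
    done
    if local_bin_first "$PATH"; then
        echo "/usr/local/bin precedes /usr/bin in PATH: a symlink there will be used"
    else
        echo "warning: /usr/bin precedes /usr/local/bin in PATH (or /usr/local/bin is absent)"
    fi
}

report
```

Run it after `brew link --force openssl` or after dropping the symlink into /usr/local/bin; if the warning about PATH order appears, the symlink is in place but `openssl` will still resolve to the stock binary until PATH is fixed.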
    

Whoever doesn't want to use brew or ports and just wants to replace the default OpenSSL 0.9.8 installation can always disable System Integrity Protection by rebooting into Recovery Mode (Cmd+R) and issuing

csrutil disable

and afterwards compile openssl with

./config --prefix=/usr    # install over the system copy instead of /usr/local
make
sudo make install         # writing into /usr needs root even with SIP disabled

It successfully replaced OpenSSL in El Capitan for me and I was able to compile curl and Apache's httpd 2.4 without any issue directly from sources. The reasoning behind the method, which some might consider drastic, is that El Capitan is no longer maintained by Apple and no updates are forthcoming, so it likely won't break. Secondly, it saves you from pointing to the openssl folder in /usr/local for every program you compile, making compilation more robust.