Why is Apple using an older version of OpenSSL?
Solution 1:
Why is Apple using a vulnerable version of OpenSSL?
It isn't.
If you click on the link you posted in your question, you will see that this update patches a number of vulnerabilities which exist identically in OpenSSL 0.9.8, 1.0.0, 1.0.1, and 1.0.2.
So, in other words, the version you are later suggesting as an alternative, 1.0.2, was just as vulnerable as 0.9.8 was, and both were fixed at the same time.
With the newest OS X Update (10.10.5), Apple is introducing OpenSSL 0.9.8. I browsed through the official OpenSSL page, and there I could get Version 1.0.2.
Apple is updating OpenSSL to 0.9.8zg, which is just 2 months old, and only 4 weeks older than 1.0.2d.
My question is: Why is Apple using an older Version of OpenSSL? Is it because of deprecated functions in Version 1.0 or what is the reason behind it?
That is something you will have to ask Apple. My best guess is that 0.9.8 is the version they did their compatibility testing with, and upgrading to a newer version would require a completely new round of testing for a component that is deprecated anyway. Since it is deprecated, newer software (which would possibly rely on newer features) shouldn't use it anyway, and older software which still uses it doesn't use the new features (because they didn't exist) and might even be broken by an update, so why bother?
As long as the OpenSSL community still maintains the 0.9.8 branch, Apple doesn't even have to do the work of backporting patches.
Note that this is nothing unusual. Apple shipped an old version of Ruby for a very long time, and they generally don't update during a release cycle, only in between releases. Linux distributions as well BSDs and other Unix distributions also typically don't update versions during a release, they only apply bugfixes and security fixes. Debian, in particular, generally doesn't even fix all bugs, only security vulnerabilities and bugs which might result in loss of user data – any change, even a bugfix is a potential incompatibility and a potential for new bugs; known bugs are better than unknown ones!
Solution 2:
OpenSSL is deprecated officially. It exists (for what little time Apple allows going forward) to not break software that doesn't either migrate to Apple's alternative or bundle SSL internally with the app.
See the Apple Developer link for the deprecation announcement: (the other links are easier reading / more synthesis of the why as to the what)
- https://stackoverflow.com/questions/7406946/why-is-apple-deprecating-openssl-in-macos-10-7-lion
- http://rentzsch.tumblr.com/post/33696323211/wherein-i-write-apples-technote-about-openssl-on
- https://developer.apple.com/library/mac/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html