
For those on OS X, `brew install libressl`. Note the actual binary is still called `openssl`, but you can tell because it's half the size.


Is `openssl` a symlink to `libressl`, which acts differently based on argv0?

I'd love to get away from some of openssl's arcane flags... :-)


It's not a symlink, but that's a good idea. E.g., openssl has 'nodes' (no DES) which means 'don't encrypt the file you're about to make', and if you omitted it and did encrypt, it wouldn't use DES anymore anyway.


Doesn't iOS 9 use LibreSSL, too, now?


OSX 10.11 seems to ship with it too:

  /usr/bin/ssh -V
  OpenSSH_6.9p1, LibreSSL 2.1.7


The openssl binary in El Capitan (pretty sure this came with OS X 10.11 because of the path) is still on the 0.98 branch. Curious.

    $ openssl version
    OpenSSL 0.9.8zg 14 July 2015

    $ which openssl
    /usr/bin/openssl


Apple for the longest time shipped OpenSSL as a library that developers could link against in their binaries. Unfortunately, OpenSSL even in minor versions could and would change function calls, thereby making it almost impossible to keep up to date with OpenSSL for dynamic libraries, because each new version required the developer to recompile the binary.

Apple thus stopped shipping OpenSSL and has officially deprecated it; these days you won't find headers for it anywhere in the stock system, and there is no official way to link against it anymore either in El Capitan. It just exists for backwards compatibility.

If a developer now wants to use OpenSSL in their binary instead of the Common Crypto framework that Apple provides they will have to provide their own version of the library in their application, and they are then responsible for making sure users get patched in time.


Thanks. It looks like they're still shipping it (e.g., it's in /usr/bin on El Capitan which is otherwise protected) but they're not shipping headers. Do you have a link for them deprecating it?


They put deprecation warnings in the headers starting with 10.7, and I'm pretty sure there was a WWDC talk (hopefully still available) mentioning it.

These two links roughly explain the issues/reasoning:

http://rentzsch.tumblr.com/post/33696323211/wherein-i-write-...

http://ludovicrousseau.blogspot.com/2011/08/mac-os-x-lion-an...


Yep, they are still shipping the binary, mostly for compatibility for scripts that require it. I have a feeling even that binary is eventually going to get dropped.


Developers link against system OpenSSL, so Apple can basically never upgrade it.


I'm not sure that Apple promised to stay with OpenSSL. Apple developed the CryptoCommons wrapper for some OpenSSL methods and I'm sure that they can make it work with LibreSSL. I was under the impression that it was made specifically to be able to drop OpenSSL when they would want it.


Those are the newer libraries you're _supposed_ to use, rather than OpenSSL. It's mostly older applications and codebases that limit Apple. I could imagine a stop-point but Apple obsesses a lot about not breaking backwards compatibility.

Don't forget their version is ancient (API-wise; they back-port fixes) and LibreSSL is much newer, so it's not a drop-in replacement for such an old version.


> obsesses a lot about not breaking backwards compatibility

Lo, how times have changed. ;-)



