12 Replies Latest reply: Aug 25, 2010 1:54 PM by Nils C. Anderson
mickey13 Level 1 (0 points)
Does Apple have a preferred / official way to update OpenSSL for Snow Leopard?

If not, does the existing version need to be removed if the new version is compiled from source? Are there any complications with that? And what all gets installed? I get /usr/bin/openssl when I run "which openssl", but only the executable is there. Are there libraries that need to be replaced? Thanks for the help.

MacBook Pro, Mac OS X (10.6.4)
  • Nils C. Anderson Level 4 (3,495 points)
    I'm certainly no expert, but if you download and compile a version from http://openssl.org/, it can
    co-exist with the version that comes with OS X.

    I just compiled

    OpenSSL 1.0.0a 1 Jun 2010
    built on: Fri Aug 20 18:19:22 EDT 2010

    and it built without any problems or complications. All tests were successful as well.

    I'll leave the other question for someone who knows more than I.
  • etresoft Level 7 (27,125 points)
    Nils is correct. You do not want to replace any part of the OS. If, for some reason, you must have a newer version of openssl, download the source, compile, and install it. Then, any programs you build that use OpenSSL will use your new version.
  • mickey13 Level 1 (0 points)
    Thanks for the replies. When I've compiled some things from source before (Ruby 1.9.1 for example), I feel like I'm not guaranteed that it will always be used as opposed to a previous version. In the Ruby example, when I ran "ruby -v" I would get 1.9.1, but on my webpages, I would see the older version listed. I felt like I might get the same behavior if I built OpenSSL the same way. Any ideas?
  • BobHarris Level 6 (15,965 points)
    You have to set your PATH environment variable correctly, for the environments where you want to run the command.
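    As an added illustration of the PATH point (example code written for this edit, not posted by anyone in the thread): a shell runs the first executable named openssl it meets while walking PATH from left to right, so a copy installed under /usr/local is only picked up when its directory is listed ahead of /usr/bin. The script creates two stub openssl programs in a temporary directory, standing in for Apple's /usr/bin copy and a self-built copy, and shows which one each PATH order selects. The stub directories, the stubs themselves and the version strings they print are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: which "openssl" a shell runs is decided
# purely by PATH order. The stubs below are constructed fakes standing in for
# Apple's /usr/bin/openssl and a self-built copy, so the demo runs anywhere.

# List every executable named openssl on the given PATH, in lookup order,
# together with what each one prints for "openssl version".
list_openssl_on_path() {
    saved_ifs="$IFS"
    IFS=:
    for dir in $1; do
        if [ -x "$dir/openssl" ]; then
            printf '%s\t%s\n' "$dir/openssl" "$("$dir/openssl" version)"
        fi
    done
    IFS="$saved_ifs"
}

# The copy the shell would actually execute: the first hit in PATH order.
first_openssl_on_path() {
    list_openssl_on_path "$1" | head -n 1 | cut -f 1
}

# --- constructed fixtures (fake directories and fake openssl stubs) ----------
make_fixtures() {
    DEMO="$(mktemp -d)"
    FAKE_SYS="$DEMO/usr/bin"          # stands in for Apple's /usr/bin
    FAKE_LOCAL="$DEMO/usr/local/bin"  # stands in for a self-built install
    mkdir -p "$FAKE_SYS" "$FAKE_LOCAL"
    printf '#!/bin/sh\necho "OpenSSL 0.9.8l (fake Apple copy)"\n' > "$FAKE_SYS/openssl"
    printf '#!/bin/sh\necho "OpenSSL 1.0.0a 1 Jun 2010 (fake self-built copy)"\n' > "$FAKE_LOCAL/openssl"
    chmod +x "$FAKE_SYS/openssl" "$FAKE_LOCAL/openssl"
}

cleanup_fixtures() {
    rm -rf "$DEMO"
}

make_fixtures

echo "PATH=/usr/local/bin:/usr/bin -> the self-built copy is found first:"
list_openssl_on_path "$FAKE_LOCAL:$FAKE_SYS"
echo
echo "PATH=/usr/bin:/usr/local/bin -> Apple's copy is found first:"
list_openssl_on_path "$FAKE_SYS:$FAKE_LOCAL"
echo
echo "With the second PATH the shell would run: $(first_openssl_on_path "$FAKE_SYS:$FAKE_LOCAL")"

cleanup_fixtures
```

    On a real Snow Leopard box, call list_openssl_on_path "$PATH" to see every copy the shell can reach. Note that OpenSSL's own default install prefix is /usr/local/ssl, so a stock build puts its binary in /usr/local/ssl/bin, a directory that is not on the default PATH at all; that alone explains why "which openssl" keeps pointing at /usr/bin/openssl after a source install.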
  • etresoft Level 7 (27,125 points)
    mickey13 wrote:
    When I've compiled some things from source before (Ruby 1.9.1 for example), I feel like I'm not guaranteed that it will always be used as opposed to a previous version. In the Ruby example, when I ran "ruby -v" I would get 1.9.1, but on my webpages, I would see the older version listed.


    That is because the new version of Ruby that you built has no effect on the version that Apache was built with.

    I felt like I might get the same behavior if I built OpenSSL the same way. Any ideas?


    I'm positive that you would get exactly the same behavior. Why do you want a newer version of OpenSSL?
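    As an added check for etresoft's point (example code written for this edit, not from anyone in the thread): a program keeps using the libssl/libcrypto it was linked against, no matter which openssl binary is first on PATH. On Mac OS X, "otool -L <binary>" lists the shared libraries a binary loads, and the classifier below reads that output and reports whether the OpenSSL libraries come from Apple's /usr/lib or from somewhere else. The otool output it runs on is a constructed sample (binary names and version numbers are illustrative), so the check runs without a Mac.

```shell
#!/bin/sh
# Added example, not from the thread: a program uses the libssl/libcrypto it
# was linked against, whatever "openssl" binary is first on PATH. On Mac OS X
# "otool -L <binary>" prints those linked libraries; the classifier below reads
# that output and says whether they come from Apple's /usr/lib or elsewhere.
# The otool output used here is a constructed sample so the check runs anywhere.

# Read otool -L style text on stdin and print one word:
#   system - every OpenSSL library is under /usr/lib (Apple's copy)
#   custom - every OpenSSL library is somewhere else (e.g. a self-built /usr/local)
#   mixed  - some of each, which usually means trouble at load time
#   none   - the binary does not link OpenSSL dynamically at all
classify_openssl_linkage() {
    awk '
        /libssl|libcrypto/ {
            if ($1 ~ /^\/usr\/lib\//) sys++; else other++
        }
        END {
            if (sys && other)   print "mixed"
            else if (other)     print "custom"
            else if (sys)       print "system"
            else                print "none"
        }'
}

# Convenience wrapper so a sample held in a variable can be classified.
classify_sample() {
    printf '%s\n' "$1" | classify_openssl_linkage
}

# Constructed samples in the shape otool -L prints (binary names and version
# numbers are illustrative, not taken from a real machine).
SAMPLE_SYSTEM='/usr/bin/some-apple-tool:
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.0.0)'

SAMPLE_CUSTOM='/usr/local/bin/my-tool:
    /usr/local/ssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/ssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.0.0)'

SAMPLE_NONE='/bin/some-tool-without-ssl:
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.0.0)'

echo "some-apple-tool      -> $(classify_sample "$SAMPLE_SYSTEM")"
echo "my-tool              -> $(classify_sample "$SAMPLE_CUSTOM")"
echo "tool without ssl     -> $(classify_sample "$SAMPLE_NONE")"
```

    On a Snow Leopard machine, run otool -L on the program or module you care about and pipe it into classify_openssl_linkage. A result of "system" confirms what etresoft describes: a newer OpenSSL built into /usr/local changes nothing for that binary until it is rebuilt against the new libraries.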
  • mickey13 Level 1 (0 points)
    Ruby would be a module, right; not compiled as part of apache?

    Got an SSL negotiation error when I did a large subversion commit. Figured updating might fix that.
  • etresoft Level 7 (27,125 points)
    mickey13 wrote:
    Ruby would be a module, right; not compiled as part of apache?


    I don't know for sure. All of the official Apache modules need to be built with the same settings that Apache is built with. If you need to update one, you normally have to update them all. That can get messy in a hurry.

    I don't know how Ruby specifically is handled. It could be a module or the Apache config files could define a specific path to use for Ruby. Perl, for example, can be done either way.

    Got an SSL negotiation error when I did a large subversion commit. Figured updating might fix that.


    I doubt it. It would be best to focus on identifying and resolving those errors.
  • mickey13 Level 1 (0 points)
    For a workaround, I just did a bunch of small commits and it worked fine. To me this sounds like a bug that very well could have been resolved going from OpenSSL 0.9.8l to 1.0.0a, especially since it's a major release. But if updating the software could cause more problems than it fixes then it seems better to not try it. I just don't get why the version shipped with Mac OS X is treated as a special case, and shouldn't ever be touched. My understanding is, that is the case with any software that someone wants to update via compiling it from source.
  • etresoft Level 7 (27,125 points)
    mickey13 wrote:
    I just don't get why the version shipped with Mac OS X is treated as a special case, and shouldn't ever be touched. My understanding is, that is the case with any software that someone wants to update via compiling it from source.


    Anything shipped with MacOS X is a special case. You shouldn't update it unless you absolutely have to. The open-source programmers who write this stuff do NOT test or build on MacOS X. You don't want to install it until Apple has built the OS with it.

    If there is something you really need and/or want, you can always install it into some non-system path such as /usr/local and build your own applications with it. There is no guarantee it will build or work properly.

    The one thing you don't ever want to do is try to replace anything that Apple ships. Even if it works, it could easily break future software updates and leave you vulnerable to all sorts of bugs and security holes. That is, of course, assuming you haven't hosed your system entirely.
  • mickey13 Level 1 (0 points)
    Does Apple update their version of OpenSSL and other open source packages that they use?
  • etresoft Level 7 (27,125 points)
    mickey13 wrote:
    Does Apple update their version of OpenSSL and other open source packages that they use?


    Sure, just not that often. Apple updates much more frequently than the big Linux distributions like RedHat or CentOS.
  • Nils C. Anderson Level 4 (3,495 points)
    It may also be the case that while Apple doesn't update to the latest version of openssl, or other packages, they may still back-port some of the bug fixes to older versions of openssl. You have to check the change logs for openssl to see if this is the case, though.