LibreSSL and OpenSSL and *SSL

Jan Stary hans at stare.cz
Wed Feb 21 15:05:41 UTC 2018


A simple patch to allow opusfile to build against LibreSSL
https://github.com/macports/macports-ports/pull/1217
devolved into an OpenSSL/LibreSSL debate
that probably belongs here instead.


First things first: the newer releases of MacOS (10.13.2 here)
already provide various implementations of crypto/ssl/tls,
including OpenSSL, LibreSSL and (Google's) BoringSSL:

hans at fitbook:~$ ls -l /usr/lib/*ssl*
-rwxr-xr-x  1 root  wheel  1236144 Jan 19 09:32 /usr/lib/libboringssl.dylib
-rwxr-xr-x  1 root  wheel   392912 Dec  1 20:39 /usr/lib/libssl.0.9.7.dylib
-rwxr-xr-x  1 root  wheel   630144 Dec  1 20:38 /usr/lib/libssl.0.9.8.dylib
-rw-r--r--  1 root  wheel   947104 Dec  1 20:38 /usr/lib/libssl.35.dylib
-rw-r--r--  1 root  wheel   890800 Dec  1 20:39 /usr/lib/libssl.43.dylib
lrwxr-xr-x  1 root  wheel       15 Dec 10 11:39 /usr/lib/libssl.dylib -> libssl.35.dylib

hans at fitbook:~$ ls -l /usr/lib/*tls*
-rwxr-xr-x  1 root  wheel  287408 Dec  1 20:39 /usr/lib/libcoretls.dylib
-rwxr-xr-x  1 root  wheel   60464 Dec  1 20:39 /usr/lib/libcoretls_cfhelpers.dylib
-rw-r--r--  1 root  wheel  159264 Dec  1 20:39 /usr/lib/libtls.15.dylib
-rw-r--r--  1 root  wheel   92032 Dec  1 20:39 /usr/lib/libtls.6.dylib
lrwxr-xr-x  1 root  wheel      14 Dec 10 11:39 /usr/lib/libtls.dylib -> libtls.6.dylib

hans at fitbook:~$ ls -l /usr/lib/*crypto*
-rwxr-xr-x  1 root  wheel    13520 Jan 19 09:32 /usr/lib/libapple_crypto.dylib
-rwxr-xr-x  1 root  wheel  2023584 Dec  1 20:39 /usr/lib/libcrypto.0.9.7.dylib
-rwxr-xr-x  1 root  wheel  2599488 Dec  1 20:38 /usr/lib/libcrypto.0.9.8.dylib
-rw-r--r--  1 root  wheel  4228016 Dec  1 20:39 /usr/lib/libcrypto.35.dylib
-rw-r--r--  1 root  wheel  4274800 Dec  1 20:39 /usr/lib/libcrypto.41.dylib
lrwxr-xr-x  1 root  wheel       18 Dec 10 11:39 /usr/lib/libcrypto.dylib -> libcrypto.35.dylib
lrwxr-xr-x  1 root  wheel       54 Dec 10 11:39 /usr/lib/libk5crypto.dylib -> /System/Library/Frameworks/Kerberos.framework/Kerberos


The default SSL implementation is /usr/lib/libssl.dylib -> libssl.35.dylib,
the base MacOS binaries are compiled against (wait for it) LibreSSL,

  hans at fitbook:~$ /usr/bin/curl --version
  curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20
  zlib/1.2.11 nghttp2/1.24.0
  Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
  pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
  Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
  SSL libz HTTP2 UnixSockets HTTPS-proxy 

and if you link with -lssl, you are using LibreSSL:

  hans at fitbook$ cc -o prog prog.c -lssl
  hans at fitbook$ otool -L ./prog
  ./prog:
      /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
      /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)


Let me say it again:
MacOS _has_already_moved_ to LibreSSL as the default.


(I'll reply to the comments from the original
closed thread in a followup mail.)

	Jan
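
The two checks shown in the message above (`otool -L` on a binary, `curl --version`) can be scripted to inventory which TLS library a set of binaries actually uses. This is an added example, not part of the original mail; the function names are hypothetical and the sample input is copied from the transcripts in the message.

```shell
#!/bin/sh
# Added example: identify the TLS/crypto library a binary is tied to.
# Function names are hypothetical; sample data is the message's own output.

# stdin: `otool -L` output. stdout: path of every linked
# libssl / libcrypto / libtls / libboringssl dylib, one per line.
linked_tls_libs() {
    # Dependency lines: "<ws>/path/to/lib.dylib (compatibility version ...)"
    sed -n 's|^[[:space:]]*\(/[^ ]*\) (compatibility version .*$|\1|p' |
        grep -E '/lib(ssl|crypto|tls|boringssl)[.][^/]*dylib$' || true
}

# stdin: `curl --version` output. stdout: the TLS backend token
# from the banner line, e.g. "LibreSSL/2.0.20".
curl_tls_backend() {
    head -n 1 | tr ' ' '\n' |
        grep -E '^(LibreSSL|OpenSSL|BoringSSL)(/|$)' | head -n 1
}

# Sample input, taken from the transcripts in the message.
sample_otool() {
    cat <<'EOF'
./prog:
    /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
EOF
}

sample_curl() {
    cat <<'EOF'
curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
Protocols: dict file ftp ftps gopher http https
EOF
}

# On a live macOS system: pass a binary path to inspect it directly.
if [ "$#" -gt 0 ] && command -v otool >/dev/null 2>&1; then
    otool -L "$1" | linked_tls_libs
else
    echo "linked:  $(sample_otool | linked_tls_libs)"
    echo "backend: $(sample_curl | curl_tls_backend)"
fi
```

A binary that links no TLS library produces empty output from `linked_tls_libs` rather than an error, so the function can be run over a whole directory of binaries.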




More information about the macports-dev mailing list