LibreSSL and OpenSSL and *SSL
Jan Stary
hans at stare.cz
Wed Feb 21 20:29:23 UTC 2018
On Feb 21 16:05:41, hans at stare.cz wrote:
> First things first: the newer releases of MacOS (10.13.2 here)
> already provide various implementations of crypto/ssl/tls,
> including OpenSSL, LibreSSL and (Google's) BoringSSL:
>
> hans at fitbook:~$ ls -l /usr/lib/*ssl*
> -rwxr-xr-x 1 root wheel 1236144 Jan 19 09:32 /usr/lib/libboringssl.dylib
> -rwxr-xr-x 1 root wheel 392912 Dec 1 20:39 /usr/lib/libssl.0.9.7.dylib
> -rwxr-xr-x 1 root wheel 630144 Dec 1 20:38 /usr/lib/libssl.0.9.8.dylib
> -rw-r--r-- 1 root wheel 947104 Dec 1 20:38 /usr/lib/libssl.35.dylib
> -rw-r--r-- 1 root wheel 890800 Dec 1 20:39 /usr/lib/libssl.43.dylib
> lrwxr-xr-x 1 root wheel 15 Dec 10 11:39 /usr/lib/libssl.dylib -> libssl.35.dylib
>
> hans at fitbook:~$ ls -l /usr/lib/*tls*
> -rwxr-xr-x 1 root wheel 287408 Dec 1 20:39 /usr/lib/libcoretls.dylib
> -rwxr-xr-x 1 root wheel 60464 Dec 1 20:39 /usr/lib/libcoretls_cfhelpers.dylib
> -rw-r--r-- 1 root wheel 159264 Dec 1 20:39 /usr/lib/libtls.15.dylib
> -rw-r--r-- 1 root wheel 92032 Dec 1 20:39 /usr/lib/libtls.6.dylib
> lrwxr-xr-x 1 root wheel 14 Dec 10 11:39 /usr/lib/libtls.dylib -> libtls.6.dylib
>
> hans at fitbook:~$ ls -l /usr/lib/*crypto*
> -rwxr-xr-x 1 root wheel 13520 Jan 19 09:32 /usr/lib/libapple_crypto.dylib
> -rwxr-xr-x 1 root wheel 2023584 Dec 1 20:39 /usr/lib/libcrypto.0.9.7.dylib
> -rwxr-xr-x 1 root wheel 2599488 Dec 1 20:38 /usr/lib/libcrypto.0.9.8.dylib
> -rw-r--r-- 1 root wheel 4228016 Dec 1 20:39 /usr/lib/libcrypto.35.dylib
> -rw-r--r-- 1 root wheel 4274800 Dec 1 20:39 /usr/lib/libcrypto.41.dylib
> lrwxr-xr-x 1 root wheel 18 Dec 10 11:39 /usr/lib/libcrypto.dylib -> libcrypto.35.dylib
> lrwxr-xr-x 1 root wheel 54 Dec 10 11:39 /usr/lib/libk5crypto.dylib -> /System/Library/Frameworks/Kerberos.framework/Kerberos
>
>
> The default SSL implementation is /usr/lib/libssl.dylib -> libssl.35.dylib,
> the base MacOS binaries are compiled against (wait for it) LibreSSL,
>
> hans at fitbook:~$ /usr/bin/curl --version
> curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20
> zlib/1.2.11 nghttp2/1.24.0
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
> pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
> SSL libz HTTP2 UnixSockets HTTPS-proxy
>

Also,

$ /usr/bin/openssl
OpenSSL> version
LibreSSL 2.2.7

> and if you link with -lssl, you are using LibreSSL:
>
> hans at fitbook$ cc -o prog prog.c -lssl
> hans at fitbook$ otool -L ./prog
> ./prog:
> /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
> /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
>
>
> Let me say it again:
> MacOS _has_already_moved_ to LibreSSL as the default.

The adoption seems to have started no later than with 10.11.4
https://eclecticlight.co/2016/03/23/the-tls-mess-in-os-x-el-capitan/
(The latest I have before this 10.13.2 is 10.6.8)

Jan
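
The `otool -L` check from the message above, turned into a small filter (an added example, not part of the original post). The mapping from library name to implementation is an assumption taken from the listing in the message; the function names and the `./oldprog` sample are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): report which TLS library
# a binary is linked against, given `otool -L` output on stdin.

# Map one dylib install name to an implementation. Assumption: only the
# names identified in the message above are classified; anything else that
# looks like libssl is reported as "unknown" rather than guessed.
classify_tls_lib() {
    case "${1##*/}" in
        libboringssl.dylib) echo BoringSSL ;;
        libssl.0.9.*)       echo OpenSSL ;;    # 0.9.7 / 0.9.8 in the listing
        libssl.35.dylib)    echo LibreSSL ;;   # target of /usr/lib/libssl.dylib
        libssl.*)           echo unknown ;;
        *)                  echo none ;;
    esac
}

# Read `otool -L` output; print "<implementation> <path>" per TLS library.
# The first line ("./prog:") and non-TLS libraries classify as "none".
tls_links() {
    while read -r path _rest; do
        impl=$(classify_tls_lib "$path")
        [ "$impl" = none ] || printf '%s %s\n' "$impl" "$path"
    done
}

# The otool output quoted in the message.
sample_default() {
    cat <<'EOF'
./prog:
    /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
EOF
}

# Constructed sample: a hypothetical binary built against the old 0.9.8 dylib.
sample_legacy() {
    cat <<'EOF'
./oldprog:
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
EOF
}

sample_default | tls_links   # LibreSSL /usr/lib/libssl.35.dylib
sample_legacy  | tls_links   # OpenSSL /usr/lib/libssl.0.9.8.dylib
```

On a real system, feed it live output with `otool -L ./prog | tls_links`.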
More information about the macports-dev
mailing list