LibreSSL and OpenSSL and *SSL

Jan Stary hans at stare.cz
Wed Feb 21 20:29:23 UTC 2018


On Feb 21 16:05:41, hans at stare.cz wrote:
> First things first: the newer releases of MacOS (10.13.2 here)
> already provide various implementations of crypto/ssl/tls,
> including OpenSSL, LibreSSL and (Google's) BoringSSL:
> 
> hans at fitbook:~$ ls -l /usr/lib/*ssl*
> -rwxr-xr-x  1 root  wheel  1236144 Jan 19 09:32 /usr/lib/libboringssl.dylib
> -rwxr-xr-x  1 root  wheel   392912 Dec	1 20:39 /usr/lib/libssl.0.9.7.dylib
> -rwxr-xr-x  1 root  wheel   630144 Dec	1 20:38 /usr/lib/libssl.0.9.8.dylib
> -rw-r--r--  1 root  wheel   947104 Dec	1 20:38 /usr/lib/libssl.35.dylib
> -rw-r--r--  1 root  wheel   890800 Dec	1 20:39 /usr/lib/libssl.43.dylib
> lrwxr-xr-x  1 root  wheel	15 Dec 10 11:39 /usr/lib/libssl.dylib -> libssl.35.dylib
> 
> hans at fitbook:~$ ls -l /usr/lib/*tls*
> -rwxr-xr-x  1 root  wheel  287408 Dec  1 20:39 /usr/lib/libcoretls.dylib
> -rwxr-xr-x  1 root  wheel   60464 Dec  1 20:39 /usr/lib/libcoretls_cfhelpers.dylib
> -rw-r--r--  1 root  wheel  159264 Dec  1 20:39 /usr/lib/libtls.15.dylib
> -rw-r--r--  1 root  wheel   92032 Dec  1 20:39 /usr/lib/libtls.6.dylib
> lrwxr-xr-x  1 root  wheel      14 Dec 10 11:39 /usr/lib/libtls.dylib -> libtls.6.dylib
> 
> hans at fitbook:~$ ls -l /usr/lib/*crypto*
> -rwxr-xr-x  1 root  wheel    13520 Jan 19 09:32 /usr/lib/libapple_crypto.dylib
> -rwxr-xr-x  1 root  wheel  2023584 Dec	1 20:39 /usr/lib/libcrypto.0.9.7.dylib
> -rwxr-xr-x  1 root  wheel  2599488 Dec	1 20:38 /usr/lib/libcrypto.0.9.8.dylib
> -rw-r--r--  1 root  wheel  4228016 Dec	1 20:39 /usr/lib/libcrypto.35.dylib
> -rw-r--r--  1 root  wheel  4274800 Dec	1 20:39 /usr/lib/libcrypto.41.dylib
> lrwxr-xr-x  1 root  wheel	18 Dec 10 11:39 /usr/lib/libcrypto.dylib -> libcrypto.35.dylib
> lrwxr-xr-x  1 root  wheel	54 Dec 10 11:39 /usr/lib/libk5crypto.dylib -> /System/Library/Frameworks/Kerberos.framework/Kerberos
> 
> 
> The default SSL implementation is /usr/lib/libssl.dylib -> libssl.35.dylib,
> the base MacOS binaries are compiled against (wait for it) LibreSSL,
> 
>   hans at fitbook:~$ /usr/bin/curl --version
>   curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20
>   zlib/1.2.11 nghttp2/1.24.0
>   Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
>   pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
>   Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
>   SSL libz HTTP2 UnixSockets HTTPS-proxy 
> 

Also,

  $ /usr/bin/openssl 
  OpenSSL> version
  LibreSSL 2.2.7


> and if you link with -lssl, you are using LibreSSL:
> 
>   hans at fitbook$ cc -o prog prog.c -lssl
>   hans at fitbook$ otool -L ./prog
>   ./prog:
>     /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
>     /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
> 
> 
> Let me say it again:
> MacOS _has_already_moved_ to LibreSSL as the default.

The adoption seems to have started no later than with 10.11.4
https://eclecticlight.co/2016/03/23/the-tls-mess-in-os-x-el-capitan/
(The latest I have before this 10.13.2 is 10.6.8)

	Jan
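
As an added example (not part of the original message), this shell function reads `otool -L` output like that quoted above and labels each TLS/crypto library by its install name, which helps when inventorying binaries that still link the 0.9.x libraries. The name-to-family mapping is an assumption drawn from the directory listing in this thread, and `./legacy-tool` and the sample input are constructed.

```shell
#!/bin/sh
# Added example: label TLS/crypto dylibs found in `otool -L` output.
# Assumed mapping from install name to family, based on the listing above:
#   libboringssl.dylib           -> BoringSSL
#   lib{ssl,crypto}.0.9.N.dylib  -> OpenSSL-0.9.x (version embedded in name)
#   lib{ssl,crypto,tls}.N.dylib  -> LibreSSL (bare major number)

# Reads otool -L output on stdin; prints "binary<TAB>dylib<TAB>family".
classify_tls_libs() {
    awk '
        # Report header, e.g. "./prog:" -> remember which binary follows.
        NF == 1 && /:$/ { bin = substr($0, 1, length($0) - 1); next }
        {
            path = $1
            n = split(path, parts, "/")
            base = parts[n]
            if (base == "libboringssl.dylib")
                fam = "BoringSSL"
            else if (base ~ /^lib(ssl|crypto)\.0\.9\.[0-9]+\.dylib$/)
                fam = "OpenSSL-0.9.x"
            else if (base ~ /^lib(ssl|crypto|tls)\.[0-9]+\.dylib$/)
                fam = "LibreSSL"
            else
                next
            printf "%s\t%s\t%s\n", bin, path, fam
        }'
}

# Constructed sample input (./legacy-tool is hypothetical).
sample_otool_output() {
    cat <<'EOF'
./prog:
    /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
./legacy-tool:
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libboringssl.dylib (compatibility version 1.0.0, current version 1.0.0)
EOF
}

sample_otool_output | classify_tls_libs
```

On a Mac, real input comes from `otool -L /usr/bin/curl | classify_tls_libs`.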


