Recent OpenSSL changes and CA certs

Aaron Madlon-Kay amake at macports.org
Wed Oct 13 04:58:32 UTC 2021


Hi all.

I know there are some important changes being made to the OpenSSL
ports. Today I updated my ports and now have the following installed:

% port installed name:openssl
The following ports are currently installed:
  openssl @1.1_0 (active)
  openssl10 @1.0.2u_2 (active)
  openssl11 @1.1.1l_2 (active)

Apparently as a result of this, my Ruby environment (managed by rbenv
+ ruby-build, both available as ports) seems to no longer be able to
connect to HTTPS hosts.

By some trial and error, I managed to find that symlinking the certs
installed by the curl-ca-bundle port into the new "real" home of
OpenSSL solved the problem:

sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt \
  /opt/local/libexec/openssl11/etc/openssl/cert.pem

Can anyone point me to a better solution?

I note that the Ruby OpenSSL module (built under the old OpenSSL port
regime) is linked to /opt/local/lib/{libssl,libcrypto}.1.1.dylib. If I
rebuild Ruby after updating to the new port regime, it is linked to
/opt/local/libexec/openssl11/lib/{libssl,libcrypto}.1.1.dylib. Either
way, SSL connections fail unless I symlink cert.pem as above. There
are no apparent breakages in the linking itself.

Thanks,
Aaron
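
An added diagnostic, not part of the original message and not MacPorts or Ruby project code: it reports which CA file the OpenSSL library linked into a given Ruby reads by default, and whether that path is missing, a dangling symlink, empty, or a bundle with parseable certificates. The helper names effective_cert_file, inspect_bundle and sample_cert_pem are hypothetical.

```ruby
require "openssl"

PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Path that OpenSSL's default-path lookup reads: the SSL_CERT_FILE override
# when present in the environment, else the path compiled into libcrypto.
def effective_cert_file(env = ENV)
  env.fetch(OpenSSL::X509::DEFAULT_CERT_FILE_ENV, OpenSSL::X509::DEFAULT_CERT_FILE)
end

# Classify a CA bundle path and count the certificates that actually parse.
def inspect_bundle(path)
  return { status: :dangling_symlink, count: 0 } if File.symlink?(path) && !File.exist?(path)
  return { status: :missing, count: 0 } unless File.file?(path)
  count = File.read(path).scan(PEM_CERT).count do |pem|
    begin
      OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::OpenSSLError
      false # a PEM block that does not decode is not a usable trust anchor
    end
  end
  { status: count.zero? ? :empty : :ok, count: count, resolved: File.realpath(path) }
end

# Constructed sample: a throwaway self-signed certificate, PEM-encoded,
# for exercising inspect_bundle without touching the system trust store.
def sample_cert_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-sample")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256")).to_pem
end

if __FILE__ == $PROGRAM_NAME
  path = effective_cert_file
  puts "default CA file: #{path} -> #{inspect_bundle(path)}"
end
```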

