How to upgrade OpenSSL (macOS)

How to upgrade OpenSSL (macOS)

Image for postRequesting and obtaining a certificate from a CA

Problem : OpenSSL Security Advisory [3rd May 2016] High severitySolution : Update it 🙂

Mac OSX 10.11.4

Check version

$ openssl version -a

Backup old version

$ sudo mv /usr/bin/openssl /usr/bin/openssl-old

For 10.12.2 will get?(and maybe this should help)mv: rename /usr/bin/openssl to /usr/bin/openssl-old: Operation not permitted

Or remove old version (skip this if you already backup)

$ sudo rm /usr/bin/openssl

Install Homebrew if you didn?t have

$ /usr/bin/ruby -e “$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)”

Or update if you already have

$ brew update && brew upgrade

Install OpenSSL with Homebrew

$ brew install openssl

Symbolic link

$ brew link –force openssl

[UPDATE] 2016/12/11

OpenSSL 1.0.2j, Homebrew 1.1.2, Mac 10.11.6

You?ll see?

Warning: Refusing to link: opensslLinking keg-only openssl means you may end up linking against the insecure,deprecated system OpenSSL while using the headers from Homebrew?s openssl.Instead, pass the full include/library paths to your compiler e.g.: -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib

And yes we?re doom! But no worry we can manually link it with steps below.

1. Ensure it exist

$ ls -l /usr/local/opt/openssl

You should see (after $ brew install openssl)

lrwxr-xr-x 1 katopz admin 24 Sep 29 00:21 /usr/local/opt/openssl -> ../Cellar/openssl/1.0.2j

2. Link it

$ sudo ln -s /usr/local/Cellar/openssl/1.0.2j/bin/openssl /usr/bin/openssl

For 10.12.2 you will get?(and maybe this should help)ln: /usr/bin/openssl: Operation not permitted

3. And maybe you?ll need this too

$ mkdir -p /usr/local/lib$ ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/$ ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/

Close Terminal and reopen then check version

$ openssl version -a

You should see?

OpenSSL 1.0.2j 26 Sep 2016built on: reproducible build, date unspecifiedplatform: darwin64-x86_64-ccoptions: bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) idea(int) blowfish(idx)compiler: clang -I. -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASMOPENSSLDIR: “/usr/local/etc/openssl”

Nice! We?re safe now until another incident appear tho.

And next time you can just?

$ brew update && brew upgrade

Happy OpenSSLing!

23

No Responses

Write a response