How do I update OpenSSL on OS X?
An OpenSSL exploit was announced in the wild today that allows an attacker to stealthily discover and steal a server's private keys (allowing them to MitM, decrypt the encrypted data and steal passwords). It affects versions of OpenSSL including 1.0.1f, which is the version on my up-to-date Mavericks Mac (because I used port / brew to install other software that updated my openssl, but I did not realize it):
This shows that I am not using the version of OpenSSL that ships with Mavericks:
OpenSSL released a fix today in 1.0.1g, and I am wondering how I can install this fixed version over my current version?
For what it's worth, I just used Homebrew ( http://brew.sh/ ):
If it shows one of the bad versions (1.0.1a-f), you can find out which version of openssl you are using like this:
Often this is the one from /usr/bin. To make sure you get the updated version, put a symbolic link in /usr/local/bin that points to the updated openssl, like so:
As an alternative to this last step, some people replace the openssl in /usr/bin with a symbolic link to /usr/local/Cellar/openssl/1.0.1g/bin/openssl (or whatever the version is):
But this is known to cause problems with some later versions of OS X. It is better to just put a new symbolic link in /usr/local/bin, which should take precedence on your path over /usr/bin.
Or, for those who use MacPorts and are not concerned about keeping the version
Temporarily adjust the permissions on /usr/local so that brew can update:
Install the updated version of OpenSSL (you probably want 1.0.2i):
You can / should remove the existing symbolic link to openssl from /usr/local/bin:
Re-link the correct brew version:
Restore the original permissions on /usr/local/bin:
Anyone who does not want to use brew or ports and simply wants to replace the default OpenSSL 0.9.8 installation can always disable System Integrity Protection by rebooting into recovery mode (cmd + R) and running the command
and then compile openssl with
It successfully replaced OpenSSL on El Capitan for me, and I was able to compile curl and Apache httpd 2.4 directly from source without problems. The reason for this method, which some may consider radical, is that El Capitan is no longer supported by Apple and no updates are expected, so it most likely will not break. Secondly, it saves you from pointing to the openssl folder in /usr/local for every program you compile, which makes compiling more reliable.
Source
Installing OpenSSL library on macOS Catalina
Yaşar Yücel Yeşilbağ
Sep 18, 2020
Whether you are building apps for just macOS or for cross-platform, if your app is using OpenSSL for crypto-works, you will have to install OpenSSL library since macOS ships with LibreSSL. Furthermore, cross-platform cryptography in .Net Core and .Net 5 uses OpenSSL on macOS.
Installing the OpenSSL library on macOS seems easy at first, but in practice can be a real pain in the back. Here is my journey of installing OpenSSL 1.1.1g on macOS Catalina (10.15.6) and making it reachable by my .Net Core apps. I tried to write complete and generalized instructions that apply to as many systems as possible. I also avoided symbolic linking (ln -s) and install_name_tool, since for me those are last resorts.
Installing OpenSSL
First, open a terminal, and see if OpenSSL is already installed:
If it’s not installed, you’ll see “Not installed” among the first few lines of output. Or maybe it is installed but is not the latest version. So, install or update if necessary:
Check if the system sees the library directly:
This command prints the SSL library that comes first in the PATH environment variable, which may be LibreSSL or some version of OpenSSL. OpenSSL does not need to be there to be reachable. But if you want this for some reason, follow the instructions below; otherwise jump to the Making OpenSSL Reachable section.
Run the command “brew info openssl” again:
Since OpenSSL is keg-only [1], it has to be referenced through an environment variable. The printed instruction does this: it is the echo ‘export… line in the red rectangle in the screenshot above. It may look a bit different on your system because it depends on the version. Copy, paste and run that line so that the necessary command is written to the .profile file [2].
If you want to see what was written to the .profile file, run the command below in your home directory:
Manually run the .profile file to avoid having to log off and log on at this point:
Check whether the system sees it now:
It should now print the up-to-date OpenSSL.
Making OpenSSL Reachable
When an app wants to use a library, macOS searches several locations to find it. We have to find the library path of OpenSSL and add it to the DYLD_LIBRARY_PATH environment variable. For this purpose, run the “brew info openssl” command again.
The path in the red rectangle in the screenshot above is the path where OpenSSL is installed. To get the library path we’re looking for, just append /lib to it. We want this library path to be added to the aforementioned environment variable at every user logon. We’ll use the command below for this; just replace the …/lib path with the one you have.
Manually run the .profile file [2] to eliminate logoff & logon at this time:
This should do the trick normally. But I’ve read that on some systems apps still cannot find OpenSSL library. So, try running your OpenSSL app. If the app gives an error like “No usable version of libssl was found. Abort trap: 6” or “PlatformNotSupportedException”, you may have to install or update libssh2. I didn’t need it but here it is:
Since libssh2 is not keg-only [1], it will be readily accessible without adding it to any environment variable.
That’s it! Now OpenSSL library should be reachable from any app. At least that’s the common hope 😊 This was not the funniest thing I did so far, but it was necessary. And I wrote it down here to be a reference for everyone.
I wish you installations funnier than this one 😁 Now I need some beer 🍺
Note [1]: For software installed via brew, being “keg-only” means it is installed in /usr/local/Cellar but not linked into places like /usr/local/bin and /usr/local/lib. This means most tools will not find it.
Source
Russian Blogs
OpenSSL on Mac OS X, from installation to upgrade
Open the official site: https://www.openssl.org/source/
Then I opened a terminal by hand and typed openssl version.
I actually got a response: OpenSSL 0.9.8zh 14 Jan 2016
This means openssl is already there, so you do not need to install it.
I had just seen a blog post, "Upgrading and installing openssl on Mac 10.11", and followed it step by step.
That applies to older Mac OS systems. After 10.11 Apple no longer uses openssl and uses libressl instead. See another blog post, https://blog.csdn.net/weixin_37569048/article/details/82660045, which has detailed instructions!
For example, my system is relatively new: 10.13.4.
Running openssl version on the command line returns LibreSSL 2.2.7
I found the official Homebrew site: https://brew.sh/index_zh-cn.html Its tagline: The missing package manager for macOS.
Paste this command into your terminal. It asks whether to continue or abort; continue, of course (just press Enter). Then wait for it to install. (I waited a long time; partway through it appeared to hang, and for about 10 minutes there was no progress indicator, which depends on Internet speed.)
Checked with brew --version,
Although it had only just been installed, I could not resist typing brew update. It did not report an error, but it gave a warning: Insecure world writable dir /usr/local/bin in PATH, and then it stopped moving. A little googling turned up: How to solve Insecure world writable dir /usr in PATH, mode 040777 warning on Ruby? After applying that, the warning went away, but it still does not move.
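The warning quoted above concerns a directory on PATH with the other-write bit set (mode 040777 is a directory with rwxrwxrwx permissions), which lets any local user plant or swap a binary such as openssl. The script below is an added example, not part of the original post: it checks each PATH entry and its parent directories, and the function names world_writable and risky_path_dirs are made up here.

```shell
#!/bin/sh
# Added example: find PATH entries that any local user could tamper with.

# world_writable DIR [extra find tests...]
# True if DIR (symlinks followed) is a directory with the other-write bit
# set and also satisfies any extra find(1) tests passed in.
world_writable() {
    d=$1; shift
    [ -n "$(find -H "$d" -prune -type d -perm -0002 "$@" 2>/dev/null)" ]
}

# risky_path_dirs "<PATH string>"
# Prints "entry<TAB>writable-dir" for every absolute PATH entry that is
# world-writable itself, or that has a world-writable parent without the
# sticky bit (such a parent lets anyone rename the entry and replace it).
risky_path_dirs() {
    old_ifs=$IFS; IFS=:
    for entry in $1; do
        IFS=$old_ifs
        case "$entry" in /*) ;; *) continue ;; esac
        if world_writable "$entry"; then
            printf '%s\t%s\n' "$entry" "$entry"
        fi
        dir=$(dirname "$entry")
        while :; do
            if world_writable "$dir" ! -perm -1000; then
                printf '%s\t%s\n' "$entry" "$dir"
            fi
            [ "$dir" = / ] && break
            dir=$(dirname "$dir")
        done
    done
    IFS=$old_ifs
}

# Audit the current environment; no output means nothing was flagged.
risky_path_dirs "$PATH"
```

Any directory it prints should have the other-write bit removed (chmod o-w) once its owner and group are confirmed to be the intended ones.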
Source
My Cellar Door
While having an updated version of OpenSSL is always recommended, vulnerabilities such as the Heartbleed Bug, reported on 7 April 2014, remind us why. Also, not having an updated version can cause some packages to fail to install (e.g., IO::Socket::SSL, necessary to run git send-email). In this post we go through the steps of updating OpenSSL on OS X, which, as usual, takes a few more steps than on Linux. I use Homebrew as a package manager.
1. The first thing to do is updating Homebrew and checking the installation:
Normally brew doctor gives detailed feedback, listing broken dependencies and the commands to fix them. Follow the steps pointed out by brew doctor before continuing. Examples of broken dependencies include changing the ownership of sudo installations or updating the Xcode command line tools.
2. Now it is time to check (i) your current openssl version, and (ii) if there is a new version out there.
$ openssl version -a
$ brew install openssl
3. If a new version was installed, check that the symbolic links have been updated. To do this, check the version again.
$ openssl version -a
4. If the version corresponds to the one installed by brew, you are done. If the version is the same as before the installation, you need to update the symbolic links manually.
$ which openssl
//we use /usr/bin/openssl as the given output
//save the current binary, just in case
$ sudo mv /usr/bin/openssl
/
$ sudo ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/bin
$ openssl version -a
5. If everything went fine you can delete the old openssl binary.
OpenSSL is updated 🙂 As of today (9th April, 2014), after the report of The Heartbleed Bug, the newest version is OpenSSL 1.0.1g 7 Apr 2014.
A new version is available: OpenSSL 1.0.1h 5 Jun 2014 (release notes)
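Steps 2 to 4 come down to two questions: which openssl does the shell actually run, and is its version in the range that the 1.0.1g release fixed? The script below is an added example, not part of the original post; classify_version and list_openssl are names made up here, and the range check covers the base 1.0.1 release as well as the lettered 1.0.1a-f releases.

```shell
#!/bin/sh
# Added example: list every openssl on a PATH-style string, in lookup
# order, and flag versions in the Heartbleed range.

# classify_version "<first line of 'openssl version' output>"
# Prints HEARTBLEED-RANGE for OpenSSL 1.0.1 through 1.0.1f, otherwise
# not-in-range. A version string cannot show vendor-backported patches,
# so treat a hit as "verify this build", not as proof.
classify_version() {
    case "$1" in
        "OpenSSL 1.0.1"|"OpenSSL 1.0.1 "*) echo HEARTBLEED-RANGE ;;
        "OpenSSL 1.0.1"[a-f]|"OpenSSL 1.0.1"[a-f]" "*|"OpenSSL 1.0.1"[a-f]"-"*)
            echo HEARTBLEED-RANGE ;;
        *) echo not-in-range ;;
    esac
}

# list_openssl "<PATH string>"
# Prints "path<TAB>verdict<TAB>version" for each executable named openssl.
# The first line is the binary a bare "openssl" command resolves to; later
# lines are shadowed copies that other software may still call by full path.
list_openssl() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        IFS=$old_ifs
        bin="${dir:-.}/openssl"
        [ -f "$bin" ] && [ -x "$bin" ] || continue
        ver=$("$bin" version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$bin" "$(classify_version "$ver")" "$ver"
    done
    IFS=$old_ifs
}

# Audit the current environment.
list_openssl "$PATH"
```

Services linked against libssl must be restarted after an upgrade, because a running process keeps using the library it loaded at start.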
Source
Question: Q: Updating OpenSSL on Mac System version 10.6.8?
Could anyone who has successfully updated OpenSSL on Snow Leopard through the Terminal post the steps here?
The actual version of open SSL is OpenSSL 1.0.0e 6 Sep 2011
I am attempting to update to the openssl-1.0.1c
I was trying to do the installation on the terminal by
1. CD to the openssl-1.0.1c directory
[rootuser:/install/openssl-1.0.1c] root# /install/openssl-1.0.1c/config
After giving the System information, I have this and now I am in doubt if I should build 64-bit library or just continue with the darwin-i386-cc.
WARNING! If you wish to build 64-bit library, then you have to
invoke ‘./Configure darwin64-x86_64-cc’ *manually*.
You have about 5 seconds to press Ctrl-C to abort.
Configuring for darwin-i386-cc
Anyone who has done this before and run into the same issue could shine a light here. Many Thanks!
Message was edited by: Eduardo B1
MacBook Pro, Mac OS X (10.6.8), 4 GB — 2.6 GHz
Posted on Jun 19, 2012 1:42 PM
If there were an update to OpenSSL you would have received it via software update. It is highly unlikely that you would be able to get the OpenSSL trunk running in Snow Leopard. Apple has customized logic in its version.
Jun 19, 2012 1:47 PM
Then I have to assume that the actual version of OpenSSL 1.0.0e 6 Sep 2011 must be ok!
Jun 19, 2012 2:24 PM
Adding to the reason of this question was that I had to install webmin on Lion. The installation went well and SSL is working just fine. I also updated Bind to 9.0.1 without any problems. All my domains and configurations are up and running. I just had a problem with Apache. Reading the new httpd.conf, it seems that we had a change from the previous Snow Leopard httpd.conf. Did Apple write a tutorial for these changes anywhere? I had an instance where I tried to comment out the
#Virtual hosts Session
... and web sharing stopped working. I am reading some posts in one of your posts and I was wondering if there is a fix for the bug. Thanks!
Jun 21, 2012 10:19 PM
Adding to the reason of this question was that I had to install webmin on Lion.
Did you replace /usr/sbin/named? I wouldn’t advise messing around with that stuff. No good will come of it.
Did Apple write a tutorial for these changes anywhere?
All bets are off if you start hacking around on the OS executables. When you do that, it isn’t a question of why isn’t it working, it would be a question of why would it work.
Jun 22, 2012 5:19 AM
No, I did not mess with any of the original paths. Actually this is my main motto. Everything I am configuring, I am making sure it works in harmony with the Apple internal standards. I transformed two Mac clients into servers, and it took me a lot of reading and comparing notes plus hands-on tests to make everything work fine and in harmony with web sharing etc. I am serving 3 domains without any issues. In addition, I am testing PHP and MySQL but I still have a lot of reading and learning until I get to launch it into production. I could use the terminal alone to manage Bind, Apache, PHP and MySQL but webmin on SSL does such a great job that I decided to use a combination of these two. Right now I just finished configuring my Lion Client Server and everything is working just fine. I just have to research and learn a little more about the new way Apple is setting up the httpd conf so I can run it according to the new rules. Thanks for the link, I will check it out for sure.
Thanks for the heads up;
Jun 22, 2012 10:27 AM
While I am all for getting the most out of MacOS X, I really don’t recommend a do-it-yourself approach to public web servers. That is a full-time job. I would rather have other people take care of that for me.
Jun 22, 2012 1:13 PM
Source