Tuesday, May 20, 2014

Upgrade OpenSSL on Mac OSX


$ brew update
$ brew install openssl
$ brew link --force openssl


You may get a warning about needing to unlink. If so, do what brew tells you to do, then follow up with brew link --force openssl.

Update links to openssl

If you are encountering error messages that mention openssl when attempting to install ruby via rbenv, then odds are that one of the homebrew installs upgraded your openssl but left your openssl symlink pointing to an old version.

Rename your /usr/bin/openssl file, instead of deleting it, just in case.

$ ls -l /usr/bin/openssl
$ sudo mv /usr/bin/openssl /usr/bin/openssl_OLD
$ sudo ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/bin/openssl
$ mv /usr/local/bin/openssl /usr/local/bin/openssl_OLD
$ ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/local/bin/openssl


Verify OpenSSL Versions

Search for all openssl files (and links) on your system.

Verify that they all point to the most recent, correct, homebrew-installed version of openssl:

$ find / -name "openssl" \( -type f -o -type l \) -exec ls -l {} \; 2>/dev/null
lrwxr-xr-x  1 root  wheel  44 May 20 08:05 /usr/bin/openssl -> /usr/local/Cellar/openssl/1.0.1g/bin/openssl
lrwxr-xr-x  1 lex  admin  36 May 20 08:00 /usr/local/bin/openssl -> ../Cellar/openssl/1.0.1g/bin/openssl
-rw-r--r--  1 lex  admin  10588 Aug 31  2013 /usr/local/Cellar/bash-completion/1.3/etc/bash_completion.d/openssl
-r-xr-xr-x  1 lex  admin  508776 May 19 16:35 /usr/local/Cellar/openssl/1.0.1g/bin/openssl
lrwxr-xr-x  1 lex  admin  62 Aug 31  2013 /usr/local/etc/bash_completion.d/openssl -> ../../Cellar/bash-completion/1.3/etc/bash_completion.d/openssl
lrwxr-xr-x  1 lex  admin  40 May 20 08:00 /usr/local/include/openssl -> ../Cellar/openssl/1.0.1g/include/openssl
lrwxr-xr-x  1 lex  admin  27 May 20 08:00 /usr/local/Library/LinkedKegs/openssl -> ../../Cellar/openssl/1.0.1g
lrwxr-xr-x  1 lex  admin  24 May 20 08:00 /usr/local/opt/openssl -> ../Cellar/openssl/1.0.1g


Run the following; it should report OpenSSL 1.0.1g 7 Apr 2014 or later.

$ openssl version
OpenSSL 1.0.1g 7 Apr 2014
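
The find listing shows where each link points, but not what each binary reports when it is run. The script below is an added example, not part of the original post: it runs `version` on every path passed to it and flags anything older than the 1.0.1g minimum given above. The function names, and the assumption that the second field of the output is the version, belong to this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes each binary prints
# "OpenSSL <version> <date>" for `openssl version`, as shown in the post.

MIN_VERSION="1.0.1g"   # the minimum release the post asks for

# version_key 1.0.1g -> 001.000.001.g  (zero-padded so plain sort orders it)
version_key() {
    nums=${1%%[!0-9.]*}      # numeric part, e.g. "1.0.1"
    suffix=${1#"$nums"}      # patch letter(s), e.g. "g"; may be empty
    old_ifs=$IFS; IFS=.
    set -- $nums             # split on dots into $1 $2 $3
    IFS=$old_ifs
    printf '%03d.%03d.%03d.%s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$suffix"
}

# version_at_least HAVE WANT: succeeds when HAVE >= WANT.
version_at_least() {
    have_key=$(version_key "$1")
    want_key=$(version_key "$2")
    lowest=$(printf '%s\n%s\n' "$have_key" "$want_key" | LC_ALL=C sort | head -n 1)
    [ "$lowest" = "$want_key" ]
}

# audit_openssl PATH...: run each candidate and compare what it reports
# against MIN_VERSION. Returns non-zero if any binary is older or fails.
audit_openssl() {
    rc=0
    for bin in "$@"; do
        # Skip directories (include/openssl) and non-executable files
        # (bash-completion scripts) that the find output also lists.
        if [ ! -x "$bin" ] || [ -d "$bin" ]; then continue; fi
        if ! out=$("$bin" version 2>/dev/null); then
            echo "FAIL $bin (did not run)"; rc=1; continue
        fi
        ver=$(printf '%s\n' "$out" | awk 'NR == 1 { print $2 }')
        if version_at_least "$ver" "$MIN_VERSION"; then
            echo "OK   $bin: $out"
        else
            echo "OLD  $bin: $out"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_openssl.sh /usr/bin/openssl /usr/local/bin/openssl
if [ "$#" -gt 0 ]; then audit_openssl "$@"; fi
```

Because the exit status is non-zero when any listed binary is too old, the script can gate a later step such as an rbenv install.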


Now, when you attempt to install ruby via rbenv, or any other brew that depends on openssl, you should not get any more openssl-related errors.

Temporary Solution

When you run brew doctor you will likely get the following error.

That is expected, for now.

I expect that a not too distant upgrade to the openssl brew package will fix the original problem and hence deprecate these instructions.

$ brew doctor
Warning: Some keg-only formula are linked into the Cellar.
Linking a keg-only formula, such as gettext, into the cellar with
`brew link <formula>` will cause other formulae to detect them during
the `./configure` step. This may cause problems when compiling those
other formulae.

Binaries provided by keg-only formulae may override system binaries
with other strange results.

You may wish to `brew unlink` these brews:

    openssl


MacPorts

If you are using MacPorts, it should be as easy as...

$ sudo port upgrade openssl


3 comments:

  1. “I expect that a not too distant upgrade to the openssl brew package will fix the original problem and hence deprecate these instructions.”

    What's more likely is that a not too distant Apple-supplied security update for OS X will patch the system's /usr/bin/openssl to not be heartbleed-vulnerable.  After which, brew's recommendation of running `brew unlink` is exactly the course of action to take.

    To say that Homebrew should remove the warning message is to ignore everything that has given Homebrew wide acceptance over MacPorts and Fink.  Homebrew is great because it doesn't f- up your other OS stuff— unless you really want it to.  Hence, the `brew doctor` message.

  2. Correction: I guess OS X was never heartbleed-vulnerable (according to http://apple.stackexchange.com/questions/126916/what-versions-of-os-x-are-affected-by-heartbleed).

    My point still stands (as with the case of Shellshock bash) that OS X is built around apps that rely on OS-versions to update in tandem.  Updating an individual library at a system level theoretically shouldn't cause issues— but in the real world that seems not to be the case more often than desired.  Apple and Homebrew's approach is that it's best to stick with system-level libs when you can, and have your own installations outside of the reach of the system and day-to-day `.app`s.
