OpenSSL – How to Upgrade in macOS for Enhanced Security


Today the Heartbleed OpenSSL exploit was announced in the wild, which allows an attacker to surreptitiously detect and steal private server keys (allowing them to MitM and decrypt your encrypted data and steal passwords). This affects OpenSSL versions including 1.0.1f, which is the version on my up-to-date Mavericks Mac (because I used port/brew to install other software, which updated my openssl without me realizing it):

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

This demonstrates I am not using the Mavericks version of OpenSSL:

$ which openssl
/opt/local/bin/openssl

OpenSSL released a fix today in 1.0.1g and I wonder how I can get this fixed version installed over my current version?

Best Answer

For what it's worth, I just used homebrew (http://brew.sh/):

brew update  
brew install openssl  
brew link --force openssl 
openssl version -a  

If one of the bad versions comes up (1.0.1a-f), you can figure out which version of openssl you're using, this way:

which openssl

Often this is from /usr/bin. To make sure you get the updated version, drop a symlink into /usr/local/bin to point to the updated openssl, like this:

ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/local/bin/openssl

As an alternative to that final step, some people replace the openssl in /usr/bin with a symlink to /usr/local/Cellar/openssl/1.0.1g/bin/openssl (or whatever your version is):

mv /usr/bin/openssl /usr/bin/openssl_OLD  
ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/bin/openssl

But this is known to cause problems with some more recent versions of OS X. Better to just insert a new symlink into /usr/local/bin, which should take precedence on your path over /usr/bin.
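
To confirm that the updated binary really takes precedence, and that no affected copy is left elsewhere, the following shell script (an added example, not part of the original answer) walks PATH in lookup order and classifies every openssl it finds. The function names are hypothetical; the affected range is the one the answer names (1.0.1a-f) plus the unlettered 1.0.1 release, which is also affected.

```shell
#!/bin/sh
# Added example: audit every openssl binary on PATH for the
# Heartbleed-affected version range (1.0.1 through 1.0.1f).

# classify_version "<output of 'openssl version'>" -> "affected" or "ok"
classify_version() {
    # Field 2 of e.g. "OpenSSL 1.0.1f 6 Jan 2014" is the version string.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[abcdef]) echo affected ;;
        *)                   echo ok ;;
    esac
}

# audit_path "<colon-separated dir list>" -> one line per openssl found,
# in lookup order: "<status> <path> <version output>"
audit_path() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.          # empty PATH entry means current dir
        bin="$dir/openssl"
        if [ -x "$bin" ] && [ ! -d "$bin" ]; then
            out=$("$bin" version 2>/dev/null) || continue
            echo "$(classify_version "$out") $bin $out"
        fi
    done
    IFS=$old_ifs
}

# The first line printed is the binary that a bare "openssl" resolves to.
audit_path "$PATH"
```

Any `affected` line below the first is not what your shell runs, but it is still reachable by software that calls that path directly. Programs linked against an old libssl are not covered by this check, since it only inspects the command-line binaries.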