How to change openssl version in OSX 10.6.4

I’ve some troubles with old openssl, distributed with new security patch to 10.6.4 Snow Leopard. So I’ve decided to change/replace openssl, both system-wide and installed one by macports.

The troubles was caused by new change in openssl-0.9.8l

Disable renegotiation completely – this fixes a severe security problem (CVE-2009-3555) at the cost of breaking all renegotiation. Renegotiation can be re-enabled by setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time. This is really not recommended unless you know what you’re doing.

Important notes:

  • backup your system
  • do NOT try to compile & install anything else than darwin64_x86_64 – it may lead to unbootable system


  • download appropriate openssl source from website (eg. 1.0.0a)
  • unpack
  • and then:
  • get openssldir
$ openssl version -a
OpenSSL 1.0.0a 1 Jun 2010
built on: Fri Jul  2 14:21:01 CEST 2010
platform: darwin64-x86_64-cc
options:  bn(64,64) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(idx)
OPENSSLDIR: "/opt/local/etc/openssl"

so we get OPENSSLDIR, and use it as -openssldir for BOTH cases

$ cd openssl-1.0.0a
$ ./Configure darwin64-x86_64-cc --prefix=/usr --openssldir=/opt/local/etc/openssl shared
$ make
$ sudo make install

then you need to repeat for macports

$ port contents openssl | head -2 | tail -1
# we've got /opt/local, so set prefix to /opt/local
$ ./Configure darwin64-x86_64-cc --prefix=/opt/local --openssldir=/opt/local/etc/openssl shared
$ make
$ make install

then you could uninstall eg. curl and install again

$ sudo port uninstall curl
$ sudo port install curl +ssl

Leave a Reply

Your email address will not be published. Required fields are marked *

− 1 = 1