I’ve some troubles with old openssl, distributed with new security patch to 10.6.4 Snow Leopard. So I’ve decided to change/replace openssl, both system-wide and installed one by macports.
The troubles was caused by new change in openssl-0.9.8l
Disable renegotiation completely – this fixes a severe security problem (CVE-2009-3555) at the cost of breaking all renegotiation. Renegotiation can be re-enabled by setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time. This is really not recommended unless you know what you’re doing.
Important notes:
- backup your system
- do NOT try to compile & install anything else than darwin64_x86_64 – it may lead to unbootable system
steps:
- download appropriate openssl source from openssl.org website (eg. 1.0.0a)
- unpack
- and then:
- get openssldir
$ openssl version -a OpenSSL 1.0.0a 1 Jun 2010 built on: Fri Jul 2 14:21:01 CEST 2010 platform: darwin64-x86_64-cc options: bn(64,64) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(idx) compiler: cc -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM OPENSSLDIR: "/opt/local/etc/openssl"
so we get OPENSSLDIR, and use it as -openssldir for BOTH cases
$ cd openssl-1.0.0a $ ./Configure darwin64-x86_64-cc --prefix=/usr --openssldir=/opt/local/etc/openssl shared $ make $ sudo make install
then you need to repeat for macports
$ port contents openssl | head -2 | tail -1 /opt/local/bin/c_rehash # we've got /opt/local, so set prefix to /opt/local $ ./Configure darwin64-x86_64-cc --prefix=/opt/local --openssldir=/opt/local/etc/openssl shared $ make $ make install
then you could uninstall eg. curl and install again
$ sudo port uninstall curl $ sudo port install curl +ssl