I opened ticket 4938
https://github.com/mxcl/homebrew/issues/4938
In short the OpenSSL currently shipping with OS X is out of date.
System engineers, especially the network defender types, logically
select the latest and greatest openssl when building a subversion
server, and well, that leaves you in the dark when you ''brew install
subversion'' to build the client, as it builds with the rev of OpenSSL
that Apple ships with. The end result: your subversion client fails
to connect with a cipher error as it cannot make a bi-directional
(two-way certificate auth-based) SSL connection.
The openssl formula is ''keg only'' and cannot build a ''--universal''
library even though it has the option to do so.
Recently the formula was patched to download and build the latest
openssl release, but will not build to x86_64 unless one runs
./Configure darwin64-x86_64-cc
as instructed
{{{
WARNING! If you wish to build 64-bit library, then you have to
invoke './Configure darwin64-x86_64-cc' *manually*.
You have about 5 seconds to press Ctrl-C to abort.
}}}
prior to running config, but adjusting the formula results in a failure.
{{{
require 'formula'

class Openssl < Formula
  #url 'http://www.openssl.org/source/openssl-0.9.8o.tar.gz'
  #version '0.9.8o'
  #homepage 'http://www.openssl.org'
  #md5 '63ddc5116488985e820075e65fbe6aa4'
  url 'http://www.openssl.org/source/openssl-1.0.0d.tar.gz'
  version '1.0.0d'
  homepage 'http://www.openssl.org'
  md5 '40b6ea380cc8a5bf9734c2f8bf7e701e'

  #keg_only :provided_by_osx

  def options
    [["--universal", "Build a universal binary."]]
  end

  def install
    ENV.universal_binary if ARGV.include? "--universal"
    ENV.j1 # Breaks on Mac Pro
    system "./Configure darwin64-x86_64-cc"
    system "./config", "--prefix=#{prefix}",
                       "--openssldir=#{etc}",
                       "zlib-dynamic", "shared"
    system "make"
    system "make test"
    system "make install"
  end
end
}}}
Any ideas?
On 29 Mar 2011, at 19:02, Michael wrote:

> In short the OpenSSL currently shipping with OS X is out of date.

Please file an issue with Apple. It's not our job to maintain versions of libraries they already bundle.

> System engineers, especially the network defender types logically
> select the latest and greatest openssl when building subversion
> server, and well that leaves you in the dark when you ''brew install
> subversion'' to build the client as it builds with the rev of OpenSSL
> that Apple ships with. The end result, your subversion client fails
> to connect with a cipher error as it cannot make bi-directional
> (two-way certificate auth-based) SSL connection.

Then it will break with the version of Subversion shipped with OSX too I'd imagine.

--
Mike McQuaid
http://mikemcquaid.com
On Tue, Mar 29, 2011 at 2:50 PM, Mike McQuaid <mike@mikemcquaid.com> wrote:
>
> On 29 Mar 2011, at 19:46, Michael Walsh wrote:
>
>> Oh, come on. We both know that will not fix things.
>
> Why do you think that is? This isn't a rhetorical question, I'm genuinely interested as to why people seem to think it's necessary to constantly upgrade system libraries without testing applications against it without a security issue warranting it.

Apple will not respond, as I've filed more or less the same bug report in the past, and did so as an Apple developer.

OS X currently ships 0.9.8l 5 Nov 2009, and yes, Safari and Chrome are both borked because of this and will return the same cipher error with a client cert loaded when attaching to the subversion repository I noted earlier. The latest 0.9.8 release is at revision-r, which is some ways down the alphabet, denoting many security and bug fixes.

As I said, the subversion system administrator follows a network defender mindset, and believes it is in the best interest of the network to install the most recent security and bugfix release, but this has left me unable to connect. I know my problem is with building and using subversion to this out-of-date dylib, whether I do it with the assistance of macports or without.

-Michael
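The version gap discussed in the message above (0.9.8l on the client versus 0.9.8r and 1.0.0d), as an added example that is not part of the original thread: a comparator for OpenSSL's legacy `x.y.z` plus patch-letter scheme. The names `OpenSSLVersion` and `patch_releases_behind` are hypothetical, and the input strings are constructed from the versions quoted in the thread.

```ruby
# Added example (not from the thread): order legacy OpenSSL releases.
# OpenSSLVersion and patch_releases_behind are hypothetical names.
OpenSSLVersion = Struct.new(:major, :minor, :fix, :patch) do
  include Comparable

  # Accepts "0.9.8l", "1.0.0d" or a banner like "OpenSSL 0.9.8l 5 Nov 2009".
  def self.parse(text)
    m = /(?<![\d.])(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?![\w.])/.match(text)
    raise ArgumentError, "no OpenSSL version in #{text.inspect}" unless m
    new(m[1].to_i, m[2].to_i, m[3].to_i, m[4])
  end

  # Patch letters order as "" < "a" < ... < "z" < "za" < "zb", so the
  # suffix is compared by length first and alphabetically second.
  def sort_key
    [major, minor, fix, patch.length, patch]
  end

  def <=>(other)
    sort_key <=> other.sort_key
  end

  # Position within the x.y.z branch: "" => 0, "l" => 12, "za" => 27.
  def patch_index
    return 0 if patch.empty?
    (patch.length - 1) * 26 + (patch[-1].ord - 'a'.ord + 1)
  end
end

# Number of patch releases the installed library trails the newest one
# on the same x.y.z branch; nil when the branches differ.
def patch_releases_behind(installed, latest)
  a = OpenSSLVersion.parse(installed)
  b = OpenSSLVersion.parse(latest)
  return nil unless [a.major, a.minor, a.fix] == [b.major, b.minor, b.fix]
  [b.patch_index - a.patch_index, 0].max
end

# Constructed inputs, using the versions quoted in the thread.
client = "OpenSSL 0.9.8l 5 Nov 2009"
puts "behind 0.9.8r by #{patch_releases_behind(client, '0.9.8r')} releases"
puts "older than 1.0.0d: #{OpenSSLVersion.parse(client) < OpenSSLVersion.parse('1.0.0d')}"
```
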
On Tue, Mar 29, 2011 at 2:17 PM, Mike McQuaid <mike@mikemcquaid.com> wrote:
>
> On 29 Mar 2011, at 19:02, Michael wrote:
>
>> In short the OpenSSL currently shipping with OS X is out of date.
>
> Please file an issue with Apple. It's not our job to maintain versions of libraries they already bundle.
>

Oh, come on. We both know that will not fix things.

>> System engineers, especially the network defender types logically
>> select the latest and greatest openssl when building subversion
>> server, and well that leaves you in the dark when you ''brew install
>> subversion'' to build the client as it builds with the rev of OpenSSL
>> that Apple ships with. The end result, your subversion client fails
>> to connect with a cipher error as it cannot make bi-directional
>> (two-way certificate auth-based) SSL connection.
>
> Then it will break with the version of Subversion shipped with OSX too I'd imagine.
>

I'd bet it wouldn't, but who cares when macbrew has a formula for subversion. Curious, the existence of that formula would appear to be contradictory to your first statement, no?

Bummer.

-Michael