
Today the Heartbleed OpenSSL exploit was announced in the wild, which allows an attacker to surreptitiously detect and steal private server keys (allowing them to MitM and decrypt your encrypted data and steal passwords). This affects OpenSSL versions including 1.0.1f, which is the version on my up-to-date Mavericks Mac (because I used port/brew to install other software, which updated my openssl without me realizing it):

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

This demonstrates I am not using the Mavericks version of OpenSSL:

$ which openssl
/opt/local/bin/openssl

OpenSSL released a fix today in 1.0.1g; how can I get this fixed version installed over my current version?

bmike
dr jimbob
  • You are not using the version that came with OS X Mavericks -- that's 0.9.8y, which does not have the heartbleed bug (it was introduced in 1.0.1). Your best update path will depend on where and how you installed the newer version. which openssl might be informative. Also, the major problem isn't the openssl command, it's the openssl libraries (which are used by other programs) -- those aren't API compatible between versions 0.9.x and 1.0.x, so you do not want to update the system-supplied openssl libraries! – Gordon Davisson Apr 08 '14 at 05:13
  • @GordonDavisson - You are totally right. I was mistaken. I had apparently installed MacPorts at some point on this machine, which upgraded my openssl (probably when I was trying to get python2.7 working). I probably should delete this question, but won't, in case others who make the same mistake find SapphireSun's great answer useful. – dr jimbob Apr 08 '14 at 05:31
  • With that clarifying update, I'd leave it. There are probably other people in the same boat, and having this here should give them an idea what needs to be done. – Gordon Davisson Apr 08 '14 at 05:38
  • If you install OpenSSL with brew it will not link the binaries to /usr/bin. Therefore it will not be run if you issue openssl on the command line. – bot47 Apr 09 '14 at 21:16
  • @MaxRied how do you run the version that homebrew installed? I installed new openssl by instructions in accepted answer, and openssl version returns 1.0.1g, but you're saying openssl commands aren't using that version? – inorganik Apr 23 '14 at 17:15
  • When you install openssl with brew, it'll tell you, that it won't link it, as they fear this would break some OS X internals. – bot47 Apr 23 '14 at 17:41
  • → Gordon: you should upgrade your comment to an answer. Too many confusions between 2 commands, and 2 set of libraries in use. – dan Jul 06 '14 at 15:35

4 Answers


For what it's worth, I just used homebrew (http://brew.sh/):

brew update
brew install openssl
brew link --force openssl
openssl version -a

If one of the bad versions comes up (1.0.1a-f), you can figure out which version of openssl you're using this way:

which openssl

Often this is from /usr/bin. To make sure you get the updated version, drop a symlink into /usr/local/bin to point to the updated openssl, like this:

ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/local/bin/openssl

As an alternative to that final step, some people replace the openssl in /usr/bin with a symlink to /usr/local/Cellar/openssl/1.0.1g/bin/openssl (or whatever your version is):

mv /usr/bin/openssl /usr/bin/openssl_OLD  
ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/bin/openssl

But this is known to cause problems with some more recent versions of OS X. Better to just insert a new symlink into /usr/local/bin, which should take precedence on your path over /usr/bin.

Giacomo1968
SapphireSun
  • Don't delete the original—just rename it. If you find the Homebrew-built version doesn't work for some purpose, there's no reason to put yourself up a creek without a (working) paddle. – Terry N Apr 08 '14 at 04:52
  • Fair enough, but on the other hand, I wouldn't call that version working... – SapphireSun Apr 08 '14 at 04:59
  • Even with the vulnerability, it's still useful to you in any situation in which you're willing to take the calculated risk in order to get app X (that depends on it) to work briefly. Or, if you prefer... "working" in the sense that a broken paddle can still push water. :-p – Terry N Apr 08 '14 at 05:48
  • Just a note - after performing these steps, typing "openssl" in the terminal window failed with a "no such file or directory" error pointing to the old copy (but it did work in a new terminal window). To fix the terminal window I was working in, I needed to do a: hash -r – Mike Hedman Apr 11 '14 at 21:28
  • On OS X 10.9.5, I got openssl binary with homebrew, but had to manually create the symlink (the end of the answer). – Nikolay Tsenkov Oct 01 '14 at 09:47
  • After trying this 10 different ways, this got my OpenSSL back in working order after an upgrade. – snowYetis Oct 17 '15 at 05:06
  • If I can mention another command people may find useful here… php -r "print_r(openssl_get_cert_locations());" will tell you where openssl is looking for certificates. I had a "composer update" that was failing with "ssl3_get_server_certificate:certificate verify failed" and it turned out as well as updating the Mozilla ca bundle, I needed to add a openssl.cafile=/usr/local/etc/openssl/cert.pem line to my php.ini file so it knew where to look for it. – William Turrell Feb 07 '16 at 00:20
  • Better than creating a symlink at /usr/bin/openssl, one can create the link at /usr/local/bin/openssl. That should precede /usr/bin on your $PATH and bypass any problems arising from "System Integrity Protection" in newer versions of OS X. – mrKelley Apr 05 '16 at 20:45
  • @SapphireSun for me openssl doesn't update. Can you please have a look http://pastebin.com/gZv4zcYj – Mona Jalal Aug 04 '16 at 21:08
  • If there's no permission to rename the /usr/bin/openssl file, disable csrutil. Reboot your Mac and press cmd+R while booting up. Then go into Utilities > Terminal and type csrutil disable, then reboot. After that you can rename /usr/bin/openssl. Type this command as in @SapphireSun's answer: ln -s /usr/local/Cellar/openssl/<OpenSsl_version_number>/bin/openssl /usr/bin/openssl and check your openssl version. – Abduhafiz Aug 31 '16 at 15:25
  • @SapphireSun brew link openssl --force links the binaries to /usr/local/bin which rules out the need to manually link these binaries. However, brew throws a warning which cannot be ignored. – Ram on Rails Sep 09 '16 at 07:32
  • ln -s /usr/local/opt/openssl/bin/openssl /usr/local/bin/ will dynamically connect to whatever version is installed by Homebrew (or updated later). Homebrew symbolically links /usr/local/opt/openssl -> ../Cellar/openssl/1.0.2h_1 – Ram on Rails Sep 09 '16 at 11:38
  • After setting the symlink path you need to restart the terminal. – damithH Oct 13 '16 at 09:22
  • I would avoid maintaining symlinks if --force fails and simply follow the instructions given when you run brew info openssl. These state to update your $PATH to include the openssl bin directory first. See http://stackoverflow.com/a/42385568/3985886 for more information. – PanPipes Feb 23 '17 at 10:29
  • I found this Medium post helpful. Look for the text "[UPDATE] 2016/12/11" and follow step 3. I copied and pasted the commands listed and it worked. I've also added export PATH="/usr/local/opt/openssl/bin:$PATH" to my .bash_profile. https://medium.com/@katopz/how-to-upgrade-openssl-8d005554401 – JustinDanielson Aug 23 '17 at 19:18
  • If you are using brew then, just use brew upgrade openssl to upgrade openssl – Sukhjinder Singh Aug 24 '17 at 08:49
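Tying together Gordon Davisson's comment on the question (the libraries other programs load matter, not just the openssl command), the brew steps in this answer, and the $PATH / hash -r comments above, here is an added audit script. It is not part of the original post or of Homebrew; the file name openssl-audit.sh and the function names are this example's own. It reports every openssl binary on $PATH in lookup order with its version and a Heartbleed verdict (1.0.1 through 1.0.1f), and on macOS uses otool -L to show which libssl/libcrypto a given program is actually linked against.

```bash
#!/usr/bin/env bash
# openssl-audit.sh (added example; not from the original post or from Homebrew)
# Audits every `openssl` reachable on $PATH, flags the Heartbleed-affected
# range, and, on macOS, shows which libssl/libcrypto a given program loads.
# Function and file names here are the example's own choices.

# Classify an `openssl version` string. Returns 0 (true) for 1.0.1 through
# 1.0.1f, the releases with the Heartbleed bug; 1 for everything else
# (0.9.8x, 1.0.0x, 1.0.1g and later, 1.0.2x, unparseable input).
heartbleed_vulnerable() {
  local ver
  # Drop a leading product word ("OpenSSL ") and keep only the version token.
  ver=$(printf '%s\n' "$1" | sed -n 's/^[A-Za-z]* *\([0-9][0-9.]*[a-z]*\).*/\1/p')
  case "$ver" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    *)                return 1 ;;
  esac
}

# Walk $PATH in order and report each openssl executable with the version it
# prints and a verdict. The first line is what a bare `openssl` runs; the
# rest are shadowed copies (Apple's /usr/bin, MacPorts' /opt/local/bin,
# Homebrew's /usr/local/bin or /usr/local/opt/openssl/bin).
list_openssl_on_path() {
  local IFS=: dir out verdict
  for dir in $PATH; do
    [ -x "$dir/openssl" ] || continue
    out=$("$dir/openssl" version 2>/dev/null) || out="(failed to run)"
    if heartbleed_vulnerable "$out"; then verdict=VULNERABLE; else verdict=ok; fi
    printf '%-10s %s  %s\n' "$verdict" "$dir/openssl" "$out"
  done
}

# On macOS, list the libssl/libcrypto a program is dynamically linked against.
# This is the check that matters for Gordon Davisson's point: a program linked
# to Apple's 0.9.8 libraries is unaffected whatever `openssl version` prints,
# and a program linked to a third-party 1.0.1f libssl stays affected after the
# command-line symlink is fixed.
linked_ssl_libs() {
  command -v otool >/dev/null 2>&1 || { echo "otool not found (not macOS?)" >&2; return 2; }
  otool -L "$1" | grep -E 'lib(ssl|crypto)' || echo "$1: no dynamic libssl/libcrypto"
}

# Usage: ./openssl-audit.sh              # audit the openssl binaries on $PATH
#        ./openssl-audit.sh /path/to/bin  # also show that program's SSL libraries
list_openssl_on_path
if [ $# -gt 0 ]; then linked_ssl_libs "$1"; fi
```

After re-linking openssl, run hash -r in any shell that was already open (as Mike Hedman's comment notes): bash caches the path it resolved for openssl the first time you ran it, so which openssl can show the new binary while the shell keeps executing the old one until the cache is cleared or a new terminal is opened.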

Or for those who are using MacPorts and are not worried about keeping the version:

sudo port upgrade openssl

simples :-)

mammix2
  • sudo port upgrade outdated also works. – dr jimbob Apr 08 '14 at 16:51
  • That's funny, having both MacPorts and brew install openssl on my machine was actually the cause of this happening to me. Running sudo port -f uninstall openssl @<old-version> did the trick for me :) – yair Mar 14 '16 at 22:51
  • @yair having both macports and homebrew will cause many problems – mmmmmm May 26 '16 at 10:45

For resolving OCSP Status Request extension unbounded memory growth (CVE-2016-6304) on macOS Sierra using brew with System Integrity Protection enabled:

  1. Temporarily adjust permissions on /usr/local so brew can update:

    sudo chgrp -R admin /usr/local
    sudo chmod -R g+w /usr/local
    
  2. Install the updated version of OpenSSL (you probably want 1.0.2i):

    brew install openssl
    
  3. You may want/need to delete an existing symlink to openssl from /usr/local/bin:

    rm /usr/local/bin/openssl
    
  4. Re-link the proper brew version:

    sudo ln -s /usr/local/Cellar/openssl/1.0.2i/bin/openssl /usr/local/bin/openssl
    
  5. Restore original permissions on /usr/local/bin:

    sudo chown root:wheel /usr/local
    
brandonscript

Whoever doesn't want to use brew or ports and just wants to replace the default OpenSSL 0.9.8 installation can always disable System Integrity Protection by rebooting into recovery mode (cmd+R) and issuing

csrutil disable

and afterwards compile openssl with

./config --prefix=/usr
make install

It successfully replaced OpenSSL in El Capitan for me and I was able to compile curl and Apache's httpd 2.4 without any issue directly from sources. The reasoning behind the method, which some might consider drastic, is that El Capitan is no longer maintained by Apple and no updates are forthcoming, so it likely won't break. Secondly, it saves you from pointing to the openssl folder in /usr/local for every program you compile, making compilation more robust.