I am using Server app 3 with OS X 10.9.5, which came with OpenSSL 0.9.8zg, and since this version doesn't allow TLS 1.2, I decided to upgrade to OpenSSL 1.0.2j.
Since this OpenSSL came by default, I cannot simply upgrade it, so I used MacPorts to install a newer version, to see if I could use it instead of the other one.
After I made the installation I noticed that I was only able to use the newer version as a non-root user (through the command line); if I log in as root I continue to use the older version.
So I added the MacPorts location to the 'paths' file, and then I was able to use openssl as root too.
But now I don't know for sure whether my Server App (aka the system) is using the right OpenSSL or not.
Right now I have not changed any certificate; I am using the default one that came with the older version. I have never used openssl before and I am still trying to understand how it works.
If I try to use openssl as root or as a non-root user on my server, I get this output with an error:
remote:~ root# openssl s_client -connect remote.X.pt:443 -tls1_2
CONNECTED(00000003)
140735302370144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1480421165
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
where it seems that TLS 1.2 is supported, but if I try with an outside service such as SSL Labs, I get this:
Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 No
SSL 2 No
So my question is whether my system continues to use the older version's libraries, or whether there is anything in the certificate that says this server only allows TLS 1.0? If it continues to use the older version's libraries, how can I point it to the new version's libraries?
UPDATE1:
Just confirmed in phpinfo that I am still using the older version. So my question is: how can I replace OpenSSL with the new version from MacPorts?
Best Answer
Server.app comes with precompiled binaries that link against Apple's OpenSSL in /usr/lib. While you can set $PATH to change which programs you execute on the command line, $PATH does not affect libraries linked by software. This leads to a couple of thoughts:
/usr/lib/libssl.0.9.8.dylib vs. /opt/local/lib/libssl.1.0.0.dylib), so that's not an option here.
As a consequence, I don't see a way to make Server.app 3 use TLS 1.2, unfortunately.
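The two checks the answer implies, written out as an added example (this is not code from the question, the answer, or Apple/MacPorts): first, look at which libssl a given binary is dynamically linked against, which is what decides the TLS versions it can speak regardless of $PATH; second, probe the listener one protocol version at a time, the way SSL Labs does, instead of reading the "Protocol : TLSv1.2" line of the SSL-Session summary, which only echoes the version the client was told to use. In the output posted in the question, "Cipher is (NONE)" and "SSL handshake has read 5 bytes" show that no session was set up at all. The library paths are the ones named in the answer; the binary path and the host name are assumptions for illustration, and the otool listings are constructed samples so the parser also runs on a non-macOS box.

```shell
#!/bin/sh
# Added example for this thread (not code from the question or the answer).
#   1. classify_libssl() parses an `otool -L <binary>` listing (macOS only) and
#      reports which OpenSSL the binary links; it is exercised on constructed
#      sample listings below so the script runs anywhere.
#   2. probe_protocols() forces one protocol version per `openssl s_client` run
#      and judges success by the negotiated cipher, like an external scanner.
# Library paths follow the answer; binary paths and host name are assumptions.

OPENSSL=${OPENSSL:-openssl}   # set to /opt/local/bin/openssl: 0.9.8 has no -tls1_1/-tls1_2

# Read an `otool -L` listing on stdin and print which OpenSSL it links:
# "apple"    -> /usr/lib/libssl.0.9.8.dylib
# "macports" -> /opt/local/lib/libssl.<version>.dylib
# "none"     -> no libssl linked at all
classify_libssl() {
    awk '
        index($0, "/usr/lib/libssl.0.9.8.dylib") { apple = 1 }
        index($0, "/opt/local/lib/libssl.")      { ports = 1 }
        END {
            if (apple)      print "apple"
            else if (ports) print "macports"
            else            print "none"
        }'
}

# Wrapper for a real binary on macOS, e.g. (assumed path, check your install):
#   classify_libssl_of /Applications/Server.app/Contents/ServerRoot/usr/sbin/httpd
classify_libssl_of() {
    otool -L "$1" | classify_libssl
}

# Constructed sample listings in the shape otool -L prints them.
SAMPLE_APPLE='/usr/sbin/httpd:
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)'
SAMPLE_PORTS='/opt/local/bin/openssl:
    /opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /opt/local/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)'

# Return 0 if host:port completes a handshake when s_client is pinned to one
# protocol version ($2 is the s_client flag). A real session prints a cipher
# name after "Cipher is"; a failed attempt prints "Cipher is (NONE)" even
# though the SSL-Session block still lists the requested "Protocol".
tls_version_ok() {
    out=$(printf 'Q\n' | "$OPENSSL" s_client -connect "$1" "$2" 2>&1)
    printf '%s\n' "$out" | grep -q 'Cipher is (NONE)' && return 1
    printf '%s\n' "$out" | grep -q 'Cipher is '
}

# Print a Yes/No line per version, like the "Protocols" section of SSL Labs.
probe_protocols() {
    for entry in 'TLS 1.2=-tls1_2' 'TLS 1.1=-tls1_1' 'TLS 1.0=-tls1' 'SSL 3=-ssl3'; do
        name=${entry%%=*}; flag=${entry##*=}
        if tls_version_ok "$1" "$flag"; then echo "$name Yes"; else echo "$name No"; fi
    done
}

# Usage: OPENSSL=/opt/local/bin/openssl sh tlscheck.sh remote.X.pt:443
# (host taken from the question; run it from the server or any other machine)
if [ -n "${1:-}" ]; then
    probe_protocols "$1"
fi
```

If classify_libssl_of on Server.app's httpd (or on the php binary phpinfo comes from) prints "apple", the process is loading /usr/lib/libssl.0.9.8.dylib no matter what $PATH says, and probe_protocols will keep reporting only TLS 1.0 as Yes; that matches what the answer says about $PATH and linked libraries.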