Use OpenSSL from macports instead of OpenSSL from OSX

Tags: mac-osx, openssl

I am using Server app 3 with OSX 10.9.5, which came with OpenSSL 0.9.8zg, and since this version doesn't allow TLS 1.2, I decided to upgrade to OpenSSL 1.0.2j.

Since this OpenSSL came by default, I cannot simply upgrade it, so I used MacPorts to install a newer version, to see if I could use it instead of the other version.

After I did the installation I noticed that I was only able to use the newer version as a non-root user (through the command line); if I log in as root I continue to use the older version.

So I added the location of MacPorts to the 'paths' file, and then I was able to use openssl as root too.

But now I don't know for sure whether my Server App (aka system) is using the right OpenSSL or not.

Right now I have not changed any certificate; I am using the default one that came with the older version. I have never used openssl before and I am still trying to understand how it works.

If I try to use openssl as root or as a non-root user on my server, I get this output with an error:

remote:~ root# openssl s_client -connect remote.X.pt:443 -tls1_2
CONNECTED(00000003)
140735302370144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1480421165
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Here it seems that TLS 1.2 is supported, but if I try with an outside service such as SSL Labs, I get this:

Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3   No
SSL 2   No

So my question is whether my system continues to use the older version's libraries, or whether there is anything in the certificate that says that this server only allows TLS 1.0. If it continues to use the older version's libraries, how can I point it to the new version's libraries?

UPDATE 1:

I just confirmed in phpinfo that I am still using the older version. So my question is: how can I replace openssl with the new version from MacPorts?

Best Answer

Server.app comes with precompiled binaries that link against Apple's OpenSSL in /usr/lib. While you can set $PATH to change which programs you execute on the command line, $PATH does not affect libraries linked by software.

This leads to a couple of thoughts:

  • You'd have to recompile Server.app against the MacPorts OpenSSL. Since you don't have the exact source code for Server.app, that's not an option.
  • You could compile your own server against MacPorts' OpenSSL. MacPorts ships most open source webservers, but you'll have to configure them yourself.
  • If two libraries are binary-compatible, you can set a special environment variable to tell the macOS loader to ignore the absolute path where it expects the library and search a different path first. Unfortunately in the case of OpenSSL 0.9.8 vs 1.0.0, the libraries are not binary-compatible (/usr/lib/libssl.0.9.8.dylib vs. /opt/local/lib/libssl.1.0.0.dylib), so that's not an option here.

As a consequence, I don't see a way to make Server.app 3 use TLS 1.2, unfortunately.
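The answer's point is that the library a program links decides its TLS support, not what $PATH resolves on the command line. The following is an added shell example (not part of the question or the answer) for checking which libssl/libcrypto a Mach-O binary actually links; it relies on macOS `otool`, and the sample `otool -L` output embedded below is constructed, not captured from a real Server.app binary.

```shell
#!/bin/sh
# Added example: determine which OpenSSL a binary links, independent of $PATH.

# Read `otool -L` output on stdin and print only the libssl/libcrypto
# install names, one per line (empty if the binary links no OpenSSL).
linked_openssl_libs() {
    # Line 1 is the binary path header; later lines are
    # "<install-name> (compatibility version ..., current version ...)".
    awk 'NR > 1 && $1 ~ /lib(ssl|crypto)/ { print $1 }'
}

# True (exit 0) when the install name is Apple's bundled 0.9.8 library,
# which is the one without TLS 1.1/1.2 support.
is_apple_openssl_098() {
    case "$1" in
        /usr/lib/libssl.0.9.8.dylib|/usr/lib/libcrypto.0.9.8.dylib) return 0 ;;
        *) return 1 ;;
    esac
}

# Inspect a real binary on macOS and print a verdict per OpenSSL library.
# Usage: check_binary /path/to/binary
check_binary() {
    bin="$1"
    if ! command -v otool >/dev/null 2>&1; then
        echo "otool not available (macOS only)" >&2
        return 2
    fi
    otool -L "$bin" | linked_openssl_libs | while IFS= read -r lib; do
        if is_apple_openssl_098 "$lib"; then
            echo "$bin -> $lib (Apple 0.9.8: TLS 1.0 only)"
        else
            echo "$bin -> $lib"
        fi
    done
}

# Constructed sample shaped like `otool -L` output for a binary that links
# Apple's OpenSSL; the binary path is a placeholder, not a real one.
SAMPLE_OTOOL='/path/to/some/server-binary:
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OTOOL" | linked_openssl_libs
```

On a real machine, `check_binary` pointed at the web server binary shows whether it resolves to /usr/lib/libssl.0.9.8.dylib or to the MacPorts library under /opt/local/lib.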