172

I'm on: OSX 10.11.6, Homebrew version 0.9.9m OpenSSL 0.9.8zg 14 July 2015

I'm trying to play with dotnetcore and by following their instructions,

I've upgraded/installed the latest version of openssl:

> brew install openssl
==> Downloading https://homebrew.bintray.com/bottles/openssl-1.0.2h_1.el_capitan.bottle.tar.gz
Already downloaded: /Users/administrator/Library/Caches/Homebrew/openssl-1.0.2h_1.el_capitan.bottle.tar.gz
==> Pouring openssl-1.0.2h_1.el_capitan.bottle.tar.gz
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl/certs

and run
  /usr/local/opt/openssl/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local.

Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries

Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:

    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include

But when I try to link openssl I continue to run into this linking error:

> brew link --force openssl
Warning: Refusing to link: openssl
Linking keg-only OpenSSL means you may end up linking against the insecure,
deprecated system version while using the headers from the Homebrew version.
Instead, pass the full include/library paths to your compiler e.g.:
  -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib

The option to include compiler flags doesn't make sense to me, since I'm not compiling these libraries that I'm dependent on.

EDIT dotnetcore has updated their instructions:

brew update    
brew install openssl    
ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/    
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/
jww
daviddeath
  • 3
    For .NET Core you need a supported version of OpenSSL, which would be a 1.0.1 or 1.0.2 version. Since you're reporting a 0.9.8 version maybe you need to `brew upgrade openssl` first? – bartonjs Jul 30 '16 at 05:32
  • 2
    I've already done that. I should have clarified, but I didn't add those steps to the question. But I've already done the `brew update` and `brew install openssl`. This is trying to install the supported version. – daviddeath Jul 30 '16 at 05:59
  • 2
    Looks like Homebrew has explicitly blocked it: https://github.com/Homebrew/brew/commit/b999edb3448793529aea8b29c01b3851bbc3b3eb. – bartonjs Jul 30 '16 at 06:10
  • Perhaps using a different HOMEBREW_PREFIX would work; but that's definitely beyond my experience. – bartonjs Jul 30 '16 at 06:11
  • 4
    And.. to continue rounding out my rambling, you might be interested in whatever develops on https://github.com/Homebrew/brew/pull/597 – bartonjs Jul 30 '16 at 06:28
  • 2
    *"... when I try to link openssl I continue to run into this linking error:.."* - Also see [How to set the runtime path (-rpath) of an executable with gcc under Mac OSX?](http://stackoverflow.com/q/4513799). It may help you always load the correct library at runtime, if Brew is not adding it. – jww Jul 30 '16 at 11:53
  • 2
    @bartonjs - the linking worked with 1.0.1 version. As per the commit you posted, which was just a few days ago, my guess is that the older versions have a different HOMEBREW_PREFIX. I'm good for now, but in the future I'll try your suggestion of trying a different prefix. – daviddeath Jul 30 '16 at 23:06
  • 2
    I tried most of the solutions on this page, and none worked. I was however able to get .Net core working with this solution: https://github.com/dotnet/cli/issues/3964#issuecomment-236485454 – Paul Keister Aug 01 '16 at 05:09
  • 2
    @PaulKeister's link to the github discussion worked for me. Basically just run: `sudo install_name_tool -add_rpath /usr/local/opt/openssl/lib /usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.0.0/System.Security.Cryptography.Native.dylib` – songololo Aug 01 '16 at 10:20
  • 2
    The `rpath` solution is better. There’s a reason Homebrew now prevents you from linking OpenSSL; it *is* a bad idea and may break stuff on your computer. – bfontaine Aug 13 '16 at 08:20
  • You should probably put your "dotnetcore has updated their install instructions" into an answer here to your own question :\ – rogerdpack Sep 27 '17 at 15:53

15 Answers

71

This is what worked for me:

brew update
brew install openssl
ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/
ln -s /usr/local/Cellar/openssl/1.0.2j/bin/openssl /usr/local/bin/openssl

Thanks to @dorlandode on this thread https://github.com/Homebrew/brew/pull/597

NB: I only used this as a temporary fix until I could spend time correctly installing Openssl again from scratch. As I remember I spent best part of a day debugging and having issues before I realised the best way was to manually install the certs I needed one by one. Please read the link in @bouke's comment before attempting this.

rorykoehler
  • 9
    is the full path for the last link `/usr/local/bin/openssl`? – Mohamed Hafez Oct 24 '16 at 19:33
  • Why this answer is not accepted, you saved my life man. ::thumb up:: – wukong Nov 22 '16 at 19:15
  • 2
    There's a good reason brew is refusing to do this. See also this: https://github.com/Homebrew/brew/pull/597. – Bouke Jan 24 '17 at 09:58
  • 9
    This solution worked for me, but I had to change `1.0.2j` to `1.0.2k` because of version differences. So users beware, you may need to adjust paths for the current version – Jeff Mar 27 '17 at 14:25
  • I saw @Jeff's comment a little too late. If you did too, I believe `ln -s -f /usr/local/Cellar/openssl/1.0.2k/bin/openssl /usr/local/bin/openssl` fixes it – shaneparsons Apr 13 '17 at 15:43
  • I'm using macOS Catalina 10.15.4 and this is the only solution that worked. – Neevai Apr 06 '20 at 13:50
63

As the update to the other answer suggests, the workaround of installing the old openssl101 brew will no longer work. For a right-now workaround, see this comment on dotnet/cli#3964.

The most relevant part of the issue copied here:

I looked into the other option that was suggested for setting the rpath on the library. I think the following is a better solution that will only affect this specific library.

sudo install_name_tool -add_rpath /usr/local/opt/openssl/lib /usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.0.0/System.Security.Cryptography.Native.dylib

and/or if you have NETCore 1.0.1 installed perform the same command for 1.0.1 as well:

sudo install_name_tool -add_rpath /usr/local/opt/openssl/lib /usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.0.1/System.Security.Cryptography.Native.dylib

In effect, rather than telling the operating system to always use the homebrew version of SSL and potentially causing something to break, we're telling dotnet how to find the correct library.

Also importantly, it looks like Microsoft are aware of the issue and have both a) a somewhat immediate plan to mitigate as well as b) a long-term solution (probably bundling OpenSSL with dotnet).

Another thing to note: /usr/local/opt/openssl/lib is where the brew is linked by default:

13:22 $ ls -l /usr/local/opt/openssl
lrwxr-xr-x  1 ben  admin  26 May 15 14:22 /usr/local/opt/openssl -> ../Cellar/openssl/1.0.2h_1

If for whatever reason you install the brew and link it in a different location, then that path is the one you should use as an rpath.

Once you've updated the rpath of the System.Security.Cryptography.Native.dylib library, you'll need to restart your interactive session (i.e., close your console and start another one).

abraham
Ben Collins
  • Where am I supposed to add that line? I'm trying to get this to work in CI. I'm getting a `/usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.0.0/System.Security.Cryptography.Native.dylib (No such file or directory)`. – mrahhal Aug 02 '16 at 12:20
  • @mrahhal that's the installation path of the `dotnet` tooling. It's possible that you either don't have it installed or you installed it to another location. If it's installed and on your path, you could use `which dotnet` to find it. – Ben Collins Aug 02 '16 at 12:23
  • Oh, just realized I'm adding this line before installing `dotnet`. Will retry and come back. – mrahhal Aug 02 '16 at 12:24
  • 3
    Worked for me, in my case the sdk was installed to a different directory so I had to change the path. – mrahhal Aug 02 '16 at 13:16
  • 4
    With dotnet 1.1.0 I had to do: `sudo install_name_tool -add_rpath /usr/local/opt/openssl/lib /usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.1.0/System.Security.Cryptography.Native.OpenSsl.dylib` – Bouke Jan 24 '17 at 09:58
  • What if `which dotnet` reveals I don't have it? – macloo Feb 12 '17 at 17:15
  • @macloo I've heard reports from acquaintances that the installer on macOS sometimes doesn't properly update the path, so you may have it on your file system but unable to use it normally. The other possibility is that you really don't have it, in which case you should install it from http://dot.net. – Ben Collins Feb 12 '17 at 18:27
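An added example, not part of the answer or of the dotnet/cli thread: a check-then-add form of the `install_name_tool` step that reads the dylib's existing `LC_RPATH` entries from `otool -l` first and re-reads them afterwards to confirm. The `otool -l` text is a constructed sample; the function names are hypothetical, and the directory and library file names are the ones quoted on this page.

```shell
#!/bin/sh
# Constructed sample of `otool -l` output (not captured from a real dylib).
sample_otool_output() {
    cat <<'EOF'
Load command 9
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name @rpath/libssl.1.0.0.dylib (offset 24)
Load command 10
          cmd LC_RPATH
      cmdsize 40
         path /usr/local/opt/openssl/lib (offset 12)
EOF
}

# Print each LC_RPATH directory found in `otool -l` output read from stdin.
rpaths_from_otool() {
    awk '
        $1 == "cmd" { in_rpath = ($2 == "LC_RPATH") }
        in_rpath && $1 == "path" {
            line = $0
            sub(/^[ \t]*path[ \t]+/, "", line)                # drop the "path" label
            sub(/[ \t]+\(offset [0-9]+\)[ \t]*$/, "", line)   # drop the "(offset N)" suffix
            print line
            in_rpath = 0
        }
    '
}

# Exit 0 when DIR is already one of the rpaths in the otool output on stdin.
has_rpath() { rpaths_from_otool | grep -Fxq -- "$1"; }

# macOS only: add DIR as an rpath of DYLIB unless it is already there,
# then confirm the result. usage: ensure_rpath DIR DYLIB
ensure_rpath() {
    dir=$1 lib=$2
    [ -f "$lib" ] || { echo "no such dylib: $lib" >&2; return 2; }
    # Refuse a directory that does not hold the library named on this page.
    [ -e "$dir/libcrypto.1.0.0.dylib" ] || { echo "no libcrypto in $dir" >&2; return 2; }
    if otool -l "$lib" | has_rpath "$dir"; then
        echo "rpath already present: $dir"
        return 0
    fi
    sudo install_name_tool -add_rpath "$dir" "$lib" || return 1
    otool -l "$lib" | has_rpath "$dir"
}

# Offline demonstration on the constructed sample.
sample_otool_output | rpaths_from_otool
```

On a Mac the call would be `ensure_rpath /usr/local/opt/openssl/lib <path to the dylib>`, with the dylib path taken from your own dotnet install, since the comments above show it varies by version and install location.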
52

None of these solutions worked for me on OS X El Capitan 10.11.6. Probably because OS X has a native version of openssl that it believes is superior, and as such, does not like tampering.

So, I took the high road and started fresh...


Manually install and symlink

cd /usr/local/src  
  • If you're getting "No such file or directory", make it:

    cd /usr/local && mkdir src && cd src

Download openssl:

curl --remote-name https://www.openssl.org/source/openssl-1.0.2h.tar.gz

Extract and cd in:

tar -xzvf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h

Compile and install:

./configure darwin64-x86_64-cc --prefix=/usr/local/openssl-1.0.2h shared
make depend
make
make install

Now symlink OS X's openssl to your new and updated openssl:

ln -s /usr/local/openssl-1.0.2h/bin/openssl /usr/local/bin/openssl

Close terminal, open a new session, and verify OS X is using your new openssl:

openssl version -a
Community
mcgwier
  • If you're trying to install .NET core on OS X you should wrap it in Docker. – mcgwier Aug 02 '16 at 01:06
  • 6
    After doing all this: OpenSSL 0.9.8zh 14 Jan 2016 built on: May 15 2016 platform: darwin64-x86_64-llvm – AsimRazaKhan Sep 09 '16 at 15:13
  • 5
    Creating a symlink in the following way worked for me: `ln -s /usr/local/openssl-1.0.2h/bin/openssl /usr/local/bin/openssl`. After restarting your Terminal session, type `which openssl` to make sure you are using the updated 1.0.2 version (`/usr/local/bin/openssl`) instead of the built-in one (`/usr/bin/openssl`). – Olivier Dec 19 '16 at 12:47
  • 1
    I followed these instructions but when I type in which openssl, I get (/opt/local/bin/openssl). How do I get it to be /usr/local/bin/openssl? – Chris Dec 22 '16 at 20:58
  • 2
    I followed these instructions (thank you so much for the step-by-step), and it still said 0.9.8. Thank you to Olivier for the alternate linking method that worked. – Onikoroshi Jan 12 '17 at 03:55
  • this one saved me – dmerlea Jan 28 '17 at 17:23
  • Still doesn't work: a new version of OpenSSL is installed. But- it is not used by apps such as Composer. $ openssl version -a OpenSSL 1.0.2o 27 Mar 2018 However output from Composer diagnose says otherwise. $ composer diagnose Checking composer.json: WARNING No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license. Checking platform settings: WARNING The OpenSSL library (0.9.8r) used by PHP does not support TLSv1.2 or TLSv1.1. If possible you should upgrade OpenSSL to version 1.0.1 or above. – sea26.2 Jun 01 '18 at 15:47
  • how do I uninstall something installed like this?? – cegprakash Dec 10 '21 at 08:10
51

Just execute `brew info openssl` and read the information where it says:

If you need to have this software first in your PATH run: echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile

Alex Maiburg
22

If migrating your mac breaks homebrew:

I migrated my mac, and it unlinked all my homebrew installs - including OpenSSL. This broke gem install, which is how I first noticed the problem and started trying to repair this.

After a million solutions (when migrating to OSX Sierra - 10.12.5), the solution ended up being comically simple:

brew reinstall ruby
brew reinstall openssl

Edit much later: as Gal Bracha noted in the comments, you ?might? need to delete /usr/local/opt/openssl before doing the reinstalls, just to be safe. I didn't need to at the time, but if you're still having trouble, give that a try.

tobybot
  • And a year later, this happened to me migrating my Mac, and your fix worked for me as well. Thanks so much; I was getting to the point of considering wiping my new Mac and doing a fresh install and setting everything up again manually. – David Jun 28 '18 at 12:25
  • @David glad I could keep you from going over the brink! I almost did the same. – tobybot Jun 28 '18 at 14:54
  • 1
    You might also need to delete this folder before doing the above. `rm -rf /usr/local/opt/openssl` – Gal Bracha Sep 19 '18 at 10:33
  • 1
    I would kiss you if you were next to me. This is what worked for me after 3 hrs of struggle. – Tarun Aug 17 '21 at 15:11
10

The solution above from edwardthesecond worked for me too on Sierra

 brew install openssl
 cd /usr/local/include 
 ln -s ../opt/openssl/include/openssl 
 ./configure && make

Other steps I did before were:

  • installing openssl via brew

    brew install openssl
    
  • adding openssl to the path as suggested by homebrew

    brew info openssl
    echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile
    
Lili
9

After trying everything I could find and nothing worked, I just tried this:

touch ~/.bash_profile; open ~/.bash_profile

Inside the file added this line.

export PATH="$PATH:/usr/local/Cellar/openssl/1.0.2j/bin/openssl"

now it works :)

Jorns-iMac:~ jorn$ openssl version -a
OpenSSL 1.0.2j  26 Sep 2016
built on: reproducible build, date unspecified
//blah blah
OPENSSLDIR: "/usr/local/etc/openssl"

Jorns-iMac:~ jorn$ which openssl
/usr/local/opt/openssl/bin/openssl
Jorn
  • 1
    This is a really simple solution and I was pretty hopeful that it would work for me but no luck here. Even after updating my PATH and restarting my shell session `which openssl` still points to `/usr/bin/openssl` – Will Hitchcock Nov 19 '16 at 23:48
  • In order to get this working I had to edit my .bash_profile as well. But the only thing that worked was telling it to look in /usr/local/bin instead of /usr/bin. I did this by adding `export PATH=/usr/local/bin:$PATH` – Big Tree Energy Dec 21 '16 at 16:40
  • 4
    For this to work, you need to add `/usr/local/opt/openssl/bin`, *without* the `/openssl` on the end, to the *front* of the PATH, not the end: `PATH=/usr/local/opt/openssl/bin:$PATH` Using `/usr/local/opt/openssl` instead of `/usr/local/Cellar/openssl/$version` means you'll automatically keep the most up-to-date version in your $PATH without having to change it every time you upgrade. – Mark Reed Oct 16 '17 at 14:36
  • 1
    After hours of dumbness this did the trick for me along with @MarkReed's additional notes – Naomi See Feb 25 '18 at 04:57
  • 1
    I was able to use this and get it working for me. Thank you. I have 1.0.2q version of openssl. – Karthik N G Feb 15 '19 at 22:46
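An added example, not part of the answer or its comments: it walks a PATH string in lookup order and reports which `openssl` wins, which copies are shadowed, and which entries are files rather than directories, covering the three variants discussed above. The sandbox directories and stand-in binaries are constructed; `audit_path`, `make_sandbox` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Report, in lookup order, how each entry of PATHSTR relates to NAME.
# Output lines: "USED <file>", "shadowed <file>", "not-a-dir <entry>".
# usage: audit_path NAME PATHSTR
audit_path() {
    name=$1 found=0
    old_ifs=$IFS; IFS=:
    set -f                                # no globbing while splitting on ':'
    for entry in $2; do
        if [ ! -d "$entry" ]; then
            # A PATH entry that names a file is never searched.
            if [ -e "$entry" ]; then echo "not-a-dir $entry"; fi
        elif [ -f "$entry/$name" ] && [ -x "$entry/$name" ]; then
            if [ "$found" -eq 0 ]; then
                echo "USED $entry/$name"; found=1
            else
                echo "shadowed $entry/$name"
            fi
        fi
    done
    set +f; IFS=$old_ifs
    [ "$found" -eq 1 ]
}

# Build a throwaway tree with two stand-in "openssl" executables
# (constructed: one plays the system copy, one the Homebrew keg copy).
make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/opt/openssl/bin"
    for f in "$root/usr/bin/openssl" "$root/opt/openssl/bin/openssl"; do
        printf '#!/bin/sh\necho stand-in\n' > "$f"
        chmod +x "$f"
    done
    printf '%s\n' "$root"
}

demo() {
    root=$(make_sandbox) || return 1
    sys=$root/usr/bin; keg=$root/opt/openssl/bin
    echo "# appended, entry points at the binary:"
    audit_path openssl "$sys:$keg/openssl"
    echo "# appended, entry is the directory:"
    audit_path openssl "$sys:$keg"
    echo "# prepended directory:"
    audit_path openssl "$keg:$sys"
    rm -rf "$root"
}
demo
```

Running `audit_path openssl "$PATH"` in a real session shows the same three kinds of line for the live PATH. It only covers the command-line binary, not which libssl another program loads.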
8

I have a similar case. I need to install openssl via brew and then use pip to install mitmproxy. I get the same complaint from brew link --force. Following is the solution I reached: (without force link by brew)

LDFLAGS=-L/usr/local/opt/openssl/lib \
CPPFLAGS=-I/usr/local/opt/openssl/include \
PKG_CONFIG_PATH=/usr/local/opt/openssl/lib/pkgconfig \
pip install mitmproxy

This does not address the question straightforwardly. I leave the one-liner in case anyone uses pip and requires the openssl lib.

Note: the /usr/local/opt/openssl/lib paths are obtained by brew info openssl

sepehr
Pili Hu
8

This worked for me:

 brew install openssl
 cd /usr/local/include 
 ln -s ../opt/openssl/include/openssl .
4

By default, homebrew gave me OpenSSL version 1.1 and I was looking for version 1.0 instead. This worked for me.

To install version 1.0:

brew install https://github.com/tebelorg/Tump/releases/download/v1.0.0/openssl.rb

Then I tried to symlink my way through it but it gave me the following error:

ln -s /usr/local/Cellar/openssl/1.0.2t/include/openssl /usr/bin/openssl
ln: /usr/bin/openssl: Operation not permitted

Finally linked openssl to point to 1.0 version using brew switch command:

brew switch openssl 1.0.2t
Cleaning /usr/local/Cellar/openssl/1.0.2t
Opt link created for /usr/local/Cellar/openssl/1.0.2t
Mayank
3

I had the same problem while trying to install a newer version of ruby, 2.6.5. https://github.com/kelaberetiv/TagUI/issues/86 helps me to solve the problem. This is for macOS Catalina version 10.15.1.

Basically, I did update and upgrade homebrew and install openssl and install ruby.

brew update && brew upgrade
brew install openssl

Then create these 2 symlinks

ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/

then installed ruby 2.6.5

gsumk
1

Note: this no longer works due to https://github.com/Homebrew/brew/pull/612

I had the same problem today. I uninstalled (unbrewed??) openssl 1.0.2 and installed 1.0.1 also with homebrew. Dotnet new/restore/run then worked fine.

Install openssl 101:
brew install homebrew/versions/openssl101
Linking:
brew link --force homebrew/versions/openssl101

Joshka
Gustav
  • 2
    This did it! Seems that 1.0.2 didn't want to link. Next question is why does .netcore suggest something that is not recommended in the community. – daviddeath Jul 30 '16 at 16:42
  • 1.0.2 worked for me on another mac a few days ago, so maybe there is a recent brew or openssl change. Anyway, for dot net core, we are good :) – Gustav Jul 30 '16 at 18:55
  • 1
    The github link posted by @bartonjs shows that brew was updated just a few days ago. Looking at the commit, the change is ` if HOMEBREW_PREFIX.to_s == "/usr/local" && keg.name == "openssl"` so I'm guessing that the 1.0.1 version uses a different HOMEBREW_PREFIX. – daviddeath Jul 30 '16 at 23:03
  • 11
    didn't work for me, still gives error `Refusing to link: openssl101 Linking keg-only openssl101 means you may end up linking against the insecure, deprecated system OpenSSL while using the headers from Homebrew's openssl101. Instead, pass the full include/library paths to your compiler e.g.: -I/usr/local/opt/openssl101/include -L/usr/local/opt/openssl101/lib` – dark_ruby Jul 31 '16 at 20:10
  • 6
    This answer is no longer correct given the change made by homebrew devs at https://github.com/Homebrew/brew/pull/612 – Joshka Aug 01 '16 at 02:36
  • This is awful... don't do this but... vi /usr/local/Library/Homebrew/cmd/link.rb (line 28) `if false &&`. Then `brew install --force openssl`. Don't do this, I'm likely a terrible person for even suggesting it. – Gerry Aug 01 '16 at 06:04
1

for me this is what worked...

I edited the ./bash_profile and added below command

export PATH="/usr/local/opt/openssl/bin:$PATH"

developer
1
export https_proxy=http://127.0.0.1:1087 http_proxy=http://127.0.0.1:1087 all_proxy=socks5://127.0.0.1:1080

works for me

and I think it can solve all the problems like Failed to connect to raw.githubusercontent.com port 443: Connection refused

John Jim
1

The solution might be updating some tools.

Here's my scenario from 2020 with Ruby and Python:

I needed to install Python 3 on Mac and things escalated. In the end, updating homebrew, node and python led to the problem with openssl. I did not have openssl 1.0 anymore, so I couldn't "brew switch" to it.
So what was still trying to use that old 1.0 version?

It turned out it was Ruby 2.5.5.
So I just installed Ruby 2.5.8 and removed the old one.

Other things you can try if this is not enough: Use rbenv and pyenv. Clean up gems and formulas. Update homebrew, node, yarn. Upgrade bundler. Make sure your .bash_profile (or equivalent) is set up according to each tool's instructions. Reopen the terminal.

Stan