Update OpenSSL on OS X with Homebrew

Question

I'm using MacOS X 10.7.5 and I need a newer OpenSSL version due to handshake failures. There are several tutorials on the internet and I tried the following:

brew install openssl
brew link openssl --force

Nevertheless, it does not work:

openssl version
OpenSSL 0.9.8r 8 Feb 2011

brew unlink openssl && brew link openssl --force
Unlinking /usr/local/Cellar/openssl/1.0.1e... 1139 links removed
Linking /usr/local/Cellar/openssl/1.0.1e... 1139 symlinks created

The SVN issue is not resolved either. Any ideas? I would rather not try the MacPorts way because it may interfere with Homebrew.

Be glad it didn't work. Version 0.9.8r didn't suffer from HeartBleed bug. If you successfully upgraded in March 2013, whatever SSL certificate you created is compromised and you have to rekey it now again. see heartbleed.com for affected versions. — Houman, Apr 10 '14 at 22:13
This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Apple Stack Exchange](http://apple.stackexchange.com/) would be a better place to ask. — jww, Mar 27 '15 at 01:17
@jww This is Stackoverflow and please let it be helpful. There will be some questions which will be in a shade of grey. I have stopped asking the question because of people who vote for closing a question without trying to understand the devs. — amar, Apr 14 '21 at 06:12

score 98 · Accepted Answer · answered Jun 21 '13 at 09:23

98

If you're using Homebrew /usr/local/bin should already be at the front of $PATH or at least come before /usr/bin. If you now run brew link --force openssl in your terminal window, open a new one and run which openssl in it. It should now show openssl under /usr/local/bin.

answered Jun 21 '13 at 09:23

Olaf Heinemann

1,028
8
2

1

Thanks, that worked. I reference this doc on how to add to $PATH: http://hathaway.cc/2008/06/how-to-edit-your-path-environment-variables-on-mac-os-x/ – netwire Jun 30 '13 at 16:59
Thanks! Killed couple of hours on this issue. – Yavor Ivanov Jul 29 '13 at 19:04
1

In my case I put this on my ~/.profile PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/local/bin:/opt/local/sbin:/opt/X11/bin:/usr/local/MacGPG2/bin:/usr/bin:/bin:/usr/sbin – Felipe Mar 21 '14 at 08:41
2

I have installed `1.0.2h_1`, but I am exactly on the same situation, but `openssl version -a` still gives me `OpenSSL 0.9.8zg 14 July 2015`. Any suggestions? – Peyman Mohamadpour Jun 03 '16 at 10:05
Exactly same thing happened to me. It's fixec by @Marc Smith answer – biplob Jul 06 '16 at 07:40
86

This one doesn't work because `brew link --force openssl Warning: Refusing to link: openssl Linking keg-only openssl means you may end up linking against the insecure, deprecated system OpenSSL while using the headers from Homebrew's openssl. Instead, pass the full include/library paths to your compiler e.g.: -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib` – Timo Sep 15 '16 at 11:25
6

@TimoLehto Were you able to resolve this issue? Am facing same issue and cant seem to find a solution anywhere – Tuhina Singh Oct 03 '16 at 10:53
@TuhinaSingh Sorry no luck, other than "following the instructions" and not linking the system library, but instead linking on demand with flags whenever I need it for compile or just calling the brew version directly i.e. `/usr/local/Cellar/openssl/1.0.2h_1/bin/openssl` – Timo Oct 06 '16 at 12:51
3

@TimoLehto No idea if this is 'good practice' or even safe to do, but you could always create a link from /usr/local/bin to /usr/local/opt/openssl/bin/openssl. This can be done using the following command: `ln -s /usr/local/opt/openssl/bin/openssl /usr/local/bin/openssl`. To be clear: I can't promise you that this is a safe or correct way of proceeding. – brunodd Oct 19 '16 at 14:32
2

more info on this issue: http://stackoverflow.com/questions/38670295/homebrew-refusing-to-link-openssl – ekkis Mar 14 '17 at 21:33

score 15 · Answer 2 · answered Nov 12 '16 at 21:48

installed openssl on mac with brew but nothing found on /usr/local/bin where other brew installed bins are located. Found my fresh openssl here:

/usr/local/opt/openssl/bin/openssl

Run it like this:

/usr/local/opt/openssl/bin/openssl version

I don't want to update OS X openssl, while some OS stuff or other 3rd party apps may have dependency on older version.

I also don't mind longer path than just openssl

Writing this here for all the Googlers who are looking for location of openssl installed by brew.

score 14 · Answer 3 · answered Mar 26 '15 at 15:17

14

In a terminal, run:

export PATH=/usr/local/bin:$PATH
brew link --force openssl

You may have to unlink openssl first if you get a warning: brew unlink openssl

This ensures we're linking the correct openssl for this situation. (and doesn't mess with .profile)

Hat tip to @Olaf's answer and @Felipe's comment. Some people - such as myself - may have some pretty messed up PATH vars.

answered Mar 26 '15 at 15:17

Marc Smith

1,111
10
18

10

It just says `Refusing to link: openssl` – rogerdpack Sep 27 '17 at 15:53

GregT · Answer 4 · 2013-03-18T18:52:35.917

I had this issue and found that the installation of the newer openssl did actually work, but my PATH was setup incorrectly for it -- my $PATH had the ports path placed before my brew path so it always found the older version of openssl.

The fix for me was to put the path to brew (/usr/local/bin) at the front of my $PATH.

To find out where you're loading openssl from, run which openssl and note the output. It will be the location of the version your system is using when you run openssl. Its going to be somewhere other than the brewpath of "/usr/local/bin". Change your $PATH, close that terminal tab and open a new one, and run which openssl. You should see a different path now, probably under /usr/local/bin. Now run openssl version and you should see the new version you installed "OpenSSL 1.0.1e 11 Feb 2013".

score 5 · Answer 5 · edited Mar 21 '14 at 08:35

5

To answer your question regarding updating openssl I followed these steps to successfully update the version found on my Mac to the newest openssl version 1.0.1e.

I followed the steps found here: http://foodpicky.com/?p=99

When you reach the steps for terminal commands make and make install be sure to use sudo make and sudo make install (I had to go through the step-by-step twice because I did it without sudo and it did not update).

Hope this helps

edited Mar 21 '14 at 08:35

Felipe

16,649
11
68
92

answered Mar 05 '13 at 21:00

fresh

140
1
9

3

FYI as of today, 1.0.1e (specifically 1.0.1a-f) is known to have a serious security vulnerability. Future readers, make sure you upgrade to at least 1.0.1g http://heartbleed.com/ – SapphireSun Apr 08 '14 at 04:17
The old version is still showing for me: http://stackoverflow.com/questions/22974590/brew-link-force-openssl-did-not-update-openssl-version – quantumpotato Apr 09 '14 at 21:47
2

***Minus One***: *"... be sure to use sudo make..."* - You don't make with privileges. You just `make` and and then `sudo make install` if needed. You also cited a horrible reference. It replaces Apple's OpenSSL 0.9.8 in `/usr` with the updated 1.0.x. That's a really bad thing to do because there's no binary compatibility. – jww Apr 02 '16 at 17:54

score 3 · Answer 6 · answered Mar 09 '16 at 22:00

I had problems installing some Wordpress plugins on my local server running php56 on OSX10.11. They failed connection on the external API over SSL.

Installing openSSL didn't solved my problem. But then I figured out that CURL also needed to be reinstalled.

This solved my problem using Homebrew.

brew rm curl && brew install curl --with-openssl

brew uninstall php56 && brew install php56 --with-homebrew-curl --with-openssl

Robert Sinclair · Answer 7 · 2021-07-01T21:07:45.523

On mac OS X Yosemite, after installing it with brew it put it into

/usr/local/opt/openssl/bin/openssl

But kept getting an error "Linking keg-only openssl means you may end up linking against the insecure" when trying to link it

So I just linked it by supplying the full path like so

ln -s /usr/local/opt/openssl/bin/openssl /usr/local/bin/openssl

So now when I do

$ openssl version -a

It's showing version OpenSSL 1.0.2o.

So I guess it worked!

score 0 · Answer 8 · edited May 30 '21 at 16:35

0

Try:

mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew

Afterwards try:

brew install homebrew/portable-ruby/portable-openssl

edited May 30 '21 at 16:35

Paul Lemarchand

2,068
1
15
27

answered May 29 '21 at 07:36

Venkatesh Panchariya

191
2
2

score 0 · Answer 9 · answered Aug 30 '21 at 20:13

On OSX Big Sur, I had a very frustrating experience with the error, because all of the solutions lean on using brew install. But running brew install was always returning an error like:

Error: 
  homebrew-core is a shallow clone.
To `brew update`, first run:
  git -C /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core fetch --unshallow
This command may take a few minutes to run due to the large size of the repository.
This restriction has been made on GitHub's request because updating shallow
clones is an extremely expensive operation due to the tree layout and traffic of
Homebrew/homebrew-core and Homebrew/homebrew-cask. We don't do this for you
automatically to avoid repeatedly performing an expensive unshallow operation in
CI systems (which should instead be fixed to not use shallow clones). Sorry for
the inconvenience!

But I couldn't run that command because git was failing with:

% git -C /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core fetch --unshallow
dyld: Library not loaded: /usr/local/opt/openssl/lib/libssl.1.0.0.dylib
  Referenced from: /usr/local/libexec/git-core/git-remote-https
  Reason: image not found

In the end, the solution was to reinstall git.

brew reinstall git

And then update symlinks, if necessary:

brew link --overwrite git

score 0 · Answer 10 · answered Dec 27 '22 at 18:04

For those, who are using macOS Monterey and are installing latest openssl v3 with brew, it's located in completely different path:

/opt/homebrew/Cellar/openssl@3/

A specific version is installed in the subfolder and the binary is reachable at (example for v.3.0.7):

/opt/homebrew/Cellar/openssl@3/3.0.7/bin/openssl

Using brew link --force openssl is still valid to create symlinks. Though it creates symlinks, the system openssl installed in /usr/bin/openssl has a preference because it's located earlier in the $PATH list. So the solution will be to set the local symlink:

ln -s /opt/homebrew/Cellar/openssl@3/3.0.7/bin/openssl /usr/local/bin/openssl

This preserves 2 version in different path but /usr/local/bin has the highest priority when searching in $PATH. The drawback is that you'll need to update a symlink once a new version updated with brew because each version is located in a separate subfolder now.

score -9 · Answer 11 · answered Oct 13 '16 at 13:05

-9

install port: https://guide.macports.org/
install or upgrade openssl package: sudo port install openssl or sudo port upgrade openssl
that's it, run openssl version to see the result.

answered Oct 13 '16 at 13:05

Morteza Sepehri Niya

408
6
13

3

The question was about Homebrew... macports is not homebrew... The OP states they prefer not to use mac ports. – Wade Williams Oct 17 '16 at 15:30
@WadeWilliams mac in new version dose not let you update `openssl` using `Homebrew`, I mean you can install or update it using `Homebrew` but you can not prioritize it. So, instead of updating it using `Homebrew` you can update it using `macports ` and prioritize it. – Morteza Sepehri Niya Oct 18 '16 at 09:00

Update OpenSSL on OS X with Homebrew

11 Answers11

Linked

Related