A mess of xxxSSLs

Rerouted here by Quinn. Asked him a personal question - looks like it's a major one for lots of people.

I noticed some strange SSL happenings inside High Sierra and I am very curious what it is and what the reasons for this are.


First of all, OpenSSL 0.9.7/8 is still there, probably untouched. Which is fine.

Now we have some new libcrypto.40.dylib and .35.dylib files. Which are LibreSSL. Which is surprising. Do we have Xcode/SDK/usr/include/openssl or libressl - nope!

Next we have libboringssl.dylib which is even more surprising. And I can see parts of it in lib system. Also no dev packages.


So.. what’s going on with all those SSL libraries? Why are there so many of them now?


Assume I am a standalone developer that wishes to use OpenSSL on Mac - what will be the recommendations - to self-build it?


And what about Secure Transport - is it still _the primary_ way to use SSL on Mac?


P.S. Shame on removing telnet/ftp. What's next - ping and traceroute?


Best regards,

Platon

Replies

The rules here haven’t changed:

  • We encourage folks to use the highest-level TLS-capable API. In most cases that’s NSURLSession (for HTTPS) and either NSStream (for TLS over TCP) or NSURLSessionStreamTask (likewise).

  • If these high-level APIs aren’t appropriate, we recommend Secure Transport.

  • We discourage folks from using the OpenSSL dynamic libraries that are built in to macOS because binary compatibility concerns prevent us from updating them. You can watch WWDC 2011 Session 212 Next-Generation Cryptographic Services for more details on this.

  • If you feel the need to use OpenSSL (for example, if it has features that are missing from our APIs, or you’re using some other library that depends on OpenSSL), you should feel free to compile your own version of the code into your app. You can statically or dynamically link this; it’s really up to you.

  • Likewise for the various forks of OpenSSL.

Internally Apple is using BoringSSL for… well… stuff, but that has not changed the developer story.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
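
A way to check a binary against the advice in the reply above, as an added example that is not part of the thread or Apple's code: it parses the output of `otool -L` and reports whether each OpenSSL-family library is the OS-provided copy under `/usr/lib` or one shipped with the app. The sample output, the `MyApp` binary, and the category names are constructed for illustration.

```python
import re

# Constructed sample of `otool -L` output for a hypothetical binary (not from the thread).
SAMPLE = """\
MyApp.app/Contents/MacOS/MyApp:
\t/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
\t/usr/lib/libcrypto.35.dylib (compatibility version 36.0.0, current version 36.0.0)
\t@rpath/libcrypto.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
\t/usr/local/opt/openssl/lib/libssl.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
"""

# Each dependency line is: <tab><install name> (compatibility version X, current version Y)
DEP_LINE = re.compile(r"^\s+(?P<path>\S.*?)\s+\(compatibility version .*\)$")
# Library file names for OpenSSL and the forks named in the thread.
TLS_LIB = re.compile(r"^lib(ssl|crypto|boringssl)(\.[^/]*)?\.dylib$")
BUNDLE_PREFIXES = ("@rpath/", "@executable_path/", "@loader_path/")


def classify(path):
    """Return 'system', 'bundled' or 'external' for a TLS library, else None."""
    name = path.rsplit("/", 1)[-1]
    if not TLS_LIB.match(name):
        return None
    if path.startswith("/usr/lib/"):
        return "system"    # OS-provided copy: the linkage the reply discourages
    if path.startswith(BUNDLE_PREFIXES):
        return "bundled"   # resolved relative to the app (assumed to be your own build)
    return "external"      # absolute path outside the OS and the bundle


def audit(otool_output):
    """Map each TLS-related install name in `otool -L` output to its class."""
    findings = {}
    for line in otool_output.splitlines():
        m = DEP_LINE.match(line)
        if m:
            kind = classify(m.group("path"))
            if kind:
                findings[m.group("path")] = kind
    return findings


if __name__ == "__main__":
    for path, kind in audit(SAMPLE).items():
        print(f"{kind:8} {path}")
```

An `external` result points at a library that exists only on the build machine (here a package-manager path), so it needs the same attention as a `system` one before shipping.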