ID: 7148
Fixed in:
Issue Date: 2017-05-19 10:35 AEST
Owner: CVS Support
Last Modified: 2024-06-22 12:41 AEST
Reporter: Arthur Barrett
Current Est.: 0.0 hours
% Complete: 0.0
Status: NEW /
Severity: enhancement
Affected: 2.8.01
Description: enh: mac: use native SSL for sserver and sync protocols

Actions:

2017-05-19 10:35 AEST by Arthur Barrett - Mac (and iOS) have a native SSL called 'Secure Transport' - maybe we should use this on the Mac (or at least have the option).
We did something similar for Windows - having an option to use the native (SChannel), see bug 5747.

2020-05-01 16:41 AEST by Arthur Barrett - The secure transport API is deprecated in MacOS 10.14 and replaced with:
https://developer.apple.com/documentation/network
I'm working on bug7396, to compile on Xcode 10.1 on Mac OS 10.13.6 and it seems that openssl headers are no longer included in the Mac OS X 10.14.1 sdk, so either the 'secure transport' or 'network' API needs to be used, or we need to install the openssl headers and link to the included dylib:
ls -lah /usr/lib/ | grep ssl
-rwxr-xr-x 1 root wheel 1.2M Dec 4 23:11 libboringssl.dylib
-rwxr-xr-x 1 root wheel 384K Jul 21 2018 libssl.0.9.7.dylib
-rwxr-xr-x 1 root wheel 615K Jul 21 2018 libssl.0.9.8.dylib
-rw-r--r-- 1 root wheel 925K Dec 4 23:11 libssl.35.dylib
-rw-r--r-- 1 root wheel 870K Dec 4 23:11 libssl.43.dylib
lrwxr-xr-x 1 root wheel 15B Dec 14 12:24 libssl.dylib -> libssl.35.dylib
Presumably the 'missing headers' are here:
https://opensource.apple.com/source/OpenSSL098/
Apparently the more recent libraries are LibreSSL:
http://mac-os-forge.2317878.n4.nabble.com/LibreSSL-and-OpenSSL-and-SSL-td353303.html
Demonstrated by:
ivybridge-5:~ abarrett$ /usr/bin/openssl
OpenSSL> version
LibreSSL 2.2.7
OpenSSL> exit
ivybridge-5:~ abarrett$ otool -L /usr/bin/openssl
/usr/bin/openssl:
/usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
/usr/lib/libcrypto.35.dylib (compatibility version 36.0.0, current version 36.0.0)
/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Versions/A/TrustEvaluationAgent (compatibility version 1.0.0, current version 31.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)
Oddly though - the opensource.apple.com site doesn't have libressl - maybe they are using the stock standard version?
Apparently the SDK/API is the same as OpenSSL:
https://wiki.gentoo.org/wiki/Project:LibreSSL
However in practice it looks more complex:
https://opensource.apple.com/source/curl/curl-95/curl/lib/vtls/openssl.c.auto.html
e.g.:
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!defined(LIBRESSL_VERSION_NUMBER)
req_method = TLS_client_method();
#else
req_method = SSLv23_client_method();
#endif
Currently our Xcode project links sserver and sync protocols to /usr/lib/libssl.dylib -- which for macOS High Sierra will be LibreSSL.
See bug7396 for details of how I got it working with libressl.

2024-06-22 11:59 AEST by Arthur Barrett - Sonoma 14.5:
mbp2019admin@coffeelake2024 .ssh % otool -L /usr/bin/openssl
/usr/bin/openssl:
/usr/lib/libssl.48.dylib (compatibility version 49.0.0, current version 49.2.0)
/usr/lib/libcrypto.46.dylib (compatibility version 47.0.0, current version 47.2.0)
/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Versions/A/TrustEvaluationAgent (compatibility version 1.0.0, current version 38.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.120.2)
mbp2019admin@coffeelake2024 .ssh % /usr/bin/openssl version
LibreSSL 3.3.6
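Added example (not part of this tracker entry and not CVSNT code): a small POSIX shell check that reads `otool -L` output like the listings above and reports which libssl a binary is linked against, so a build can confirm it picked up the system LibreSSL rather than the old 0.9.x compatibility libraries in /usr/lib or some other copy. The sample listings are constructed from the output quoted in this entry (the 0.9.8 case is hypothetical); the Homebrew paths and the function names are assumptions, not anything from CVSNT or Apple.

```shell
#!/bin/sh
# Added example, not CVSNT code: classify the libssl a macOS binary links to,
# based on `otool -L` output such as the listings quoted in this tracker entry.
# Path patterns for Homebrew OpenSSL are an assumption about a typical
# third-party install; /usr/lib/libssl.NN.dylib is treated as the system
# LibreSSL, which is what the listings in this entry show for High Sierra and later.

# classify_libssl: reads otool -L output on stdin and prints one line
# "<CLASS> <path>" per libssl dependency, or "NONE" if there is none.
classify_libssl() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *libssl*) ;;      # only the libssl dependency lines matter
            *) continue ;;
        esac
        found=1
        # otool prints "<path> (compatibility version X, current version Y)";
        # keep just the path.
        path=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/ (compatibility.*$//')
        case "$path" in
            /usr/lib/libssl.0.9.*.dylib)
                echo "OBSOLETE-OPENSSL $path" ;;   # 0.9.x compat libs, not for new code
            /usr/lib/libssl.[0-9]*.dylib|/usr/lib/libssl.dylib)
                echo "SYSTEM-LIBRESSL $path" ;;    # Apple's libssl.NN.dylib (LibreSSL)
            /usr/local/opt/openssl*|/opt/homebrew/opt/openssl*)
                echo "HOMEBREW-OPENSSL $path" ;;   # assumed Homebrew install paths
            @rpath/*|@executable_path/*|@loader_path/*)
                echo "BUNDLED $path" ;;            # a copy shipped with the app
            *)
                echo "UNKNOWN $path" ;;
        esac
    done
    [ "$found" -eq 1 ] || echo NONE
}

# require_libssl_class CLASS: exit 0 only if every libssl dependency on stdin
# has that class (so a build step can fail on an unintended link).
require_libssl_class() {
    classify_libssl | awk -v want="$1" '$1 != want { bad = 1 } END { exit bad ? 1 : 0 }'
}

# Constructed sample: the Sonoma 14.5 listing quoted in this entry.
SAMPLE_SONOMA='/usr/bin/openssl:
    /usr/lib/libssl.48.dylib (compatibility version 49.0.0, current version 49.2.0)
    /usr/lib/libcrypto.46.dylib (compatibility version 47.0.0, current version 47.2.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.120.2)'

# Constructed sample: a hypothetical build that picked up the 0.9.8 compat library.
SAMPLE_OLD='cvs:
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)'

printf '%s\n' "$SAMPLE_SONOMA" | classify_libssl
printf '%s\n' "$SAMPLE_OLD" | require_libssl_class SYSTEM-LIBRESSL \
    || echo "build is not linked against the system LibreSSL"
```

On a real machine the input would come from `otool -L path/to/binary | classify_libssl`; the script only pattern-matches the dependency paths, so it says nothing about which library actually gets loaded at run time if DYLD search paths are altered.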
2024-06-22 12:41 AEST by Arthur Barrett - I was looking at this last night for Sonoma macOS 14 and it looks like the consensus view is to use libressl.
The only alternative would be to rewrite the SSL components in Swift. There are no C/C++ APIs to use now, and the old API is deprecated.
For instance 'curl' had a darwinssl option, but now they've removed it and use libressl instead.
opensource.apple.com is the same - they've removed darwinssl and build the curl shipped with macOS Sonoma 14.5 as compiled with libressl and they supply libressl dylib.
But this option is not available for iOS.
For iOS we'd need to rewrite sserver_protocol in Swift.
I'm thinking that each protocol should really be its own framework on macOS and iOS.
question:
"I was overwhelmed by a fact that Apple didn't provide SSLCreateContext for its security APIs.
I checked API at Security/SecureTransport.h and it exists. However, it is deprecated.
I need a SSLCreateContext function available as C API. Is there any replacement for this function from
Network framework?"
final reply:
"If the final goal is to generate network traffic on the wire then Network framework is your best option."
see:
https://forums.developer.apple.com/forums/thread/682940?answerId=679277022#679277022
and:
How to use Network framework in Objective-C (example in Swift)
https://stackoverflow.com/a/59523101
and:
What is the darwinssl library location on Mac OS X?
https://stackoverflow.com/questions/37414790/what-is-the-darwinssl-library-location-on-mac-os-x
and:
SSL Error on macOS
https://github.com/curl/curl/issues/1184