Apple has marked most (but not all) of the OpenSSL API as "deprecated" in MacOS 10.7. Has Apple made any statements explaining why they are moving from OpenSSL to Common Crypto?
I don't know, but from a search I found http://ludovicrousseau.blogspot.com/2011/08/mac-os-x-lion-and-openssl.html which says that they deprecated it in preference to their own Common Crypto – Dan D. Sep 13 '11 at 19:00

Apple might be going to maintain a FIPS certification for Common Crypto, or something, so they'd prefer people would use that. Just guesswork. – James Sep 13 '11 at 19:49

[Heartbleed](https://en.m.wikipedia.org/wiki/Heartbleed) was discovered April 1 2014 and the decision to move away from OpenSSL appears to have been before then, but there may have been some dissatisfaction with elements of OpenSSL that led to this. – bobobobo Apr 08 '18 at 12:38

Heartbleed didn't have anything to do with this. It was based on code quality, lack of support for multi-threading, and Appleisms. – vy32 Apr 09 '18 at 01:34
3 Answers
Because OpenSSL doesn’t offer API compatibility between versions
This means that Apple can't provide security updates without breaking existing apps.
http://rentzsch.tumblr.com/post/33696323211/wherein-i-write-apples-technote-about-openssl-on-os-x

Apple is migrating from OpenSSL to Common Crypto (which Apple develops).
Info on WHY Apple is doing this: http://adcdownload.apple.com/wwdc_2011/adc_on_itunes__wwdc11_sessions__pdf/212_nextgeneration_cryptographic_services.pdf
If the above link fails (it probably will), here are navigation instructions:
- Log on to http://developer.apple.com
- Scroll to bottom, click on 'Development Videos'
- On the next page, click 'Learn more' under WWDC 2011
- Scroll down about half-way (or search) until you see 'Next Generation Cryptographic Services', and click it
- You have now reached the buried treasure, download the 'Presentation Slides'

I know *what* Apple is doing. My question is *WHY* is Apple doing this? To be anti-competitive? To make it harder to develop cross-platform software? Because their stuff is better? – vy32 Sep 13 '11 at 19:08

I added a link to an Apple Developer presentation. I'm not putting the content here since the slides are marked confidential, and I don't want to lose my Apple Developer Membership :) – joet3ch Sep 13 '11 at 20:25

I have an AD membership but I'm unable to get the link to work. Rather than posting the download link, can you post navigation instructions? Thanks. – vy32 Sep 14 '11 at 07:32

Thanks. It's quite a hoot to see Jon's name on the slides. I didn't realize he was at Apple now. Interesting that they are forcing us to abandon OpenSSL for these new security services. I wonder if, next, they will try to make us abandon Berkeley Sockets. – vy32 Sep 14 '11 at 15:09

As an aside, I agree with static linking and the lack of a stable ABI. I was bitten by that yesterday. – vy32 Sep 14 '11 at 15:12

Is there somewhere to get a summary of this without signing up for an Apple account? – jcollie Oct 14 '11 at 13:31

Short summary: OpenSSL developers are not interested in guaranteeing a binary-stable API, only source code compatibility, which means you need to recompile or you only get the old version (possibly containing old, fixed security gaps). To be able to enforce binary stability and get our users security fixes even when we don't recompile our apps, they're creating CommonCrypto instead, which *is* binary stable. – uliwitness Aug 21 '14 at 19:46
The OpenSSL dylib is deprecated because of binary compatibility issues across versions (e.g. it causes problems like "Why does the OpenSSL test suite fail on MacOS X?").
See joet3ch's answer for what Apple suggests to do about it.
However, you're free/encouraged to get openssl from openssl.org and link statically.