AquaticPrime 64bit

Apple stopped shipping the headers to OpenSSL so they wouldn’t have that liability. You can do a lot of stuff with their CoreCrypto framework, which is open-source and an interface to math functions similar to OpenSSL’s, but it is not a drop-in replacement for OpenSSL.

Thanks Philippe, my question was more directed at Markus, to explain what his half statement was intended to say. :smiley:

Sorry Massimo, I did not understand well … I read too quickly, and just as quickly I had downloaded your app to try it! :smiley:

Yup, and I figured my small explanation covers it :slight_smile:

Because OpenSSL doesn’t offer API compatibility between versions

This means that Apple can’t provide security updates without breaking existing apps. OpenSSL developers are not interested in guaranteeing a binary-stable API, only source code compatibility, which means you need to recompile or you only get the old version (possibly containing old, fixed security gaps). To be able to enforce binary stability and get Apple users security fixes even when developers don’t recompile their apps, they’ve created CommonCrypto instead, which is binary stable.

see for example http://rentzsch.tumblr.com/post/33696323211/wherein-i-write-apples-technote-about-openssl-on

That Apple deprecated OpenSSL in 2011 and removed most of it also let it escape the VERY serious Heartbleed bug in 2014, among others, see

https://appleinsider.com/articles/14/04/18/how-apple-dodged-the-heartbleed-bullet

P.S. You can of course statically link OpenSSL, but then you do not benefit from any security updates by Apple and need to update your app each time a new OpenSSL version comes out.

P.P.S. Also note: “The desire to build a streamlined, modern security architecture was also driven by a need for FIPS 140-2 validation, required to sell devices to a variety of U.S. government agencies.” so depending on your target market using OpenSSL is not a good idea. But read http://openssl.cs.utah.edu/docs/fips/fipsnotes.html on that if you want to use OpenSSL.

P.P.P.S. And from the OpenSSL blog at https://www.openssl.org/blog/blog/2017/08/17/fips/

[i]POSTED BY STEVE MARQUESS, AUG 17TH, 2017 4:00 PM
We’ve had a change in the stakeholder aspect of this new FIPS 140 validation effort. The original sponsor, SafeLogic, with whom we jump-started this effort a year ago and who has worked with us since then, is taking a well-deserved bow due to a change in circumstances. Supporting this effort has been quite a strain for a relatively small company, but SafeLogic has left us in a fairly good position. Without SafeLogic we wouldn’t have made it this far, and while I don’t anticipate any future SafeLogic involvement with this effort from this point on, I remain enormously grateful to SafeLogic and CEO Ray Potter for taking on such a bold and ambitious venture.

As announced here recently Oracle remains a sponsor but will hopefully not be the only sponsor for long. We will continue to partner with Acumen and we have been working extensively with Ashit Vora and Tony Busciglio there to sort out some new ideas.

No code has been written yet as we’re still developing a technical strategy and design. We’ve considered some new approaches to structuring the module, perhaps even as a related set of “bound” modules instead of one monolithic module as for past validations. Carefully sorting through the implications of design decisions for FIPS 140 requirements is a tedious but necessary process, and I think we’ll make faster progress overall by not rushing to the coding stage.[/i]

You also have to be really careful when installing Homebrew. See http://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/ .

I’m aware of the OpenSSL thing and why Apple decided to drop it and I’m also aware of the potential risks on using Homebrew.

However, the whole security discussion I believe is a separate topic from what was requested here.
About compiling AquaticPrime with OpenSSL, I believe it doesn’t really expose you to any security risk, provided this is a developer-only application used to generate key pairs for the registration.

As Philippe already pointed out, a better solution would be to compile OpenSSL from source and statically link it into the application; this would at least eliminate the Homebrew dependency.
Nonetheless, for people already using Homebrew, my proposed workaround is perfectly legal and working.
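The static-linking route mentioned in both posts above (Philippe’s P.S. and Massimo’s reply), as an added example that is not code from this thread or from the AquaticPrime project. It assumes OpenSSL has been built from source with `no-shared` into `$HOME/openssl-static` (an assumed prefix; a Homebrew keg such as `$(brew --prefix openssl)` that ships `libcrypto.a` works the same way) and that `keygen.c` is a hypothetical developer-side key-generation tool. The check at the end reads `otool -L` output from stdin so that it can be run against captured output as well as a live binary.

```shell
#!/bin/sh
# Added example: statically link a developer-only OpenSSL tool on macOS and
# verify that no libssl/libcrypto dylib is loaded at run time.
# PREFIX is an assumption; point it at wherever libcrypto.a was installed.
PREFIX="${OPENSSL_PREFIX:-$HOME/openssl-static}"

# Build OpenSSL's static libraries only (no-shared), so the linker cannot
# pick up a shared libcrypto by accident. Run inside the OpenSSL source tree.
# Use darwin64-arm64-cc on Apple silicon instead of darwin64-x86_64-cc.
build_openssl_static() {
  ./Configure darwin64-x86_64-cc no-shared --prefix="$PREFIX" &&
  make -j4 &&
  make install_sw
}

# Link the (hypothetical) keygen.c against libcrypto.a by full path.
# Naming the archive explicitly instead of "-L$PREFIX/lib -lcrypto" matters:
# Apple's ld prefers libcrypto.dylib over libcrypto.a when both exist in the
# search path, which would silently reintroduce the Homebrew dependency.
link_static() {
  clang -o keygen keygen.c -I"$PREFIX/include" "$PREFIX/lib/libcrypto.a"
}

# Decide from `otool -L` text (on stdin) whether the binary still loads
# OpenSSL dynamically. Returns 0 (clean) when no libssl/libcrypto dylib
# appears, 1 otherwise. Matches both Homebrew paths (/usr/local/opt/...)
# and Apple's old /usr/lib copies.
no_dynamic_openssl() {
  ! grep -Eq '/lib(ssl|crypto)[^ ]*\.dylib'
}

# Convenience wrapper for a real binary.
check_binary() {
  otool -L "$1" | no_dynamic_openssl
}

# Typical use after a build (uncomment on a Mac with the prefix in place):
# build_openssl_static && link_static && check_binary ./keygen && echo "static OK"
```

The trade-off the thread describes still applies to a binary that passes this check: a statically linked libcrypto receives no fixes from Apple, so the tool has to be rebuilt whenever OpenSSL ships a security release.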