Apple stopped shipping the headers to OpenSSL so they wouldn’t have that liability. You can do a lot of stuff with their CoreCrypto framework which is open-source and an interface to similar math functions as OpenSSL, but is not a drop-in replacement for OpenSSL.
Thanks Philippe, my question was more headed to Markus, to explain what his half statement was intended to say. 
Sorry Massimo, I did not understand well … I read quickly and faster and quickly I had downloaded your app to try it! !
Yup, and I figured my small explanation covers it 
Because OpenSSL doesnt offer API compatibility between versions
This means that Apple can’t provide security updates without breaking existing apps. OpenSSL developers are not interested in guaranteeing a binary-stable API, only source code compatibility, which means you need to recompile or you only get the old version (possibly containing old, fixed security gaps). To be able to enforce binary stability and get Apple users security fixes even when developers don’t recompile their apps, they’ve created CommonCrypto instead, which is binary stable.
see for example rentzsch.tumblr.com: Wherein I Write Apple’s Technote About OpenSSL on OS X For Them
That Apple deprecated OpenSSL in 2011 and removed most of it also let it escape the VERY serious Heartbleed bug in 2014, among others, see
P.S. You can of course statically link OpenSSL, but then you do not benefit from any security updates by Apple and need to update your app each time a new OpenSSL version comes out.
P.P.S. Also note: “The desire to build a streamlined, modern security architecture was also driven by a need for FIPS 140-2 validation, required to sell devices to a variety of U.S. government agencies.” so depending on your target market using OpenSSL is not a good idea. But read http://openssl.cs.utah.edu/docs/fips/fipsnotes.html on that if you want to use OpenSSL.
P.P.P.S. And from the OpenSSL blog at FIPS 140-2: Thanks and Farewell to SafeLogic - OpenSSL Blog
[i]POSTED BY STEVE MARQUESS , AUG 17TH, 2017 4:00 PM
Weve had a change in the stakeholder aspect of this new FIPS 140 validation effort. The original sponsor, SafeLogic, with whom we jump-started this effort a year ago and who has worked with us since then, is taking a well-deserved bow due to a change in circumstances. Supporting this effort has been quite a strain for a relatively small company, but SafeLogic has left us in a fairly good position. Without SafeLogic we wouldnt have made it this far, and while I dont anticipate any future SafeLogic involvement with this effort from this point on, I remain enormously grateful to SafeLogic and CEO Ray Potter for taking on such a bold and ambitious venture.
As announced here recently Oracle remains a sponsor but will hopefully not be the only sponsor for long. We will continue to partner with Acumen and we have been working extensively with ■■■■■ Vora and Tony Busciglio there to sort out some new ideas.
No code has been written yet as were still developing a technical strategy and design. Weve considered some new approaches to structuring the module, perhaps even as a related set of bound modules instead of one monolithic module as for past validations. Carefully sorting through the implications of design decisions for FIPS 140 requirements is a tedious but necessary process, and I think well make faster progress overall by not rushing to the coding stage.[/i]
You also have to be really careful when installing Homebrew. See http://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/ .
I’m aware of the OpenSSL thing and why Apple decided to drop it and I’m also aware of the potential risks on using Homebrew.
However, the whole security discussion I believe is a separate topic from what was requested here.
About compiling AquaticPrime with OpenSSL I believe it doesn’t really expose to any security risk, provided this is a developer only application to generate key pairs for the registration.
As Philippe already pointed, a better solution would be to compile OpenSSL from source and statically link into the application, this would at least eliminate the Homebrew dependency.
Nonetheless for people already using Homebrew, my proposed workaround is perfectly legal and working.