OpenSSL no longer available on OSX 10.11

[larsbergstrom]

OpenSSL has been removed from OSX 10.11. We have a couple of options:

1. Ask people to do brew install openssl ; brew link --force openssl

2. Do the same thing we do on Android and download & build OpenSSL ourselves

Opinions?

CC @Manishearth @sfackler

[frewsxcv]

Relevant issues:

#7888

#7303

[sfackler]

I think the best way forward for not-Linux is to update openssl-sys to
build OpenSSL from source and link statically by default. However, I do not
want to be the person to manage that and have to e.g. Immediately bump
versions after Heartbleed round 2 goes public. If there are volunteers here
that want to take the hit and own that it would be great!

On Thu, Oct 8, 2015, 8:30 PM Corey Farwell notifications@github.com wrote:

Relevant PRs:

#7888 #7888

#7303 #7303

—
Reply to this email directly or view it on GitHub
#7930 (comment).

[jasonwilliams]

out of interest how is this handled on Windows?

[sfackler]

The user's responsible for getting a copy of OpenSSL.

[DemiMarie]

Just curious: why does Servo use OpenSSL instead of Mozilla's own NSS?

[jdm]

The Rust bindings already existed, so we didn't need to do anything special to integrate it.

[clemens-tolboom]

I do have openssl on Mac 10.11.2

% which openssl
/usr/bin/openssl

but the build fails

src/openssl_shim.c:1:10: fatal error: 'openssl/hmac.h' file not found
#include <openssl/hmac.h>

Checking brew I had openssl installed too.

% brew info openssl
openssl: stable 1.0.2e (bottled) [keg-only]
SSL/TLS cryptography library
https://openssl.org/
/usr/local/Cellar/openssl/1.0.2e (465 files, 17M)
  Poured from bottle
From: https://github.com/Homebrew/homebrew/blob/master/Library/Formula/openssl.rb
==> Dependencies
Build: makedepend ✘
==> Options
--universal
    Build a universal binary
--without-test
    Skip build-time tests (not recommended)
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl/certs

and run
  /usr/local/opt/openssl/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local.

Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries

Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:

    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include

Doing brew link --force openssl does not help.

So what to do?

[sfackler]

cargo clean and it should build.

[clemens-tolboom]

cargo ... huh?

@sfackler thanks for the clean suggestion. After ./mach clean building with ./mach build -dev works :-)

[bdaehlie]

I use macports and I solved the openssl header problem on OS X 10.11 by adding this to my .profile:

export CPATH="$CPATH:/opt/local/include"

macports installs the necessary openssl header files at that location.

[mrjbq7]

I don't think brew link --force openssl works in latest Homebrew:

$ brew link --force openssl
Warning: Refusing to link: openssl
Linking keg-only openssl means you may end up linking against the insecure,
deprecated system OpenSSL while using the headers from Homebrew's openssl.
Instead, pass the full include/library paths to your compiler e.g.:
  -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib

Does anyone have updated instructions for macOS?

[sfackler]

@mrjbq7 https://github.com/servo/servo#on-os-x--1011-el-capitan-you-also-have-to-install-openssl

[Groxx]

@sfackler doesn't work for me fwiw:

$ ./mach build -r
....
   Compiling libz-sys v1.0.10
   Compiling heartbeats-simple-sys v0.3.2
   Compiling openssl-sys v0.7.17
Build failed, waiting for other jobs to finish...
error: failed to run custom build command for `openssl v0.7.14`
process didn't exit successfully: `/Users/groxx/servo/target/release/build/openssl-b1e8fa07f9be8a07/build-script-build` (exit code: 101)
--- stdout
TARGET = Some("x86_64-apple-darwin")
OPT_LEVEL = Some("3")
PROFILE = Some("release")
TARGET = Some("x86_64-apple-darwin")
debug=false opt-level=3
HOST = Some("x86_64-apple-darwin")
TARGET = Some("x86_64-apple-darwin")
TARGET = Some("x86_64-apple-darwin")
HOST = Some("x86_64-apple-darwin")
CC_x86_64-apple-darwin = None
CC_x86_64_apple_darwin = None
HOST_CC = None
CC = None
HOST = Some("x86_64-apple-darwin")
TARGET = Some("x86_64-apple-darwin")
HOST = Some("x86_64-apple-darwin")
CFLAGS_x86_64-apple-darwin = None
CFLAGS_x86_64_apple_darwin = None
HOST_CFLAGS = None
CFLAGS = None
running: "cc" "-O3" "-ffunction-sections" "-fdata-sections" "-m64" "-fPIC" "-I" "/usr/local/Cellar/openssl/1.0.2k/include" "-o" "/Users/groxx/servo/target/release/build/openssl-87c538093dbe2342/out/src/c_helpers.o" "-c" "src/c_helpers.c"
cargo:warning=src/c_helpers.c:1:10: fatal error: 'openssl/ssl.h' file not found
cargo:warning=#include <openssl/ssl.h>
cargo:warning=         ^
cargo:warning=1 error generated.
ExitStatus(ExitStatus(256))


command did not execute successfully, got: exit code: 1



--- stderr
thread 'main' panicked at 'explicit panic', /Users/groxx/servo/.cargo/registry/src/github.com-1ecc6299db9ec823/gcc-0.3.41/src/lib.rs:1018
note: Run with `RUST_BACKTRACE=1` for a backtrace.

[Warning] Could not generate notification! Optional Python module 'pyobjc' is not installed.
Build FAILED in 0:08:07

And:

$ echo $OPENSSL_LIB_DIR
/usr/local/Cellar/openssl/1.0.2k/lib
$ echo $OPENSSL_INCLUDE_DIR
/usr/local/Cellar/openssl/1.0.2k/include

I've cleaned and retried, same thing each time. (though strangely sometimes it errors on openssl/hmac.h instead of /ssl.h. dunno what that implies, maybe just different compilation speeds changing order?)

[sfackler]

Does /usr/local/Cellar/openssl/1.0.2k/include/openssl/ssh.h exist?

It is probably more reliable to set those to /usr/local/opt/openssl/include and /usr/local/opt/openssl/lib` to avoid breaking every time there's a new release.

[Groxx]

Does /usr/local/Cellar/openssl/1.0.2k/include/openssl/ssh.h exist?

That's a very good, obvious-in-retrospect question. But first a diversion:

It is probably more reliable to set those to /usr/local/opt/openssl/include and /usr/local/opt/openssl/lib` to avoid breaking every time there's a new release.

Yeah, this is the result of using brew --prefix openssl, as described in the readme: https://github.com/servo/servo#on-os-x--1011-el-capitan-you-also-have-to-install-openssl

Back to the first question: strangely, brew --prefix openssl says /usr/local/Cellar/openssl/1.0.2k, but in /usr/local/Cellar/openssl there's only 1.0.2j. So it's correct, it doesn't exist, but I have no idea why brew is confused about the prefix.... very likely this is just on my machine tho, I'll make sure I fix this before jumping back in here with complaints :)

[Groxx]

reinstalled, and the build succeeded. ¯\_(ツ)_/¯
oh well. thanks for helping!

[nox]

Pretty sure this can be fixed.