Wherein I Write Apple’s Technote About OpenSSL on OS X - anon1385
http://rentzsch.tumblr.com/post/33696323211/wherein-i-write-apples-technote-about-openssl-on-os-x

======
codeka
It seems quite understandable that there'd be breaking changes between version
0.9 and 1.0, I don't see how you can extrapolate that to "OpenSSL doesn’t
offer API compatibility between versions."

I also don't see how the advice to include your own version is any better than
shipping two versions.

~~~
klodolph
Have you ever used OpenSSL? It is a total mess. For a popular project, its
code is unreadable. I don't know how they maintain it.

~~~
taybin
I absolutely agree. I had to dig pretty deep into it to see what broke between
versions. It is crazy town in there.

------
doe88
You won't find any Apple technote on the subject because the use of OpenSSL is
deprecated on iOS and OS X from their point of view.

~~~
delinka
Deprecated in favor of what? This post talks about a compatibility layer
between app source code and OpenSSL.

~~~
jws
Common Crypto contains functions for

• Hashing: MD5, SHA1, SHA2

• HMAC (hash based message authentication) <http://en.wikipedia.org/wiki/Hash-based_message_authentication_code>

• PBKDF2 (password to key) <http://en.wikipedia.org/wiki/PBKDF2>

• Symmetric Encryption: AES, DES, 3DES, CAST, RC4, RC2, and Blowfish. (The
algorithm selection is poorly documented in the man pages; I'm reading source
here.)

It has an API that would not surprise anyone who has used a similar library.

It is open source, APSL 2.0. You can read it here:
<http://www.opensource.apple.com/source/CommonCrypto/>

------
shanemhansen
This is so undeservedly harsh.

Seriously, considering that 0.9.8 was released in 2005. During the last 7
years are you telling me openssl is the only "unixy" library to have a new
backwards incompatible version come out? And by the way, they are still
providing updates to 0.9.8. It's still the default version in Debian stable.

    http://www.openssl.org/news/changelog.html
    http://www.openssl.org/

So to recap: 0.9.8 is by no means unsupported. The saints over at the openssl
group are continuing to provide updates to this 7 year old library so that
people like Apple can continue providing seamless security updates to users
who have linked against 0.9.8.

------
chris_wot
I'm looking at upstream tracker [1], and I can see a number of changes in the
later releases, but is the API really that unstable?

What parts of the API in particular are that bad?

1. <http://upstream-tracker.org/versions/openssl.html>

~~~
delinka
I see 27 symbols removed in version 1.0.0. That is 27 symbols that cannot be
found by the dynamic linker if an older app binary requires them.
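
The check delinka describes (will every symbol an existing binary imports still be found in a newer library build?) can be done before shipping, with `nm`. The script below is an added example, not code from the post or from OpenSSL or Apple: it parses the output of `nm -u <app>` (imports) and `nm -g <lib>` (exports) and lists what the dynamic linker would fail to resolve. All `nm` output here is constructed sample data and the removed symbol is an invented placeholder, not a claim about any real OpenSSL release. On Mach-O, C symbol names carry a leading underscore in both outputs, so the comparison still works as long as app and libraries come from the same platform; symbol versioning is not considered.

```python
"""Added example (not from the post or from OpenSSL/Apple): given `nm` output for
an application and for the libraries it will be loaded against, list the
symbols the dynamic linker would fail to resolve. All nm output below is
constructed sample data; the symbol names are illustrative only."""

# Constructed sample of GNU-style `nm -u app` output: symbols the app imports.
APP_UNDEFINED = """\
                 U SSL_library_init
                 U SSL_CTX_new
                 U SSLv23_client_method
                 U ERR_load_crypto_strings
                 U _exit
"""

# Constructed sample of `nm -g libcrypto_newer.so`: a hypothetical newer
# library build that no longer exports ERR_load_crypto_strings.
LIBSSL_EXPORTS = """\
0000000000012340 T SSL_library_init
0000000000012400 T SSL_CTX_new
0000000000012500 T SSLv23_client_method
0000000000020000 D OPENSSL_version_text
                 U malloc
"""

# Constructed sample of the C library's exports, so libc symbols are not
# misreported as missing.
LIBC_EXPORTS = """\
0000000000030000 T _exit
0000000000031000 W malloc
"""

# nm type codes meaning "this object defines the symbol" (text, data, bss,
# read-only, weak-defined, small data, ifunc, unique). 'U', 'w' and 'v' are
# undefined or weak references and are deliberately excluded.
DEFINING_TYPES = set("TtDdBbRrWVGgSsiu")


def parse_nm(text):
    """Map symbol name -> nm type code.

    Handles 'addr TYPE name', 'TYPE name' (undefined symbols carry no
    address) and the bare 'name' lines that macOS `nm -u` prints, which are
    treated as undefined. Per-file header lines such as 'foo.o:' are skipped."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            _addr, code, name = parts
        elif len(parts) == 2:
            code, name = parts
        elif len(parts) == 1 and not parts[0].endswith(":"):
            code, name = "U", parts[0]
        else:
            continue
        symbols[name] = code
    return symbols


def undefined_symbols(app_nm):
    """Symbols the application needs some shared library to provide."""
    return {name for name, code in parse_nm(app_nm).items() if code == "U"}


def exported_symbols(lib_nm):
    """Symbols a library actually defines (its own imports excluded)."""
    return {name for name, code in parse_nm(lib_nm).items()
            if code in DEFINING_TYPES}


def missing_symbols(app_nm, *lib_nms):
    """Sorted list of app imports that none of the given libraries define.
    A non-empty result means loading would fail with an undefined symbol."""
    needed = undefined_symbols(app_nm)
    provided = set().union(*(exported_symbols(lib) for lib in lib_nms))
    return sorted(needed - provided)


if __name__ == "__main__":
    for sym in missing_symbols(APP_UNDEFINED, LIBSSL_EXPORTS, LIBC_EXPORTS):
        print("unresolved:", sym)
```

Run against the constructed data it reports `ERR_load_crypto_strings` as the one import the newer library no longer satisfies; feeding it real `nm` output for an old app binary and a candidate library build gives the same kind of answer, which is exactly what decides whether a vendor can swap the library underneath existing apps.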

~~~
dthunt
That's a major version change. You expect API compatibility typically with
patch-level and minor releases.

~~~
mikeash
Apple needs API compatibility across major versions too.

~~~
angrow
Apple is welcome to do what they like (and it seems like they're offering
alternatives that are at least equivalent, and possibly superior) but a "major
release" has incompatible changes to APIs by definition.

~~~
mikeash
Mac OS X has gone through a large number of major releases without making
binary incompatible changes to APIs. That may be one definition of "major
release", but it's certainly not universal. In any case, I don't understand
this discussion centered around whether OpenSSL is justified in doing this or
that. It doesn't matter! Apple needs binary compatibility, OpenSSL does not
provide it, Apple doesn't expose OpenSSL. That's it. The reasons why OpenSSL
doesn't provide it, whether they're right or wrong or just sideways, simply do
not matter.

~~~
Evbn
OS X hasn't changed its major version number in over 10 years. :-)

iOS major version bumps frequently though...

~~~
delinka
"major release" != "major version number"

Besides, Apple's major OS releases are executed like a major version number
bump regardless of how others outside the company do things. These bumps
include deprecation markers and warnings for APIs with planned retirement.
There's no technical reason to remove deprecated APIs (keeping them around
forever) to support older apps.

------
akandiah
I've found the EVP library (provided with OpenSSL) to be good for
implementing basic cryptographic functionalities. It provides a decent layer
of abstraction that's portable across different versions of OpenSSL.

