I think this should be retitled to "The sorry state of OpenSSL usability [on macOS]", because the author is using the built-in OpenSSL on macOS (which, as is eventually discovered, isn't actually OpenSSL).
If you want to use OpenSSL on macOS, I suggest using the OpenSSL provided either in Brew or in MacPorts. That will give you a fully-functional setup (including help and man pages).
> Users matter: try doing some usability testing. Try adding some help text and man pages, instead of hijacking the wiki webpage of a different SSL project. And stop forking OpenSSL; you’re just making things worse.
1. Apple is not usability testing this 3-year-old version of a fork of OpenSSL, because they're not supporting it at all.
2. Help text is not available because it's an Apple-supplied fork. OpenSSL does tell you to use 'help'.
3. Man pages do exist. They are just not installed by Apple as the author expected.
4. "And stop forking OpenSSL": a BSD project forked it, and Apple wants BSD over anything else because they can put the software in their closed platforms. Even if LibreSSL were on the up and up, Apple's still got a version from 2016 installed.
Those are all Apple problems, not openssl problems.
1. The OpenSSL API hasn't changed, and if Apple changed it on their own that would break more things
2. The issue the author complained about was `openssl --help` not working, and it doesn't work on any platform (because he got the command wrong). `openssl help` does work on OSX (I literally just tested it).
3. Yeah, that's the one issue we agree is an Apple issue.
4. Apple didn't make LibreSSL. Other systems besides Apple use LibreSSL, and the author's complaints about their lack of documentation are relevant regardless of what Apple does.
> 4. Apple didn't make LibreSSL. Other systems besides Apple use LibreSSL, and the author's complaints about their lack of documentation are relevant regardless of what Apple does.
No, this is specifically Apple's fuck up. The documentation is right there on OpenBSD! It pretty much always was. I have a live system running OpenBSD older than this rant, and the man pages are there. The default modulus is 2048 too.
> 4. Apple didn't make LibreSSL. Other systems besides Apple use LibreSSL, and the author's complaints about their lack of documentation are relevant regardless of what Apple does.
Other systems probably upgrade their copy of BSD userland more than once a decade... especially if they are the richest company on Earth.
There are probably 100 other user rants to accompany this for all the other massively out of date bits of BSD on MacOS.
> `openssl help` does work on OSX (I literally just tested it).
For anyone else interested, I just tested it as well. It appears that it prints a listing of all the commands offered by openssl (split into sections "Standard commands", "Message Digest commands", and "Cipher commands"), with no other descriptions or usage instructions. I tried `openssl help bf` to get more information, and it prints the options available to that command and their descriptions. I did not see any way to actually figure out what a command does, but it is possible I missed it.
Happily, it will likely be removed in the next macOS, at which point anything still dependent on it will break utterly until either updated to use SecureTransport or to bundle OpenSSL.
I predict a popular tool favored by the HN community will break, leading to a highly-upvoted front page post that instructs everyone on how to reinstall the shim wrapper using an unsigned tarball from an unsafe non-Apple source and zero patches to that tool from us to make it use the modern macOS-provided library instead.
5. Follow the code commits of the LibreSSL fork and if you continue to use OpenSSL and not LibreSSL at least you will know the various issues you are going to have.
OPENSSL(1)                  General Commands Manual                 OPENSSL(1)

NAME
     openssl - OpenSSL command line tool

SYNOPSIS
     openssl command [command_opts] [command_args]
     openssl list-standard-commands | list-message-digest-commands |
             list-cipher-commands | list-cipher-algorithms |
             list-message-digest-algorithms | list-public-key-algorithms
     openssl no-command

DESCRIPTION
     OpenSSL is a cryptography toolkit implementing the Transport Layer
     Security (TLS v1) network protocol, as well as related cryptography
     standards.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 19.04
Release: 19.04
Codename: disco
$ openssl --help
Invalid command '--help'; type "help" for a list.
$ openssl help 2>&1 | head -n 3
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
$ openssl help asn1parse
Usage: asn1parse [options]
Valid options are:
 -help              Display this summary
 -inform PEM|DER    input format - one of DER PEM
 -in infile         input file
 -out outfile       output file (output format is always DER)
 -i                 indents the output
$ openssl genrsa -out foo.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................+++++
.......................+++++
e is 65537 (0x010001)
Debian (OpenSSL): the man page is present, and a 2048-bit modulus is the default:
openssl genrsa -out private_key.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
These are all either MacOS or LibreSSL problems.
This may not even be a LibreSSL problem, since the version the author is using is 3 years old [1]. macOS userland is always so ancient; the other bits of BSD userland are even worse as far as I remember.
I meant OR (|) as "I do not _know_", having only tried OpenSSL; updated to clarify this. I thought using bitwise operators would be safe here, but I guess it doesn't work with English.
RE man pages, I am speaking generally (as I said). I know nothing of OpenBSD's man pages, and it doesn't matter; my point was not that LibreSSL or OpenSSL man pages suck for examples, but that it's a bad premise for an argument against Open/LibreSSL.
Current macOS (Mojave, 10.14.5) has a man page for openssl, command line help for openssl, and generates a 2048-bit modulus, and is LibreSSL version 2.6.5 (admittedly nearly a year old).
$ openssl genrsa -out private_key.pem
Generating RSA private key, 2048 bit long modulus
.................+++
........................................+++
e is 65537 (0x10001)
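An added example, not posted by anyone in this thread: a small POSIX shell script that does the checks the posters above did by hand (which implementation `openssl` on PATH actually is, and what key size `genrsa` produces by default). The parsing functions work on constructed banner strings; `check_local_openssl` is an assumed helper that runs the real binary only when one is installed.

```shell
#!/bin/sh
# Added example: identify the SSL implementation behind `openssl` and confirm
# the default RSA key size, without depending on an installed man page.

# Classify an `openssl version` banner: prints "libressl", "openssl" or "unknown".
openssl_flavor() {
    case "$1" in
        LibreSSL*) echo libressl ;;
        OpenSSL*)  echo openssl ;;
        *)         echo unknown ;;
    esac
}

# Pull the modulus size out of a genrsa banner, e.g.
# "Generating RSA private key, 2048 bit long modulus (2 primes)".
# (OpenSSL 1.1 and LibreSSL print it; OpenSSL 3 is quieter, so do not rely on it.)
genrsa_bits() {
    printf '%s\n' "$1" | sed -n 's/.*, \([0-9][0-9]*\) bit long modulus.*/\1/p'
}

# Pull the key size out of `openssl rsa -text -noout` output. The header line is
# "RSA Private-Key: (2048 bit, 2 primes)" on OpenSSL 1.1, "Private-Key: (2048 bit, 2 primes)"
# on OpenSSL 3 and "Private-Key: (2048 bit)" on LibreSSL; the optional prefix covers all three.
rsa_text_bits() {
    printf '%s\n' "$1" | sed -n 's/^\(RSA \)\{0,1\}Private-Key: (\([0-9][0-9]*\) bit.*/\2/p'
}

# Live check against whatever `openssl` is on PATH; skipped when none is installed.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "no openssl on PATH"; return 0; }
    ver=$(openssl version)
    echo "flavor: $(openssl_flavor "$ver") ($ver)"
    # `openssl help` (not `--help`) is the form that lists commands on both implementations.
    echo "first help line: $(openssl help 2>&1 | head -n 1)"
    tmp=$(mktemp) || return 1
    openssl genrsa -out "$tmp" >/dev/null 2>&1
    bits=$(rsa_text_bits "$(openssl rsa -in "$tmp" -noout -text | head -n 1)")
    rm -f "$tmp"
    echo "default genrsa modulus: ${bits:-unknown} bits"
}

if [ "${1:-}" = --run ]; then
    check_local_openssl
fi
```

Run it as `sh check_openssl.sh --run` to see the live result for your own machine.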