md-distro - Re: [md-distro] questions about Phase 1 implementation plan

Subject: Metadata Distribution Subcommittee of TAC

  • From: John Bradley <>
  • To:
  • Subject: Re: [md-distro] questions about Phase 1 implementation plan
  • Date: Mon, 28 Oct 2013 13:26:42 -0300

Apple moved to their own TLS lib in Mavericks to enable TLS 1.2 and
disable all certs with RC5 hashes.

The version of OpenSSL is only for backwards compatibility with some apps.
The OS no longer uses it, so it will likely never be updated.
Ports is your friend for that.

From the developer docs:

OpenSSL

OS X includes a low-level command-line interface to the OpenSSL open-source
cryptography toolkit; this interface is not available on iOS.

Further, although OpenSSL is commonly used in the open source community, it
does not provide a stable API from version to version. For this reason, the
programmatic interface to OpenSSL is deprecated in OS X and is not provided
in iOS. Use of the Apple-provided OpenSSL libraries by apps is strongly
discouraged.

To ensure compatibility, if your app depends on OpenSSL, you should compile
it yourself and statically link a known version of OpenSSL into your app.
Such use works on both iOS and OS X.

In general, however, you should use the CFNetwork API for secure networking
and the Certificate, Key, and Trust Services API for cryptographic services.
Alternatively, in OS X, you can use the Secure Transport API.

John B.

On Oct 28, 2013, at 12:48 PM, Cantor, Scott <> wrote:

> Haven't reviewed the material, but some quick answers...
>
> On 10/28/13, 11:23 AM, "Tom Scavo" <> wrote:
>
>> I've made some assumptions, however, which may or may not be true. Are
>> the following assumptions correct?
>>
>> - The Shibboleth IdP does not have any issues.
>
> I believe that's true.
>
>> - A Windows-based Shibboleth SP deployment does not have any issues
>> (since OpenSSL is included in the Shibboleth distribution).
>
> An up-to-date one doesn't. I don't know how far back you'd have to get to
> have a problem, but probably pretty far.
>
>> - All other (non-Windows) Shibboleth SP deployments are completely
>> dependent on the version of OpenSSL bundled with the underlying
>> operating system.
>
> That's only true on Linux actually. Solaris varies widely and there are
> many different versions one might have, not all of which come from the OS.
>
> On the Mac, the supported approach is macports, which should be a current
> version, but again if it were an old install, it would depend. I don't
> know what version Apple has provided going backwards, it's 0.9.8 on
> Mavericks (yes, really). If you did a source build using their libraries
> and not macports, then, it would depend on the OS.
>
>> - If your metadata process depends on an incompatible version of
>> OpenSSL, the recommended action is to upgrade the underlying operating
>> system.
>
> See above, it's not that simple except on Linux.
>
> -- Scott

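An added check, not from the thread, that tells you which of the cases Scott describes an SP install is actually in: it reads the dynamic-library listing for a binary such as shibd from `otool -L` (OS X) or `ldd` (Linux) and reports whether libssl/libcrypto come from the OS, from MacPorts, or from somewhere else, with the version taken from the library file name. The path prefixes used for classification and the `/usr/sbin/shibd` location are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report where a binary's OpenSSL comes from.
# Input: the library listing from `otool -L <binary>` (OS X) or `ldd <binary>` (Linux).
# Output: one line per libssl/libcrypto, "<origin> <version> <path>", where origin is
#   system   - OS-bundled copy (/usr/lib, /lib, ...; on Mavericks that is 0.9.8)
#   macports - /opt/local, the supported approach on the Mac per the thread
#   other    - anything else (self-built, /usr/local, vendor copy)
#   missing  - ldd could not resolve the library
# or "static-or-none" when no libssl/libcrypto is dynamically linked at all
# (a statically linked copy, as the Apple docs recommend, shows up this way).
classify_openssl_deps() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *libssl*|*libcrypto*) ;;
            *) continue ;;
        esac
        found=1
        # ldd: "libssl.so.1.0.0 => /path/libssl.so.1.0.0 (0x...)"; otool: "<tab>/path/lib.dylib (compat...)"
        case "$line" in
            *'=>'*) path=$(printf '%s\n' "$line" | sed 's/.*=> *//; s/ (.*//') ;;
            *)      path=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/ (.*//') ;;
        esac
        # the version is embedded in the file name: libcrypto.0.9.8.dylib, libssl.so.1.0.0, libssl.so.3
        base=${path##*/}
        version=$(printf '%s\n' "$base" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | sed 's/\.$//')
        [ -n "$version" ] || version=unknown
        case "$path" in
            'not found')                             origin=missing ;;
            /usr/lib/*|/lib/*|/lib64/*|/usr/lib64/*) origin=system ;;
            /opt/local/*)                            origin=macports ;;
            *)                                       origin=other ;;
        esac
        printf '%s %s %s\n' "$origin" "$version" "$path"
    done
    [ "$found" -eq 1 ] || echo static-or-none
}

# Wrapper for a real binary; the shibd path is an assumption for your install.
# Usage: openssl_origin /usr/sbin/shibd
openssl_origin() {
    if command -v otool >/dev/null 2>&1; then otool -L "$1"; else ldd "$1"; fi | classify_openssl_deps
}
```

On a Mavericks box built against the Apple libraries the first field comes back as `system` with version `0.9.8`; a MacPorts build reports `macports`.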