How to upgrade OpenSSL (macOS)

2 min readMay 10, 2016


Requesting and obtaining a certificate from a CA

Problem : OpenSSL Security Advisory [3rd May 2016] High severity
Solution : Update it :)

Mac OSX 10.11.4

Check version

$ openssl version -a

Backup old version

$ sudo mv /usr/bin/openssl /usr/bin/openssl-old

For 10.12.2 will get…(and maybe this should help)
mv: rename /usr/bin/openssl to /usr/bin/openssl-old: Operation not permitted

Or remove old version (skip this if you already backup)

$ sudo rm /usr/bin/openssl

Install Homebrew if you didn’t have

$ /usr/bin/ruby -e "$(curl -fsSL"

Or update if you already have

$ brew update && brew upgrade

Install OpenSSL with Homebrew

$ brew install openssl

Symbolic link

$ brew link --force openssl

[UPDATE] 2016/12/11

OpenSSL 1.0.2j, Homebrew 1.1.2, Mac 10.11.6

You’ll see…

Warning: Refusing to link: openssl
Linking keg-only openssl means you may end up linking against the insecure,
deprecated system OpenSSL while using the headers from Homebrew’s openssl.
Instead, pass the full include/library paths to your compiler e.g.:
-I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib

And yes we’re doom! But no worry we can manually link it with steps below.

1. Ensure it exist

$ ls -l /usr/local/opt/openssl

You should see (after $ brew install openssl)

lrwxr-xr-x 1 katopz admin 24 Sep 29 00:21 /usr/local/opt/openssl -> ../Cellar/openssl/1.0.2j

2. Link it

$ sudo ln -s /usr/local/Cellar/openssl/1.0.2j/bin/openssl /usr/bin/openssl

For 10.12.2 you will get…(and maybe this should help)
ln: /usr/bin/openssl: Operation not permitted

3. And maybe you’ll need this too

$ mkdir -p /usr/local/lib
$ ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/
$ ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/

Close Terminal and reopen then check version

$ openssl version -a

You should see…

OpenSSL 1.0.2j  26 Sep 2016built on: reproducible build, date unspecifiedplatform: darwin64-x86_64-ccoptions:  bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) idea(int) blowfish(idx)compiler: clang -I. -I.. -I../include  -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASMOPENSSLDIR: "/usr/local/etc/openssl"

Nice! We’re safe now until another incident appear tho.

And next time you can just…

$ brew update && brew upgrade

Happy OpenSSLing!