Marc

Reputation: 167

OpenSSL on Mac OS X for SHA-256 signature algorithm

I want to create a self-signed certificate (root CA) with OpenSSL. The signature algorithm needs to be an ECDSA signature with SHA-256 hash. On my Mac OS X (Yosemite), I have OpenSSL version 0.9.8zc (from Oct 15, 2014) installed. When I call openssl ciphers -v on the command line, it seems that my current OpenSSL version does not support SHA2 (with SHA-256 etc.).

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5 
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

The latest version of OpenSSL seems to be 1.0.2, but the source available at https://www.openssl.org/source/ does not seem to be compilable for OS X, since the file "Install.MacOS" says right at the beginning:

"Thanks to Roy Wood initial support for Mac OS (pre X) is now provided."

My try to install it nevertheless resulted in some errors on the command line.

Can anyone tell me if it is somehow possible to use the SHA-256 signature algorithm with an OpenSSL installation on Yosemite? It seems odd to me if this were not possible, but I am no expert in this field. Hoping for a good hint!

Upvotes: 2

Views: 10724

Answers (3)

Derrick J Wippler

Reputation: 323

On OSX El Capitan

  • Install homebrew (see http://brew.sh/index.html)
  • Install newest openssl version with command brew install openssl
  • Run /usr/local/opt/openssl/bin/openssl sha256

Brew now refuses to link openssl to /usr/local/bin even if you use the --force option, so you have to run openssl from the brew install location or link to it yourself.

Upvotes: 0

jww

Reputation: 102205

Can anyone tell me if it is somehow possible to use the SHA-256 signature algorithm with an OpenSSL installation on Yosemite?

Yes, but you need to install a more recent version of OpenSSL. OS X's 0.9.8 lacks elliptic curve support (among other things).


The latest version of OpenSSL seems to be 1.0.2, but the source available at https://www.openssl.org/source/ does not seem to be compilable for OS X, since the file "Install.MacOS" says right at the beginning:

"Thanks to Roy Wood initial support for Mac OS (pre X) is now provided."

Ignore that because it's wrong.

See the OpenSSL wiki on Compilation and Installation. The 30 second fly-by on 64-bit OS X:

export KERNEL_BITS=64
cd openssl
./config shared no-ssl2 no-ssl3 no-comp enable-ec_nistp_64_gcc_128 --openssldir=/usr/local
make all
sudo make install

Ignore the prompt about make depend since you don't need it.


Related: if you want to build a fat OpenSSL, then see this question: Build Multiarch OpenSSL on OS X. The short answer is, don't try because it won't work due to OpenSSL makefiles.

If you want a fat library, then perform the following steps:

# 64-bit pass (the OpenSSL build script is ./config, and the variable is KERNEL_BITS)
export KERNEL_BITS=64
./config ...
...

mv libcrypto.a libcrypto-x86_64.a 
mv libssl.a libssl-x86_64.a

# 32-bit pass from a clean tree
make clean && make dclean
export KERNEL_BITS=32
./config ...
...

mv libcrypto.a libcrypto-i386.a 
mv libssl.a libssl-i386.a

# merge both slices into universal archives
lipo -create libcrypto-x86_64.a libcrypto-i386.a -output libcrypto.a
lipo -create libssl-x86_64.a libssl-i386.a -output libssl.a

sudo make install

Lather, rinse and repeat for the dylibs before running make install. Note: i386 should not use enable-ec_nistp_64_gcc_128 (IIRC).


When you need to use OpenSSL in your programs, you will use /usr/local/ssl/include as a header path, and /usr/local/ssl/lib as a library path.

As a matter of fact, I don't use library paths because OS X's linker ignores your request for static linking. I use static linking to avoid LD_PRELOAD and DYLD_LIBRARY_PATH problems and tricks (like compiling against 1.0.2 in /usr/local/ssl, but loading 0.9.8 at runtime in /usr/lib). So my compile line looks something like:

gcc foo.c bar.c /usr/local/ssl/lib/libcrypto.a -o foobar.exe

An archive is a collection of object files (*.o), so you specify them just like any other object file.

Upvotes: 1

Marc

Reputation: 167

Finally found out how to do it:

  1. Install homebrew (see http://brew.sh/index.html) with command ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  2. Install newest openssl version with command brew install openssl
  3. Run brew link --force openssl in terminal, open a new one and run which openssl in it -> will show you /usr/local/bin/openssl
  4. Tada! Now if you run openssl version it will show OpenSSL 1.0.2 22 Jan 2015 (if you didn't run brew link --force openssl before it would have shown OpenSSL 0.9.8zc 15 Oct 2014)

:) (Found hints on Update OpenSSL on OS X with Homebrew; didn't know about homebrew before or that I needed it to get the up-to-date openssl running.)

Upvotes: 5
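Once a current OpenSSL is on PATH (via Homebrew or a source build as in the answers above), here is what the question actually set out to do, as an added example that is not part of the question or any answer: generate an ECDSA P-256 key, self-sign a root CA certificate over it with SHA-256, and read the signature algorithm back out of the certificate to prove it. It also shows the check to run instead of reading `openssl ciphers -v`, which only lists TLS cipher-suite MACs and says nothing about which digests or curves the library can use for X.509 signing. The file names (ca.key, ca.crt, ca.cnf), the subject "Example Root CA" and the inline config are assumptions of this example; the commands themselves are the standard `openssl ecparam`, `req`, `x509`, `ec`, `verify` and `dgst` subcommands available in 1.0.2 and later.

```shell
#!/bin/sh
# Added example (not from the question or any answer): build a self-signed
# ECDSA P-256 root CA signed with SHA-256 and verify what was produced.
# Assumes an OpenSSL >= 1.0.2 binary first on PATH; file names and the
# subject below are made up for the example.
set -eu

# Minimal req config written inline so the example does not depend on the
# system openssl.cnf. prompt=no makes the [dn] values the literal subject;
# v3_ca marks the certificate as a CA with the usual root-CA key usages.
write_req_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Generate a P-256 (prime256v1) private key and a 10-year self-signed
# certificate over it, explicitly asking for SHA-256 as the signature digest
# (do not rely on the version-dependent default digest of `req`).
make_ec_root_ca() {
  dir=$1
  write_req_config "$dir/ca.cnf"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  chmod 600 "$dir/ca.key"
  openssl req -new -x509 -sha256 -days 3650 \
    -config "$dir/ca.cnf" -key "$dir/ca.key" -out "$dir/ca.crt"
}

# Print the signature algorithm recorded in the certificate; the goal of the
# question is for this to read ecdsa-with-SHA256.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk '/Signature Algorithm:/ { print $3; exit }'
}

# Print the named curve the private key is on (prime256v1 == NIST P-256).
key_curve() {
  openssl ec -in "$1" -noout -text 2>/dev/null |
    awk '/ASN1 OID:/ { print $3; exit }'
}

# A root certificate must validate against itself as the trust anchor.
verify_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null
}

# The real capability probe: can this build hash with SHA-256 and does it
# know the P-256 curve? `openssl ciphers -v` does not answer either question.
supports_sha256_and_ec() {
  printf 'probe' | openssl dgst -sha256 >/dev/null 2>&1 &&
    openssl ecparam -list_curves 2>/dev/null | grep -q prime256v1
}

main() {
  work=$(mktemp -d)
  supports_sha256_and_ec ||
    { echo "openssl on PATH lacks SHA-256 or EC: $(openssl version)" >&2; exit 1; }
  make_ec_root_ca "$work"
  echo "openssl:   $(openssl version)"
  echo "key curve: $(key_curve "$work/ca.key")"
  echo "signature: $(cert_sig_alg "$work/ca.crt")"
  verify_self_signed "$work/ca.crt" && echo "verify:    OK"
}

main "$@"
```

If the `signature:` line comes back as anything other than ecdsa-with-SHA256, the `openssl` that ran is not the one you think it is; compare `which openssl` and `openssl version` with the Homebrew path from the answers above, because a stale /usr/bin/openssl 0.9.8 earlier on PATH is the usual cause.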
