Apple - How to upgrade OpenSSL in OS X?

For what it's worth, I just used homebrew (http://brew.sh/):

    brew update
    brew install openssl
    brew link --force openssl
    openssl version -a

If one of the bad versions comes up (1.0.1a-f), you can figure out which version of openssl you're using, this way:

    which openssl

Often this is from /usr/bin. To make sure you get the updated version, drop a symlink into /usr/local/bin to point to the updated openssl, like this:

    ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/local/bin/openssl

As an alternative to that final step, some people replace the openssl in /usr/bin with a symlink to /usr/local/Cellar/openssl/1.0.1g/bin/openssl (or whatever your version is):

    mv /usr/bin/openssl /usr/bin/openssl_OLD
    ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/bin/openssl

But this is known to cause problems with some more recent versions of OS X. Better to just insert a new symlink into /usr/local/bin, which should take precedence on your path over /usr/bin.
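
As an added example (not part of the answer above), this script lists every openssl on the PATH in lookup order and flags the bad 1.0.1 releases, so you can see whether the /usr/local/bin copy really wins over /usr/bin. The function names are made up here, and plain 1.0.1 is treated as bad along with 1.0.1a-f, since the lettered releases are patches on top of it.

```shell
#!/bin/sh
# Added example: audit every openssl binary reachable through PATH.

# classify_version "<output of 'openssl version'>"
# Prints "bad" for 1.0.1 and 1.0.1a-1.0.1f, "ok" for anything else.
classify_version() {
    # The version is the second field, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo bad ;;
        *)                echo ok ;;
    esac
}

# audit_path [colon-separated directory list, defaults to $PATH]
# Prints one tab-separated line per openssl found: status, path, version.
# Lines come out in search order, so the first line is the binary that
# `which openssl` reports and that a bare `openssl` command runs.
audit_path() {
    old_ifs=$IFS
    IFS=:
    for dir in ${1:-$PATH}; do
        IFS=$old_ifs
        bin="${dir:-.}/openssl"          # an empty PATH entry means "."
        [ -x "$bin" ] && [ ! -d "$bin" ] || continue
        line=$("$bin" version 2>/dev/null) || line="unknown"
        printf '%s\t%s\t(%s)\n' "$(classify_version "$line")" "$bin" "$line"
    done
    IFS=$old_ifs
}

audit_path
```

A "bad" entry on any line other than the first is shadowed for commands typed in this shell, but anything that calls that binary by its full path still runs it.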


Or, for those who are using MacPorts and are not worried about keeping the version:

    sudo port upgrade openssl

simples :-)


For resolving OCSP Status Request extension unbounded memory growth (CVE-2016-6304) on macOS Sierra using brew with System Integrity Protection enabled:

  1. Temporarily adjust permissions on /usr/local so brew can update:

    sudo chgrp -R admin /usr/local
    sudo chmod -R g+w /usr/local
    
  2. Install the updated version of OpenSSL (you probably want 1.0.2i):

    brew install openssl
    
  3. You may want/need to delete an existing symlink to openssl from /usr/local/bin:

    rm /usr/local/bin/openssl
    
  4. Re-link the proper brew version:

    sudo ln -s /usr/local/Cellar/openssl/1.0.2i/bin/openssl /usr/local/bin/openssl
    
  5. Restore original permissions on /usr/local/bin:

    sudo chown root:wheel /usr/local