Resolving OpenSSL version mismatch in OS X 10.5.8

johnnyrepp · September 22, 2009, 7:39pm

In a Rails app I have built, the Amazon Web Services Product Advertising
API is used to retrieve book information. Recently, AWS changed their
API and now requires that requests be signed with a SHA256 key. I’m in
the process of updating my code to reflect this change, but quickly ran
into a problem with mismatched versions of OpenSSL on my system.
Specifically, the AWS API requires a SHA256 key, but I believe the
version of OpenSSL I am running (0.9.7l) only provides for SHA1.

So I downloaded the latest stable release of OpenSSL (0.9.8k), compiled
it, and installed it at /usr/local/ssl.

I set my PATH to include this directory:

Macintosh-266:~ root# env
MANPATH=/usr/share/man:/usr/local/share/man:/usr/X11/man
TERM=xterm-color
SHELL=/bin/sh
USER=root
PATH=/usr/local/ssl:/usr/local/bin:/usr/local/sbin:/usr/local/mysql/bin:/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin
PWD=/var/root
SHLVL=1
HOME=/var/root
_=/usr/bin/env

I’m running Mac OS X 10.5.8. Leopard ships with OpenSSL installed at
/System/Library/OpenSSL, and this appears to be what is being included
by ruby when I “require ‘openssl’”:

Macintosh-266:~ Home$ openssl version -a
OpenSSL 0.9.7l 28 Sep 2006
built on: Tue Feb 10 19:04:40 PST 2009
platform: darwin-i386-cc
options: bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long)
blowfish(ptr)
compiler: cc -arch ppc -arch ppc64 -arch i386 -arch x86_64 -g -Os -pipe
-arch ppc -arch ppc64 -arch i386 -arch x86_64 -pipe -DOPENSSL_NO_IDEA
-DFAR=
OPENSSLDIR: “/System/Library/OpenSSL”

My installation of ruby (1.8.5) is running at /usr/local/lib/ruby.

Macintosh-266:~ root# irb
irb(main):001:0> require ‘openssl’
=> true
irb(main):002:0> OpenSSL::OPENSSL_VERSION
=> “OpenSSL 0.9.7i 14 Oct 2005”

In /usr/local/lib/ruby/1.8/openssl/digest.rb:

module OpenSSL
module Digest

alg = %w(DSS DSS1 MD2 MD4 MD5 MDC2 RIPEMD160 SHA SHA1)
if OPENSSL_VERSION_NUMBER > 0x00908000
  alg += %w(SHA224 SHA256 SHA384 SHA512)
end
...

end
end

So, as you can see, I need to be running OpenSSL > v.0.9.8 in order to
use SHA256 hashing.

I have been scouring the forums and google for about three hours and
cannot figure out how to make my ruby install use/load the newer version
of OpenSSL. If anyone can point me in the right direction, I would
greatly appreciate it.

Thank you very much for your help.
Cheers, JR

johnnyrepp · September 22, 2009, 7:49pm

After re-reading my post, I realized that when I’m requiring openssl in
Ruby, I’m actually getting an even older version (0.9.7i) than the one
installed at /System/Library/OpenSSL (which is 0.9.7l). I don’t even
know where that version is on my system, so the problem may be worse
than I thought. How can I determine where this version ‘lives’, and
then set Ruby to point to the newer version I’ve installed (0.9.8k)?

Johnny Rodgers wrote:

Macintosh-266:~ root# irb
irb(main):001:0> require ‘openssl’
=> true
irb(main):002:0> OpenSSL::OPENSSL_VERSION
=> “OpenSSL 0.9.7i 14 Oct 2005”

johnnyrepp · September 22, 2009, 10:38pm

On Sep 22, 2009, at 10:39 AM, Johnny Rodgers wrote:

USER=root

OPENSSLDIR: “/System/Library/OpenSSL”

So, as you can see, I need to be running OpenSSL > v.0.9.8 in order to
use SHA256 hashing.

I have been scouring the forums and google for about three hours and
cannot figure out how to make my ruby install use/load the newer
version
of OpenSSL. If anyone can point me in the right direction, I would
greatly appreciate it.

You’ll have to recompile ruby. You might consider just installing
ruby via macports. I think that would be the quickest path to success.

Aaron P.
http://tenderlovemaking.com

johnnyrepp · December 3, 2009, 1:27am

Just got a bump from another reader asking if I had resolved this issue,
so I decided to post my reply here for any future readers in the same
situation. Aaron’s suggestion above got me going in the right
direction: “You’ll have to recompile ruby.”

I followed the excellent instructions at

to do this, as I took this opportunity to upgrade my ruby dev setup for
Snow Leopard. To resolve my specific situation, I had to add the path
to my desired OpenSSL version into my PATH (Step 1 of the Hivelogic
instructions) before compiling the latest version of Ruby:

export
PATH=“/usr/local/bin:/usr/local/sbin:/usr/local/mysql/bin:/usr/local/ssl:$PATH”

Though in my case the path to my MySQL install was different because I
use MAMP. As an aside, for anyone upgrading to Snow Leopard and using
MAMP as their local web server, this solution resolved issues I ran into
with the MySQL gem:
http://boonedocks.net/mike/archives/175-MAMP-and-the-Ruby-MySQL-Gem.html

Thanks for the suggestion, Aaron. I now have a fresh compile of Ruby
running OpenSSL v.0.9.8k.

Aaron P. wrote:

On Sep 22, 2009, at 10:39 AM, Johnny Rodgers wrote:

USER=root

OPENSSLDIR: “/System/Library/OpenSSL”

So, as you can see, I need to be running OpenSSL > v.0.9.8 in order to
use SHA256 hashing.

I have been scouring the forums and google for about three hours and
cannot figure out how to make my ruby install use/load the newer
version
of OpenSSL. If anyone can point me in the right direction, I would
greatly appreciate it.

You’ll have to recompile ruby. You might consider just installing
ruby via macports. I think that would be the quickest path to success.

Aaron P.
http://tenderlovemaking.com