Installing Net::SSLeay with openssl from homebrew (OS X)

installing-net-ssleay-with-homebrew-openssl.md

Installing Net::SSLeay with openssl from homebrew (macOS)

You don't need to do anything fancy other than running cpanm - with the most recent Net::SSLeay things should Just Work.

Updated 2020-Mar-10

I realized that since Net::SSLeay is looking in known places (including homebrew's install locations) for openssl, it means that my instructions that set up environment variables are no longer necessary! The following will install the module:

# openssl 1.0.2d
cpanm --interactive --verbose Net::SSLeay

# openssl 1.1.1d - but tests fail; --force is needed
OPENSSL_PREFIX=/usr/local/opt/openssl@1.1 cpanm --interactive --verbose Net::SSLeay

Updated 2020-Mar-09

The original work I did in this gist was in 2015 - a different time! I was using Mac OS X 10.11, perl 5.22, and Net::SSLeay 1.72. I can't recall what OpenSSL version though. See below for the original writeup.

Now I'll update the instructions, using:

• macOS 10.15
• Net::SSLeay 1.88
• perl 5.30.1
• openssl 1.0.2d

I've noticed that this version of Net::SSLeay is now looking in some known places for OpenSSL, including where brew install openssl installs it. After running through the steps I did before (i.e., run perl Makefile.PL, and inspect the generated Makefile for the relevant options), here's the new cpanm command I generated. I didn't need to add any /usr/local/opt/openssl dirs to -I/-L options by hand - thank you to the Net::SSLeay devs! These are the commands I ran to install Net::SSLeay:

CONFIG_ARGS=$( tr '\n' ' ' <<EOF
INC="-I/usr/local/opt/openssl/include"
LDDLFLAGS="-mmacosx-version-min=10.15 -bundle -undefined dynamic_lookup -L/usr/local/opt/openssl -L/usr/local/opt/openssl/lib -L/usr/local/lib -fstack-protector-strong"
LDFLAGS="-mmacosx-version-min=10.15 -fstack-protector-strong -L/usr/local/opt/openssl -L/usr/local/opt/openssl/lib -L/usr/local/lib"
EOF
)
cpanm Net::SSLeay --configure-args "$CONFIG_ARGS" --interactive --verbose

If you get a build error like 'openssl/err.h' file not found you should check that you've installed openssl with brew install openssl first. brew list openssl should list all of the files of that formula if it is installed.

openssl 1.1

I also noticed that I had both openssl and openssl@1.1 brew formulas installed. Why not try the newer openssl? Repeating the steps to pull out the Makefile options after generating the file with OPENSSL_PREFIX=/usr/local/opt/openssl@1.1 perl Makefile.PL, I got:

CONFIG_ARGS=$( tr '\n' ' ' <<EOF
INC="-I/usr/local/opt/openssl@1.1/include"
LDDLFLAGS="-mmacosx-version-min=10.15 -bundle -undefined dynamic_lookup -L/usr/local/opt/openssl@1.1 -L/usr/local/opt/openssl@1.1/lib -L/usr/local/lib -fstack-protector-strong"
LDFLAGS="-mmacosx-version-min=10.15 -fstack-protector-strong -L/usr/local/opt/openssl@1.1"
EOF
)
cpanm Net::SSLeay --configure-args "$CONFIG_ARGS" --interactive --verbose

My installed openssl@1.1 version was 1.1.1d. Running the above mostly worked - some compiler warnings, plus one failed test t/external/15_altnames.t. Building against openssl 1.0.2d did not have these issues. Investigating the 15_altnames.t failure more closely showed that www.google.com would fail the test for getting subject alternate names, but not www.microsoft.com or www.kernel.org. So the test failure is probably not a big issue - add the --force option to cpanm to make it install with openssl@1.1 if that issue doesn't bother you.

Original writeup from Nov. 2015

Start with openssl from homebrew:

brew install openssl

And you get the message after installation:

This formula is keg-only, which means it was not symlinked into /usr/local.

Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries

Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:

    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include

There isn't much to do about the Apple deprecation of OpenSSL, I think we're stuck building Net::SSLeay against OpenSSL.

Most of the options and flags are from the generated Makefile, but passing extra options seems to clobber what perl Makefile.PL wants to put into the Makefile, so these are copied, and the extra -L/-I options pointing to the homebrew openssl are added.

Added --interactive so you can enable the on-line testing of the built Net::SSLeay.

Added --verbose because verbosity.

CONFIG_ARGS=$( cat <<_EOF_ | tr '\n' ' '
INC=-I/usr/local/opt/openssl/include
LDDLFLAGS="-bundle -undefined dynamic_lookup -fstack-protector-strong -L/usr/local/opt/openssl/lib"
LD="env MACOSX_DEPLOYMENT_TARGET=10.11 cc"
LDFLAGS="-fstack-protector-strong -L/usr/local/opt/openssl/lib"
_EOF_
)
cpanm Net::SSLeay --configure-args "$CONFIG_ARGS" --interactive --verbose

Excellent, this is exactly the problem I was seeing, and the solution works perfectly.

This worked for me as well.

Thanks for this excellent guide!
On Mac OS X 10.9 i had to remove the option -fstack-protector-strong as it's not supported in that platform's gcc version.

Thanks. Work for me.

Thank you. This worked perfectly for me with perlbrew on Sierra.

Works well for me. Allowed me to test email injection with swaks, TLSv1.2, and relevant ciphers, whereas I was limited to TLSv1 before.
OSX El Capitan 10.11.6

may the gods bless you 10 thousand consecutive times.

Can anyone help me with where to put the extra options into the Makefile? I don't have much knowledge with this stuff and I need to install Net::SSLeay as it is a dependency for a particular perl module.

The above doesn't work on os Catalina using perlbrew
The error:
Running Mkbootstrap for SSLeay ()
chmod 644 "SSLeay.bs"
"/Users/gideonbar/perl5/perlbrew/perls/perl-5.30.1/bin/perl" -MExtUtils::Command::MM -e 'cp_nonempty' -- SSLeay.bs blib/arch/auto/Net/SSLeay/SSLeay.bs 644
"/Users/gideonbar/perl5/perlbrew/perls/perl-5.30.1/bin/perl" "/Users/gideonbar/perl5/perlbrew/perls/perl-5.30.1/lib/5.30.1/ExtUtils/xsubpp" -typemap '/Users/gideonbar/perl5/perlbrew/perls/perl-5.30.1/lib/5.30.1/ExtUtils/typemap' -typemap '/Users/gideonbar/.cpanm/work/1583248209.93673/Net-SSLeay-1.88/typemap' SSLeay.xs > SSLeay.xsc
mv SSLeay.xsc SSLeay.c
cc -c -I/usr/local/opt/openssl/include -fno-common -DPERL_DARWIN -mmacosx-version-min=10.15 -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -DPERL_USE_SAFE_PUTENV -O3 -DVERSION="1.88" -DXS_VERSION="1.88" "-I/Users/gideonbar/perl5/perlbrew/perls/perl-5.30.1/lib/5.30.1/darwin-2level/CORE" SSLeay.c
SSLeay.xs:163:10: fatal error: 'openssl/err.h' file not found
#include <openssl/err.h>

@hamshif I've updated the gist with instructions for Catalina - it sounds like you are missing openssl which is required for building Net::SSLeay.

this worked on macos catalina
OPENSSL_PREFIX=/usr/local/opt/openssl@1.1 cpanm --interactive --verbose --force Net::SSLeay

somehow I “fixed” that by deleting ~/.cpan, ~/.cpanm, ~/perl5 and reinstalling system cpanm as a local cpanm

thanks for
OPENSSL_PREFIX=/usr/local/opt/openssl@1.1 cpanm --interactive --verbose Net::SSLeay

Nice one!

If you installed openssl with brew without powers to install system-wide, you have to find your brew Cellar to link to instead, e.g.

$HOME/homebrew/Cellar/openssl\@1.1/1.1.1i/

Then you can modify the CONFIG_ARGS shown above. Obviously the Perl library relies on you not upgrading your openssl out from under it!

I had to use this in Monterey following what @nerdstrike suggested:
/opt/homebrew/Cellar/openssl@1.1/1.1.1l_1/

as discussed there you want to add these symlinks once having installed openssl from brew

sudo ln -s /opt/homebrew/opt/openssl@1.1/lib/libssl.1.1.dylib /usr/local/lib/libssl.dylib
sudo ln -s /opt/homebrew/opt/openssl@1.1/lib/libcrypto.1.1.dylib /usr/local/lib/libcrypto.dylib
OPENSSL_PREFIX=/opt/homebrew/opt/openssl@1.1 cpanm Net::SSLeay