the usual
inconsistent at best
OpenSSL, OS X "El Capitan" and Brew

Apple removed the OpenSSL header files in “El Capitan”, making it hard to build OpenSSL-dependent libraries without modifying your system a little bit.

Fortunately we have Homebrew; if you don’t have it yet, go ahead and install it now. I’ll wait here.

Ready? Now, repeat after me:

$ brew doctor (now fix anything that it tells you to fix)
$ brew update
$ brew upgrade

We’re just warming up with all that; it’s good to stay current with things like OpenSSL, which tends to go stale fast. Now let’s install it:

$ brew install openssl

And now we’ll link it into our public area so you don’t have to figure out the magic environment variable to set while building your favorite OpenSSL-backed library:

$ cd /usr/local/include
$ ln -s ../opt/openssl/include/openssl .

If you use the openssl utility, prepend /usr/local/opt/openssl/bin to your $PATH environment variable.

All done! Now you have an OpenSSL installed that you can build against easily and will stay up to date as often as you run brew update and brew upgrade.

Update: 13 June 2017

I have found in some cases that the library path must also be amended. I haven’t figured this one out yet in the general case, but this always works, even though it’s a mess:

$ cd /usr/local/lib
$ $ for i in ../opt/openssl/lib/lib*; do ln -vs $i .; done
./libcrypto.1.0.0.dylib -> ../opt/openssl/lib/libcrypto.1.0.0.dylib
./libcrypto.a -> ../opt/openssl/lib/libcrypto.a
./libcrypto.dylib -> ../opt/openssl/lib/libcrypto.dylib
./libssl.1.0.0.dylib -> ../opt/openssl/lib/libssl.1.0.0.dylib
./libssl.a -> ../opt/openssl/lib/libssl.a
./libssl.dylib -> ../opt/openssl/lib/libssl.dylib

This creates links to libcrypto and libssl so that linker instructions (-lssl and -lcrypto) can find these libraries without having to add a -L/usr/local/opt/openssl/include, which for recursive builds is language and package dependent. Your input is welcome!

Update: 26 August 2017

An alert reader points out that brew advises against creating links:

$ brew link openssl --force
Warning: Refusing to link: openssl Linking keg-only openssl means you may end up linking against the insecure, deprecated system OpenSSL while using the headers from Homebrew's openssl. Instead, pass the full include/library paths to your compiler e.g.: -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib"

This is good advice. Unfortunately not all software allows you to pass in these options.

I recognize this is the canonical way (along with a variety of environment variables—I’ve been building C libraries since the 90s) but for the cases where this is not possible, I wrote this tutorial.

Last modified on 2015-12-08