For Mac: use homebrew's openssl

drwetter · drwetter · commit 1f9aa8008dc4 · 2025-07-10T13:19:46.000+02:00
... so that we have a comparison between OpenSSL and LibreSSL. Otherwise this test would be completely futile for MacOS. Also change the displayed text. See #2832 (which was for 3.2)
diff --git a/t/12_diff_opensslversions.t b/t/12_diff_opensslversions.t
@@ -20,6 +20,8 @@ my $uri="google.com";
 my $diff="";
 my $distro_openssl="/usr/bin/openssl";
 my @args="";
+# that can be done better but I am a perl n00b ;-)
+my $os=`perl -e 'print "$^O";'`;
 
 die "Unable to open $prg" unless -f $prg;
 die "Unable to open $distro_openssl" unless -f $distro_openssl;
@@ -29,13 +31,35 @@ unlink $csvfile;
 unlink $csvfile2;
 
 #1 run
-printf "\n%s\n", "Diff test IPv4 with supplied openssl against \"$uri\"";
-@args="$prg $check2run $csvfile $uri >/dev/null";
+if ( $os eq "linux" ){
+     # Comparison ~/bin/openssl.Linux.x86_64
+     printf "\n%s\n", "Test with supplied openssl against \"$uri\" and save it";
+     @args="$prg $check2run $csvfile $uri >/dev/null";
+} elsif ( $os eq "darwin" ){
+     # MacOS silicon doesn't have ~/bin/openssl.Darwin.arm64 binary so we use the
+     # homebrew version which was moved to /opt/homebrew/bin/openssl.NOPE in
+     # .github/workflows/unit_tests_macos.yml . This gives us instead a comparison
+     # check from OpenSSL
+     # If this will be run outside GH actions, i.e. locally, we provide a fallback to
+     # /opt/homebrew/bin/openssl or just leave this thing
+     if ( -x "/opt/homebrew/bin/openssl.NOPE" ) {
+          printf "\n%s\n", "Test with homebrew's openssl 3.5.x against \"$uri\" and save it";
+          @args="$prg $check2run $csvfile --openssl /opt/homebrew/bin/openssl.NOPE $uri >/dev/null";
+     }
+     elsif ( -x "/opt/homebrew/bin/openssl" ) {
+          printf "\n%s\n", "Test with homebrew's openssl 3.5.x against \"$uri\" and save it";
+          @args="$prg $check2run $csvfile --openssl /opt/homebrew/bin/openssl $uri >/dev/null";
+     }
+     else {
+          die ("No alternative version to LibreSSL found");
+     }
+}
 system("@args") == 0
      or die ("FAILED: \"@args\"");
 
-# 2
-printf "\n%s\n", "Diff test IPv4 with $distro_openssl against \"$uri\"";
+
+# 2 (LibreSSL in case of MacOS, /usr/bin/openssl for Linux)
+printf "\n%s\n", "Test with $distro_openssl against \"$uri\" and save it";
 @args="$prg $check2run $csvfile2 --openssl=$distro_openssl $uri >/dev/null";
 system("@args") == 0
      or die ("FAILED: \"@args\" ");
@@ -67,6 +91,21 @@ $cat_csvfile2 =~ s/.nonce-.* //g;
 $cat_csvfile  =~ s/","google.com\/.*","443/","google.com","443/g;
 $cat_csvfile2 =~ s/","google.com\/.*","443/","google.com","443/g;
 
+
+if ( $os eq "darwin" ){
+     # Now address the differences for LibreSSL, see t/61_diff_testsslsh.t
+     #
+     # MacOS / LibreSSL has different OpenSSL names for TLS 1.3 ciphers. That should be rather solved in
+     # testssl.sh, see #2763. But for now we do this here.
+     $cat_csvfile2  =~ s/AEAD-AES128-GCM-SHA256/TLS_AES_128_GCM_SHA256/g;
+     $cat_csvfile2  =~ s/AEAD-AES256-GCM-SHA384/TLS_AES_256_GCM_SHA384/g;
+     # this is a bit ugly but otherwise the line cipher-tls1_3_x1303 with the CHACHA20 cipher misses a space
+     $cat_csvfile2  =~ s/x1303   AEAD-CHACHA20-POLY1305-SHA256/x1303   TLS_CHACHA20_POLY1305_SHA256 /g;
+     # now the other lines, where we don't need to insert the additional space:
+     $cat_csvfile2  =~ s/AEAD-CHACHA20-POLY1305-SHA256/TLS_CHACHA20_POLY1305_SHA256/g;
+     # we changed above the ECDH bit length already
+}
+
 $diff = diff \$cat_csvfile, \$cat_csvfile2;
 
 # Compare the differences -- and print them if there were any
