Andrew Madsen

Follow @armadsen on Micro.blog.

Building OpenSSL for ARM/Apple silicon Macs

I tend to shy away from dependencies when possible. But my app, Aether, has an unavoidable dependency on tqsllib, which in turn depends on OpenSSL. Originally, OpenSSL shipped with macOS, so using it was no big deal. Apple deprecated it years ago (for very good reasons) and recommends building it yourself from up-to-date source if you need it. So, I do just that.

Normally, building OpenSSL is pretty straightforward. Download the source, run:

./configure darwin64-x86_64-cc
make
make install

and you’re done.

As of right now (June 22, 2020), if you want to build it for Apple’s newly announced Macs with "Apple silicon” (aka ARM), it doesn’t work out of the box. I managed to get it to build and thought I’d share what I did. I did this on an Intel Mac running the Xcode 12.0 for macOS Universal Apps beta, but I believe these instructions should work without changes on an ARM Mac as well.  Disclaimer: This is a bit of a hack job. I expect that the OpenSSL project will add official support fairly quickly so this stuff won’t be necessary. I may try to submit a patch, but I’m not confident enough of the details here to say that it’s the best way to do things or without any lurking issues. So, as always, use this at your own risk! I’m not an SSL expert, a security expert, nor a build system expert.

Here’s how I built OpenSSL for ARM Macs:

1. Install "Xcode 12 for macOS Universal Apps beta"

2. Switch to using the beta for command line tools using:

sudo xcode-select -s /Applications/Xcode-beta.app

3. Download the OpenSSL source code:

git clone git://git.openssl.org/openssl.git

4. Switch to the openssl directory:

cd openssl

Optional 4b. I need OpenSSL 1.1.1, so I switched to that branch:

git switch OpenSSL_1_1_1-stable

5. Open the file Configurations/10-main.conf in your favorite text editor:

bbedit Configurations/10-main.conf

6. OpenSSL uses its own configuration system, and it uses this to configure certain things when building for a particular target. Most importantly, we need to specify the correct architecture (arm64) for Apple silicon/ARM Macs. To do this, find the section where the configuration for darwin64-x86_64-cc is defined. It’s line 1552 as I write this. Add the following new configuration for ARM Macs under it:

"darwin64-arm64-cc" => {
inherit_from => [ "darwin-common", asm("aarch64_asm") ],
CFLAGS => add("-Wall"),
cflags => add("-arch arm64"),
lib_cppflags => add("-DL_ENDIAN"),
bn_ops => "SIXTY_FOUR_BIT_LONG",
perlasm_scheme => "macosx",
},

7. Build for ARM by running the configure script, followed by make and make install. This will build for arm64, and place the results in /tmp/openssl-arm

./Configure darwin64-arm64-cc --prefix="/tmp/openssl-arm" no-asm
make
make install

The no-asm option tells the build system to avoid using assembly language routines, instead falling back to C routines. This prevents errors during build on ARM. The same option is not necessary for the x86 build. I’m sure there’s a way to fix building the ASM routines for arm64 (they build fine for iOS), but it’s beyond me right now.

8. Build for x86_64 by running the build steps again again like so:

./Configure darwin64-x86_64-cc --prefix="/tmp/openssl-x86"
make
make install

9. Lipo the results together to create a single, universal static library:

lipo /tmp/openssl-arm/lib/libssl.a /tmp/openssl-x86/lib/libssl.a -create -output libopenssl/lib/libssl.a
lipo /tmp/openssl-arm/lib/libcrypto.a /tmp/openssl-x86/lib/libcrypto.a -create -output libopenssl/lib/libcrypto.a

10. You’ll also need the headers. I just copy them like so:

cp /tmp/openssl-arm/include/openssl/* include/openssl/

11. If everything worked, you’ll now have static library binaries for libcrypto and libssl in lib/, along with headers in include/openssl/