This repository has been archived by the owner on Jan 10, 2021. It is now read-only.

Remove OpenSSL dependency for >= 3.0.5 #15

Open
ronaldtse opened this issue Dec 17, 2018 · 7 comments

@ronaldtse

easy-rsa >= 3.0.5 now supports LibreSSL, so the OpenSSL dependency is no longer necessary.

@jjr840430 could you help here? Thanks!

@jjr840430

@ronaldtse sure, I will try to check.

@sovcharenko

Please have a look at #16

@ChrisBaker97

So #16 seems to have addressed this, but I wanted to open a discussion.

According to the Homebrew Formula Cookbook,

> We generally try not to duplicate system libraries and complicated tools in core Homebrew but we do duplicate some commonly used tools.
>
> Special exceptions are OpenSSL and LibreSSL. Things that use either should be built using Homebrew’s shipped equivalent and our Brew Test Bot’s post-install audit will warn if it detects you haven’t done this.

If I'm reading that correctly, they're saying that Homebrew's keg-only installs of OpenSSL and LibreSSL should be used over system versions. So either one or the other should still be listed as a requirement. I would guess that Homebrew would prefer the package to use one or the other, since they've moved away from options. If indeed LibreSSL is ~18 times slower than OpenSSL (as indicated in the PR), it sounds like OpenSSL would be the obvious choice for the formula. (Also, I don't have LibreSSL as part of my stock macOS 10.14 install, so I think one of these still needs to be listed as a dependency.)

On a related note, are you guys at all interested in having this merged into Homebrew/homebrew-core? Looks like someone tried a couple of years ago, but got a bit bogged down in the minutiae. I think it's a really good package to get in there, and would be happy to organize it to the point where they'll merge it.

@ChrisBaker97

Although... The git formula has a stanza:

```ruby
if MacOS.version < :yosemite
  depends_on "openssl"
  depends_on "curl"
end
```

which might lead one to conclude that system OpenSSL is okay with Homebrew now? Which I guess means that the current easy-rsa formula is okay as written, not because LibreSSL is allowed (since it's not present in macOS by default), but rather because the system OpenSSL is sufficient?

@sovcharenko

sovcharenko commented Mar 15, 2019

> but rather because the system OpenSSL is sufficient

Yes, that was my thinking behind it, as well as my history with openssl: I had to fight a few issues with openssl. (As far as I remember, those issues were related to different formulas using different versions of openssl.) So I thought it might be a good idea to replace openssl with libressl, as easy-rsa announced full support of it.

@sovcharenko

sovcharenko commented Mar 15, 2019

I think there is some confusion. LibreSSL is integrated into Mac OS. Apple substituted openssl with libressl some time ago. libressl is considered to be more stable and secure compared to openssl.

@ChrisBaker97

ChrisBaker97 commented Mar 16, 2019

> LibreSSL is integrated into Mac OS

Hah, you are correct. The extent of my investigation was `type libressl`, but I see now that `openssl version` yields `LibreSSL 2.6.5`, in Mojave at least. I am seeing indications online that this may only be for Mojave and later, though, so perhaps we still need a conditional block requiring OpenSSL for High Sierra and earlier? (Although I am finding other references that it may be in 10.13.5 or earlier...)

Also, what are your thoughts on having OpenSSL in there for Mojave and later as either an `:optional` (requires `--with-openssl` to install) or `:recommended` (requires `--without-openssl` to avoid installing) dependency, since you did seem to discover that it's a lot faster than LibreSSL?
