Apple - How "official" is libressl support in High Sierra?

MacOS provided openssl-0.9.8 (when the world was using 1.0.2, and contemplating 1.1 and 1.1.1) until the High Sierra release. Now in MacOS 10.13.5 it's libressl-2.2.7, while the current libressl is 2.7.4.

It looks like MacOS-provided LibreSSL does not come with any engines, and it is unclear whether it's possible to even add an engine to it. That means no openssl using keys on hardware tokens accessible via PKCS#11, no hardware RNG accessible via PKCS#11 or RDRAND, etc. UPDATE: It also doesn't seem to have the include files required to compile your applications. So it seems that you cannot build your software against MacOS LibreSSL even if you wanted to (well, you might be able to by downloading LibreSSL-2.2.7 yourself, etc., but I'm very sure it isn't worth the hassle).

Since I don't want to write code that runs only on Mac, I can't afford to get stuck with Apple Secure Transport or such.

Therefore my personal recommendation would be to install and work with a "real" openssl, installing it via Macports (as I did for the "production" stuff on my systems) or Brew. In that case, the package maintainers would track the updates and security fixes for you, while you maintain compatibility with your Linux code with minimal effort.
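The checks the answer above describes (what the `openssl` on PATH really is, whether a prefix ships the headers you need to compile, whether any engines are present) can be scripted. The following is an added example, not part of the answer or of any Apple or LibreSSL tooling; the candidate prefixes (/usr for the system copy, /opt/local for MacPorts, /usr/local/opt/openssl and /opt/homebrew/opt/openssl for Homebrew on Intel and Apple silicon) are assumptions you may need to adjust.

```shell
#!/bin/sh
# Added example (not from the original answer): probe the TLS toolchain on a
# macOS-style box. Apple ships LibreSSL under the name "openssl" and without
# headers, so a build that "just uses openssl" needs to know which one it got.

# classify_openssl_version VERSION_LINE
#   Map the first line of `openssl version` to a flavour name.
#   Example lines: "LibreSSL 2.2.7", "OpenSSL 1.0.2o  27 Mar 2018".
classify_openssl_version() {
    case "$1" in
        LibreSSL*) echo libressl ;;
        OpenSSL*)  echo openssl ;;
        *)         echo unknown ;;
    esac
}

# openssl_version_number VERSION_LINE
#   Print only the numeric part, e.g. "2.2.7".
openssl_version_number() {
    set -- $1
    echo "$2"
}

# has_openssl_headers PREFIX
#   True if PREFIX/include/openssl/ssl.h exists. On High Sierra /usr has no
#   such file, which is the quick proof that you cannot build against the
#   system LibreSSL.
has_openssl_headers() {
    [ -f "$1/include/openssl/ssl.h" ]
}

# pick_openssl_prefix PREFIX...
#   Print the first prefix that ships headers; fail if none does.
pick_openssl_prefix() {
    for p in "$@"; do
        if has_openssl_headers "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# engine_count
#   Number of ENGINE implementations `openssl engine` lists (one "(name)"
#   line each). The stock macOS LibreSSL reports none.
engine_count() {
    openssl engine 2>/dev/null | grep -c '^(' || true
}

# report
#   Summarise the machine this runs on. Prefixes are assumptions (Apple,
#   MacPorts, Homebrew Intel, Homebrew Apple silicon).
report() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl on PATH"
        return 0
    fi
    line=$(openssl version 2>/dev/null | head -n 1)
    echo "flavour: $(classify_openssl_version "$line")"
    echo "version: $(openssl_version_number "$line")"
    echo "engines: $(engine_count)"
    if prefix=$(pick_openssl_prefix /usr /opt/local /usr/local/opt/openssl /opt/homebrew/opt/openssl); then
        echo "build against: $prefix (CPPFLAGS=-I$prefix/include LDFLAGS=-L$prefix/lib)"
    else
        echo "no usable headers found; install openssl via MacPorts or Homebrew"
    fi
}

report
```

On a High Sierra machine with nothing else installed the report shows flavour `libressl`, version `2.2.7`, zero engines and no usable prefix; after `port install openssl` or `brew install openssl` the last line points at that prefix, which is what you pass to your build.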


To answer the question asked:

How “official” is libreSSL support in High Sierra?

There is no official support. Apple makes available all Open Source code that it uses in macOS/OS X. From the latest version of High Sierra (10.13.3) all the way back to Lion 10.7.0, there is no mention of libreSSL.

This is not to say that it will not work if you choose to install the libraries. It's that they don't officially use the code in macOS. If you do get it working and something breaks when you upgrade macOS, it will be up to you to fix it.

Apple has deprecated* OpenSSL and instead is utilizing Common Crypto, something Apple develops.


*Deprecated as in no longer developed but not removed. OpenSSL is still included for backward compatibility, but developers are notified that there is no further development and should begin to move to the newer technology.


The only officially supported TLS library on macOS is Apple Secure Transport:

Secure Transport

Secure network communication using standardized transport layer security mechanisms.

The Security.SecureTransport API gives you access to Apple's implementation of Secure Sockets Layer version 3.0 (SSLv3), Transport Layer Security (TLS) versions 1.0 through 1.2, and Datagram Transport Layer Security (DTLS) version 1.0.

This means that LibreSSL is NOT supported by Apple for use as a TLS library in your application.

This means that as a responsible developer, you should either:

a) Use Apple Secure Transport

b) Statically link with a library, such as LibreSSL, you support yourself

or

c) Dynamically link with a library, such as LibreSSL, that you clearly indicate to the user that he needs to support himself through, for example, Homebrew
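Options (b) and (c) above differ in what ends up in the binary, and the thing that actually goes wrong in practice is a build that silently resolves `-lssl` to Apple's /usr/lib copy instead of the one you installed. The following is an added example, not part of the answer or of any Apple, Homebrew or LibreSSL tooling: it emits the flags for a static and a dynamic build against a chosen prefix and checks `otool -L` output for which libssl/libcrypto a Mach-O binary will load. The prefix /usr/local/opt/openssl, the program name `app`, and the two sample `otool -L` outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): build flags for the two
# self-supported options and a check of what a built binary really links.

# static_link_flags PREFIX
#   Option (b): link the archives by path so the binary carries its own copy
#   of libssl/libcrypto and never consults /usr/lib for them at run time.
static_link_flags() {
    printf '%s\n' "-I$1/include $1/lib/libssl.a $1/lib/libcrypto.a"
}

# dynamic_link_flags PREFIX
#   Option (c): headers and libraries from PREFIX, which the user has to keep
#   installed (for example via Homebrew or MacPorts).
dynamic_link_flags() {
    printf '%s\n' "-I$1/include -L$1/lib -lssl -lcrypto"
}

# ssl_libs_from_otool OTOOL_OUTPUT
#   From `otool -L app` output, print the path of every libssl/libcrypto the
#   dynamic loader will resolve, one per line.
ssl_libs_from_otool() {
    printf '%s\n' "$1" | awk '/lib(ssl|crypto)[^ ]*\.dylib/ { print $1 }'
}

# links_system_ssl OTOOL_OUTPUT
#   True if any resolved libssl/libcrypto lives in Apple's /usr/lib, i.e. the
#   build picked up the unsupported system library.
links_system_ssl() {
    ssl_libs_from_otool "$1" | grep -q '^/usr/lib/'
}

# check_app APP
#   Real-machine use: needs otool (Xcode command line tools). Prints the
#   resolved libssl/libcrypto paths and fails if one of them is Apple's.
check_app() {
    out=$(otool -L "$1") || return 2
    ssl_libs_from_otool "$out"
    if links_system_ssl "$out"; then
        echo "WARNING: $1 links /usr/lib libssl/libcrypto" >&2
        return 1
    fi
}

# Constructed `otool -L` output (not captured from a real machine) for an
# imagined "app" built the wrong way and the right way. Version strings are
# placeholders.
SAMPLE_SYSTEM='app:
    /usr/lib/libssl.35.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libcrypto.35.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1.0.0)'
SAMPLE_BREW='app:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1.0.0)'

prefix=${OPENSSL_PREFIX:-/usr/local/opt/openssl}   # assumed Homebrew (Intel) layout
echo "static:  cc app.c $(static_link_flags "$prefix")"
echo "dynamic: cc app.c $(dynamic_link_flags "$prefix")"
if links_system_ssl "$SAMPLE_SYSTEM"; then echo "sample 1: links the system library"; fi
if ! links_system_ssl "$SAMPLE_BREW"; then echo "sample 2: links $prefix"; fi
```

For a real build, run `check_app ./app` after linking; if it warns, the `-L` path did not win over /usr/lib, and the fix is either the static flags or an rpath/`-L` that points at the installed prefix.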