Curl and http/2 on Mac (haxx.se)
105 points by okket on July 31, 2016 | hide | past | favorite | 20 comments


Chrome disabled H2 over NPN a bit over a month ago, which led to many sites going back to H1.1 because most Linux distributions don't have an ALPN OpenSSL pkg (nginx is very easily static compiled with the latest OpenSSL src btw, no config needed). Secure Transport doesn't seem to have ever supported it either. It seems Apple has really been slacking in the past few years IMO. I'm sure they'll get around to ALPN eventually.


And I don't think I'm quite some ignorant hater[0], but they have been annoying lately, especially with iOS Safari.

[0] https://i.imgur.com/cg4DBUT.jpg

Edit: Apple is excellent with their hardware. That iPhone 4 was still charging with the plug like that..


For those who came here looking for the actual brew commands:

    brew install curl --with-nghttp2 --with-openssl
    brew link curl --force
You can also use --with-libressl instead of --with-openssl if you prefer LibreSSL.
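An added example, not from this thread or from the curl project: after `brew link curl --force`, the practical check is whether the `curl` now on your PATH reports `HTTP2` in its `Features:` line and which TLS backend it was built against, since a `SecureTransport` build will not negotiate HTTP/2 regardless of flags. The two `curl -V` outputs below are constructed samples modelled on the real format, not captured from any machine; run the script with `--live` to inspect the curl actually installed.

```shell
#!/bin/sh
# Added example: parse `curl -V` output to decide whether this curl can speak HTTP/2.
# Not code from the thread; version strings below are constructed samples.

# curl_has_feature FEATURE VERSION_OUTPUT
# Returns 0 when FEATURE appears on the "Features:" line of the given `curl -V` text.
curl_has_feature() {
    feature="$1"
    output="$2"
    printf '%s\n' "$output" | awk -v f="$feature" '
        /^Features:/ {
            for (i = 2; i <= NF; i++) if ($i == f) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# curl_tls_backend VERSION_OUTPUT
# Prints the TLS library token from the first line (e.g. OpenSSL/1.0.2h or SecureTransport).
curl_tls_backend() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(OpenSSL|LibreSSL|SecureTransport|BoringSSL)/) { print $i; exit }
    }'
}

# Constructed sample outputs (not real captures), shaped like `curl -V` on macOS:
# one for the curl Apple ships (Secure Transport, no HTTP2), one for a brew build.
APPLE_CURL='curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets'

BREW_CURL='curl 7.50.1 (x86_64-apple-darwin15.6.0) libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.5 nghttp2/1.13.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets'

# check_curl VERSION_OUTPUT
# Prints a one-line verdict; returns 0 only when HTTP2 is listed.
check_curl() {
    out="$1"
    backend=$(curl_tls_backend "$out")
    if curl_has_feature HTTP2 "$out"; then
        echo "HTTP/2: yes (TLS backend: ${backend:-unknown})"
        return 0
    fi
    echo "HTTP/2: no (TLS backend: ${backend:-unknown}); rebuild curl with nghttp2 and an ALPN-capable TLS library"
    return 1
}

# With --live, inspect the curl on PATH instead of the constructed samples.
if [ "${1:-}" = "--live" ] && command -v curl >/dev/null 2>&1; then
    check_curl "$(curl -V)"
else
    check_curl "$APPLE_CURL"
    check_curl "$BREW_CURL"
fi
```

The `Features:` check is the reliable signal; the first line only tells you which TLS library was linked, which matters because HTTP/2 over TLS needs ALPN, and the thread's point is that Secure Transport does not provide it.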


Or for macports: `port install curl +http2`


Why might I prefer LibreSSL?


It's less bloated


How does bloat affect the end user?

I'd focus instead on how several more recent vulnerabilities with OpenSSL have not affected LibreSSL, and the code quality being improved with LibreSSL, hopefully resulting in fewer vulnerabilities in the future.


Tools like curl being available is one of the reasons I fell in love with development on Mac. I hope Apple takes note and ships curl (and other coreutils for that matter) in a way that continues to be developer friendly.


Note that all GNU tools on Mac OS are the last GPLv2 versions. Their version of bash, for example, was ten years old the last time I checked. In contrast, most GNU/Linux distributions do provide up-to-date tools out of the box.

In addition, Apple makes it difficult to modify or upgrade installed software, even when it is vulnerable. The default installation of git in OS X once had a remote code execution vulnerability that could not be patched by users: http://rachelbythebay.com/w/2016/04/17/unprotected/


On macOS since 10.11, there is `nscurl`, which is a curl-like on NSURLSession where HTTP/2 is available.


Interesting. It doesn't have a man page, the help output gives no background info and there's very little information online. I'm curious to find out more about this tool.


    nscurl -h 
gives some useful info


Any reason you're not using homebrew or another package manager to have the latest version of curl built against whatever SSL library you want?


While installing a new version of curl via homebrew is great, I think that this is just sidestepping a bigger issue.

Take vim for instance. The reason why I know vi is because it's everywhere. I know full well that any unix machine I log into will have it available to me if I need to edit a file. Now imagine that OSX released a new file structure, and the native vi installation couldn't read those files. Yea I could install a newer version of vi, but it means that I can't use any mac to fix something if I really need to. It means there's an inconsistency in the very basic command line functionality that I trust and rely on to be there.

Things like curl, vi, sed, etc are my fallback tools. If my reserve chute doesn't work, problems will arise at some point.


>Take vim for instance. The reason why I know vi is because it's everywhere. I know full well that any unix machine I log into will have it available to me if I need to edit a file. Now imagine that OSX released a new file structure, and the native vi installation couldn't read those files. Yea I could install a newer version of vi, but it means that I can't use any mac to fix something if I really need to.

So? Macs are used as personal machines, not interchangeable accounts on servers.


Many people do use them as interchangeable machines. And even if yours is personal, there is value in a coworker being able to show you e.g. what change to make to a config file.


>Many people do use them as interchangeable machines.

For small values of "many".


Another thing Secure Transport can't do is create a SecIdentityRef from an arbitrary cert and key pair, e.g. supplied as cURL command line arguments. This means you can't use client SSL certs with cURL on macOS or iOS unless you add the private key to the keychain, which you might not want to do. Or you can convert your x.509 cert and private key to a PKCS#12 archive because there is a public API for importing that ¯\_(ツ)_/¯. You'll need OpenSSL to do the conversion though, because there isn't an Apple API for it, d'oh!

The decision to drop OpenSSL for Secure Transport IMO was not the best given its lacking (public) API.


curl on mac can't handle certain client certs, it requires them in PKCS12 (pfx) because of SecureTransport. A bit of a hassle at times.
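An added example covering the two comments above about client certs on the Secure Transport build of curl; it is not code from either commenter or from the curl project. It assumes an `openssl` binary is on PATH (the thread's point is that Apple provides no API for this step) and that the resulting `.p12` file will be handed to curl with `--cert client.p12:password --cert-type P12`. The self-signed identity helper exists only so the flow can be exercised end to end on a throwaway key; with a real client cert you already have the PEM pair and only need `pem_to_p12`.

```shell
#!/bin/sh
# Added example: bundle a PEM certificate and private key into a PKCS#12 archive
# for the Secure Transport build of curl. Requires the openssl CLI; not part of the thread.

# make_self_signed_identity DIR CN
# Writes DIR/key.pem and DIR/cert.pem for a throwaway client identity (test use only).
make_self_signed_identity() {
    dir="$1"
    cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$cn" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# pem_to_p12 CERT.pem KEY.pem OUT.p12 PASSWORD
# -export builds the archive; the password encrypts the private key inside it,
# so the key never has to be added to the keychain.
pem_to_p12() {
    cert="$1"
    key="$2"
    out="$3"
    pass="$4"
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout "pass:$pass"
}

# p12_has_subject_cn FILE.p12 PASSWORD CN
# Returns 0 when the client certificate inside the archive carries the given CN.
# Accepts both "CN=x" (OpenSSL 1.0) and "CN = x" (OpenSSL 1.1+) subject formatting.
p12_has_subject_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject \
        | grep -q "CN *= *$3"
}

# Usage with the Secure Transport curl once client.p12 exists (hypothetical host):
#   curl --cert client.p12:secret --cert-type P12 https://mtls.example.invalid/
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_self_signed_identity "$work" "example-client"
    pem_to_p12 "$work/cert.pem" "$work/key.pem" "$work/client.p12" "secret"
    p12_has_subject_cn "$work/client.p12" "secret" "example-client" && echo "client.p12 ready in $work"
fi
```

The password on the archive is what curl prompts for (or what you append after the colon in `--cert`); choose it knowing it protects the private key at rest in that file.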


tl;dr Apple shipped curl without HTTP/2 support on their macOS, and the author of curl can do nothing about it.



