The version of OpenSSL that comes with 10.3 has a known security flaw. This is not a problem if you don't run servers but if, like me, you have SSL or SSH connections to Apache, Postfix or others, it is wise to upgrade. Unfortunately, upgrading OpenSSL is a bit of a minefield - one that can prevent your machine from booting (as I discovered ...). Luckily, the solution is quite simple.
The problem lies with how Apple compiled the OpenSSL libs for 10.3. As a dynamic library, OpenSSL has a library version and a compatibility version. The first states what the actual version of the library is, the second states the oldest library version it is compatible with. Normal OpenSSL library compiles seem to specify a compatibility with version 0.9.0 upwards. Apple's libraries specify compatibility with version 0.9.7 upwards. As a result, if you try to do a stock install of the latest OpenSSL library, the dynamic linker complains that the compatibility version of your new library is too old. This causes NetInfo not to load on boot and the entire system grinds to a halt. Thank God for FireWire Target Disk mode!
The fix is to cause the compiler to build OpenSSL libs with a high enough compatibility version when you install the new sources. You also want to overwrite the old libs with the new ones (rather than keeping both sets around) because otherwise you run into many, many other problems.
First, you need to do the standard ./config but changing the default install path to the one Apple uses and enabling shared library support:
./config shared --prefix=/usr/
Next, edit the resulting Makefile in the base OpenSSL source directory to generate a lib with the higher compatibility_version number. Open the Makefile in your favorite editor (NOT one that re-wraps lines, such as pico) and look for the line:
# For Darwin AKA Mac OS/X (dyld)
A few lines below this, find the line starting:
-compatibility_version ${SHLIB_MAJOR} ...
and change the line to the same as the 'current_version' parameter on the line above:
-compatibility_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \
Or, if you want, just type in the value by hand. Having done this, save the changes and follow the normal make/install process.
You might want to make a backup copy of /usr/lib/libcrypto.0.9.7.dylib and /usr/lib/libssl.0.9.7.dylib before you install, so you can put them back if things go bad!
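A pre-install check for the compatibility version problem described above, as an added example that is not part of the original hint: it parses otool -L output and rejects a new library whose compatibility version is lower than that of the installed one. The otool output shown is constructed sample text, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare dylib compatibility versions before installing.
# All otool output below is constructed sample text, not captured from a real system.

# Print the compatibility version from `otool -L <dylib>` output on stdin.
# For a dylib, the first library entry is the library's own ID line.
compat_version() {
    sed -n 's/.*(compatibility version \([0-9.]*\), current version.*/\1/p' | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing numeric components left to right.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Succeed only if the new library ($2) declares a compatibility version at
# least as high as the installed one ($1). Unparseable input fails closed.
safe_to_install() {
    old=$(printf '%s\n' "$1" | compat_version)
    new=$(printf '%s\n' "$2" | compat_version)
    [ -n "$old" ] && [ -n "$new" ] && version_ge "$new" "$old"
}

APPLE_OUT='/usr/lib/libcrypto.0.9.7.dylib:
    /usr/lib/libcrypto.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)'
STOCK_OUT='libcrypto.0.9.7.dylib:
    /usr/lib/libcrypto.0.9.7.dylib (compatibility version 0.9.0, current version 0.9.7)'
FIXED_OUT='libcrypto.0.9.7.dylib:
    /usr/lib/libcrypto.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)'

for build in STOCK_OUT FIXED_OUT; do
    eval "out=\$$build"
    if safe_to_install "$APPLE_OUT" "$out"; then
        echo "$build: compatibility version OK, safe to install"
    else
        echo "$build: compatibility version too old, do NOT install"
    fi
done
# On the real machine, feed in "$(otool -L /usr/lib/libcrypto.0.9.7.dylib)" and
# the output for the freshly built dylib in the source tree; repeat for libssl.
```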
A second Mac and a FireWire cable are very handy in these situations. If the upgraded Mac won't boot, reboot it by holding down the power button until it turns off, then turn it back on again, holding down the 't' key on the keyboard. This will place the Mac in Open Firmware's 'Target Disk Mode'. Now plug the FireWire cable between the Mac and a second Mac and the first Mac's hard disk should mount on the second Mac. Now you can go in on the command line (the root of the disk being /Volumes/[computer name]/) and fix things.
If you want to see what is happening while the Mac is booting, boot while holding down Command and 'v'. This will give you the Linux-style stream of startup info rather than the pretty white/grey screen.