[Privoxy-devel] Compile errors with --with-wolfssl

Fabian Keil fk at fabiankeil.de
Thu Jun 18 08:59:36 CEST 2026


Ian Silvester via Privoxy-devel <privoxy-devel at lists.privoxy.org> wrote on 2026-06-17 at 17:05:26:

> I am dissatisfied with the pre-requisites for building OpenSSL from
> source so I thought I'd try one of our alternative SSL libraries;
> I picked WolfSSL for no reason other than I remembered the name before mbedTLS ;)
> 
> I noticed this warning at the end of running WolfSSL's ./configure:
> 
> Note: Make sure your application includes "wolfssl/options.h" before any other wolfSSL headers.
>       You can define "WOLFSSL_USE_OPTIONS_H" in your application to include this automatically.
> 
> I didn't find this #define anywhere in our code.
>
> Our ./configure ran cleanly, but make threw the errors below. Might the
> cause be as simple as the lack of the #define above?

I don't think so.

We already include wolfssl/options.h "before any other wolfSSL headers"
so there should be no need to additionally define WOLFSSL_USE_OPTIONS_H.

> gcc -std=gnu23 -c -pipe -O2 -mdynamic-no-pic -mcpu=apple-m1  -I/usr/local/include/ -I/usr/local/include/wolfssl -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk -arch arm64 -mmacosx-version-min=11.0 -DNDEBUG   -Dunix -Wall  wolfssl.c -o wolfssl.o
> wolfssl.c:59:53: error: unknown type name 'X509'
>    59 | static int ssl_store_cert(struct client_state *csp, X509 *crt);
>       |                                                     ^
> wolfssl.c:78:2: warning: wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS [-W#warnings]
>    78 | #warning wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS
>       |  ^

Probably this warning should be turned into an error as Privoxy will not
compile without WOLFSSL_ALT_CERT_CHAINS being available.

> wolfssl.c:251:12: error: use of undeclared identifier 'EVP_PKEY_RSA'
>   251 |       case EVP_PKEY_RSA:
>       |            ^~~~~~~~~~~~

Looks like your wolfSSL build is also missing some OpenSSL compatibility code.

Unfortunately the required wolfSSL configure options and CFLAGS
to build Privoxy currently aren't documented.

On ElectroBSD I use a modified version of the FreeBSD port
security/wolfssl which uses:

CONFIGURE_ARGS=	--disable-dependency-tracking \
		--enable-certgen \
		--enable-context-extra-user-data \
		--enable-des3 \
		--enable-dh \
		--enable-dsa \
		--enable-dtls \
		--enable-ecc \
		--enable-haproxy \
		--enable-fastmath \
		--enable-fasthugemath \
		--enable-ipv6 \
		--enable-keygen \
		--enable-opensslall \
		--enable-opensslextra \
		--enable-quic \
		--enable-ripemd \
		--enable-sessioncerts \
		--enable-session-ticket \
		--enable-sp \
		--enable-sp-asm \
		--enable-sp-math-all \
		--enable-sha512 \
		--enable-shared \
		--enable-sni \
		--enable-ssh \
		--enable-static \
		--enable-tls13 \
		--enable-tls13-draft18 \
		--enable-tlsx \
		--enable-keying-material

CFLAGS+=	-DWOLFSSL_ALT_NAMES -DWOLFSSL_GETRANDOM=1 \
		-DWOLFSSL_TLS13_MIDDLEBOX_COMPAT \
		-DFP_MAX_BITS=8192 -DNO_WOLFSSL_STUB \
		-DWOLFSSL_ALT_CERT_CHAINS -DWOLFSSL_NO_ASN_STRICT

Not all of those settings are strictly required but the combination works
for me and is probably a good start to get things going on macOS as well.

Fabian
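
A pre-build check for the situation in this thread, as an added example that is not part of the original message or of Privoxy's code: it lists the macros that an installed wolfSSL's wolfssl/options.h does not define. The default macro list (WOLFSSL_ALT_CERT_CHAINS from the warning above, plus OPENSSL_EXTRA as the macro assumed to correspond to --enable-opensslextra) and all function names are assumptions.

```shell
#!/bin/sh
# Added example: report which macros a wolfSSL build's options.h is missing.
# The default list is an assumption drawn from the errors in this thread.
REQUIRED_MACROS="${REQUIRED_MACROS:-WOLFSSL_ALT_CERT_CHAINS OPENSSL_EXTRA}"

# missing_wolfssl_macros OPTIONS_H [MACRO...]
# Prints each macro that has no active "#define" in OPTIONS_H.
# Returns 0 if all are defined, 1 if any is missing, 2 if the file is unreadable.
missing_wolfssl_macros() {
    options_h=$1; shift
    [ -r "$options_h" ] || { echo "cannot read $options_h" >&2; return 2; }
    [ $# -gt 0 ] || set -- $REQUIRED_MACROS
    rc=0
    for macro in "$@"; do
        # Match "#define NAME" or "#define NAME value", but not "#undef NAME"
        # and not a longer macro name that merely starts with NAME.
        if ! grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$options_h"; then
            echo "$macro"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an options.h from a build without the OpenSSL
# compatibility layer, in the "#undef NAME" / "#define NAME" layout.
sample_options_h() {
    cat <<'EOF'
#undef  WOLFSSL_ALT_CERT_CHAINS
#define WOLFSSL_ALT_CERT_CHAINS
#undef  OPENSSL_EXTRA_X509_SMALL
#define OPENSSL_EXTRA_X509_SMALL
#undef  FP_MAX_BITS
#define FP_MAX_BITS 8192
EOF
}

# Usage: sh check.sh /usr/local/include/wolfssl/options.h [MACRO...]
if [ $# -gt 0 ]; then
    missing_wolfssl_macros "$@" || echo "wolfSSL build lacks the macros listed above" >&2
fi
```

Running it against the options.h under the include path passed to the compiler shows before make whether wolfSSL was built with the settings Privoxy expects.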