[Privoxy-devel] Compile errors with --with-wolfssl

Ian Silvester iansilvester at fastmail.fm
Sat Jun 20 23:21:28 CEST 2026


On Thu, 18 Jun 2026, at 02:59, Fabian Keil via Privoxy-devel wrote:
> Ian Silvester via Privoxy-devel <privoxy-devel at lists.privoxy.org> wrote on 2026-06-17 at 17:05:26:
>
>> I am dissatisfied with the pre-requisites for building OpenSSL from
>> source so I thought I'd try one of our alternative SSL libraries;
>> I picked WolfSSL for no reason other than I remembered the name before mbedTLS ;)
>> 
>> I noticed this warning at the end of running WolfSSL's ./configure:
>> 
>> Note: Make sure your application includes "wolfssl/options.h" before any other wolfSSL headers.
>>       You can define "WOLFSSL_USE_OPTIONS_H" in your application to include this automatically.
>> 
>> I didn't find this #define anywhere in our code.
>>
>> Our ./configure ran cleanly, but make threw the errors below. Might the
>> cause be as simple as the lack of the #define above?
>
> I don't think so.
>
> We already include wolfssl/options.h "before any other wolfSSL headers"
> so there should be no need to additionally define WOLFSSL_USE_OPTIONS_H.
>
>> gcc -std=gnu23 -c -pipe -O2 -mdynamic-no-pic -mcpu=apple-m1  -I/usr/local/include/ -I/usr/local/include/wolfssl -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk -arch arm64 -mmacosx-version-min=11.0 -DNDEBUG   -Dunix -Wall  wolfssl.c -o wolfssl.o
>> wolfssl.c:59:53: error: unknown type name 'X509'
>>    59 | static int ssl_store_cert(struct client_state *csp, X509 *crt);
>>       |                                                     ^
>> wolfssl.c:78:2: warning: wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS [-W#warnings]
>>    78 | #warning wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS
>>       |  ^
>
> Probably this warning should be turned into an error as Privoxy will not
> compile without WOLFSSL_ALT_CERT_CHAINS being available.
>
>> wolfssl.c:251:12: error: use of undeclared identifier 'EVP_PKEY_RSA'
>>   251 |       case EVP_PKEY_RSA:
>>       |            ^~~~~~~~~~~~
>
> Looks like your wolfSSL build is also missing some OpenSSL compatibility code.
>
> Unfortunately the required wolfSSL configure options and CFLAGS
> to build Privoxy currently aren't documented.
>
> On ElectroBSD I use a modified version of the FreeBSD port
> security/wolfssl which uses:
>
> CONFIGURE_ARGS=	--disable-dependency-tracking \
> 		--enable-certgen \
> 		--enable-context-extra-user-data \
> 		--enable-des3 \
> 		--enable-dh \
> 		--enable-dsa \
> 		--enable-dtls \
> 		--enable-ecc \
> 		--enable-haproxy \
> 		--enable-fastmath \
> 		--enable-fasthugemath \
> 		--enable-ipv6 \
> 		--enable-keygen \
> 		--enable-opensslall \
> 		--enable-opensslextra \
> 		--enable-quic \
> 		--enable-ripemd \
> 		--enable-sessioncerts \
> 		--enable-session-ticket \
> 		--enable-sp \
> 		--enable-sp-asm \
> 		--enable-sp-math-all \
> 		--enable-sha512 \
> 		--enable-shared \
> 		--enable-sni \
> 		--enable-ssh \
> 		--enable-static \
> 		--enable-tls13 \
> 		--enable-tls13-draft18 \
> 		--enable-tlsx \
> 		--enable-keying-material
>
> CFLAGS+=	-DWOLFSSL_ALT_NAMES -DWOLFSSL_GETRANDOM=1 \
> 		-DWOLFSSL_TLS13_MIDDLEBOX_COMPAT \
> 		-DFP_MAX_BITS=8192 -DNO_WOLFSSL_STUB \
> 		-DWOLFSSL_ALT_CERT_CHAINS -DWOLFSSL_NO_ASN_STRICT
>
> Not all of those settings are strictly required but the combination works
> for me and is probably a good start to get things going on macOS as well.
>
> Fabian

Thanks Fabian!

I stripped out des3, dh and dsa, given how weak they now are, installed it, and privoxy compiled right away! Just got to confirm that HTTPS inspection actually works and I'll be able to distribute the install for Apple Silicon :)

Ian
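
As an added example (not part of the original message and not Privoxy or wolfSSL code), a shell check that reports which macros an installed wolfssl/options.h lacks before the Privoxy build is attempted. It assumes wolfSSL's configure records each enabled feature as a "#define NAME" line in options.h and that --enable-opensslextra shows up there as OPENSSL_EXTRA; the function names and sample headers are constructed.

```shell
#!/bin/sh
# Added example: list the macros a wolfSSL options.h does not define.
# Assumption: configure records each enabled feature as "#define NAME".

# missing_wolfssl_macros FILE MACRO...
# Prints the MACROs that FILE does not define, space-separated.
missing_wolfssl_macros() {
    hdr=$1; shift
    missing=
    for m in "$@"; do
        # Match "#define NAME" with optional spacing and an optional value;
        # "#undef NAME" lines and longer names sharing the prefix do not count.
        if ! grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$m([[:space:]]|\$)" "$hdr"; then
            missing="$missing${missing:+ }$m"
        fi
    done
    printf '%s\n' "$missing"
}

# Macros suggested by the errors in the thread (assumed list, not Privoxy's own).
REQUIRED_MACROS="WOLFSSL_ALT_CERT_CHAINS OPENSSL_EXTRA"

# write_sample_headers DIR: constructed options.h fragments for the demo.
write_sample_headers() {
    cat > "$1/minimal_options.h" <<'EOF'
#undef  HAVE_ECC
#define HAVE_ECC
#undef  WOLFSSL_ALT_CERT_CHAINS
EOF
    cat > "$1/full_options.h" <<'EOF'
#undef  OPENSSL_EXTRA
#define OPENSSL_EXTRA
#undef  WOLFSSL_ALT_CERT_CHAINS
#define WOLFSSL_ALT_CERT_CHAINS
#undef  FP_MAX_BITS
#define FP_MAX_BITS 8192
EOF
}

demo_dir=$(mktemp -d)
write_sample_headers "$demo_dir"
for h in minimal_options.h full_options.h; do
    echo "$h: missing [$(missing_wolfssl_macros "$demo_dir/$h" $REQUIRED_MACROS)]"
done
rm -rf "$demo_dir"
```

To check a real installation, pass the installed header instead of the sample files, for example the options.h under the include directory given by -I in the gcc command above.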
