[Privoxy-devel] Compile errors with --with-wolfssl

Fabian Keil fk at fabiankeil.de
Sun Jun 21 09:42:21 CEST 2026


"Ian Silvester" <iansilvester at fastmail.fm> wrote on 2026-06-20 at 17:21:28:

> On Thu, 18 Jun 2026, at 02:59, Fabian Keil via Privoxy-devel wrote:
> > Ian Silvester via Privoxy-devel <privoxy-devel at lists.privoxy.org> wrote 
> > on 2026-06-17 at 17:05:26:
> >
> >> I am dissatisfied with the pre-requisites for building OpenSSL from
> >> source so I thought I'd try one of our alternative SSL libraries;
> >> I picked WolfSSL for no reason other than I remembered the name before mbedTLS ;)
> >> 
> >> I noticed this warning at the end of running WolfSSL's ./configure:
> >> 
> >> Note: Make sure your application includes "wolfssl/options.h" before any other wolfSSL headers.
> >>       You can define "WOLFSSL_USE_OPTIONS_H" in your application to include this automatically.
> >> 
> >> I didn't find this #define anywhere in our code.
> >>
> >> Our ./configure ran cleanly, but make threw the errors below. Might the
> >> cause be as simple as the lack of the #define above?
> >
> > I don't think so.
> >
> > We already include wolfssl/options.h "before any other wolfSSL headers"
> > so there should be no need to additionally define WOLFSSL_USE_OPTIONS_H.
> >
> >> gcc -std=gnu23 -c -pipe -O2 -mdynamic-no-pic -mcpu=apple-m1  -I/usr/local/include/ -I/usr/local/include/wolfssl -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk -arch arm64 -mmacosx-version-min=11.0 -DNDEBUG   -Dunix -Wall  wolfssl.c -o wolfssl.o
> >> wolfssl.c:59:53: error: unknown type name 'X509'
> >>    59 | static int ssl_store_cert(struct client_state *csp, X509 *crt);
> >>       |                                                     ^
> >> wolfssl.c:78:2: warning: wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS [-W#warnings]
> >>    78 | #warning wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS
> >>       |  ^
> >
> > Probably this warning should be turned into an error as Privoxy will not
> > compile without WOLFSSL_ALT_CERT_CHAINS being available.
> >
> >> wolfssl.c:251:12: error: use of undeclared identifier 'EVP_PKEY_RSA'
> >>   251 |       case EVP_PKEY_RSA:
> >>       |            ^~~~~~~~~~~~
> >
> > Looks like your wolfSSL build is also missing some OpenSSL compatibility code.
> >
> > Unfortunately the required wolfSSL configure options and CFLAGS
> > to build Privoxy currently aren't documented.
> >
> > On ElectroBSD I use a modified version of the FreeBSD port
> > security/wolfssl which uses:
> >
> > CONFIGURE_ARGS=	--disable-dependency-tracking \
> > 		--enable-certgen \
> > 		--enable-context-extra-user-data \
> > 		--enable-des3 \
> > 		--enable-dh \
> > 		--enable-dsa \
> > 		--enable-dtls \
> > 		--enable-ecc \
> > 		--enable-haproxy \
> > 		--enable-fastmath \
> > 		--enable-fasthugemath \
> > 		--enable-ipv6 \
> > 		--enable-keygen \
> > 		--enable-opensslall \
> > 		--enable-opensslextra \
> > 		--enable-quic \
> > 		--enable-ripemd \
> > 		--enable-sessioncerts \
> > 		--enable-session-ticket \
> > 		--enable-sp \
> > 		--enable-sp-asm \
> > 		--enable-sp-math-all \
> > 		--enable-sha512 \
> > 		--enable-shared \
> > 		--enable-sni \
> > 		--enable-ssh \
> > 		--enable-static \
> > 		--enable-tls13 \
> > 		--enable-tls13-draft18 \
> > 		--enable-tlsx \
> > 		--enable-keying-material
> >
> > CFLAGS+=	-DWOLFSSL_ALT_NAMES -DWOLFSSL_GETRANDOM=1 \
> > 		-DWOLFSSL_TLS13_MIDDLEBOX_COMPAT \
> > 		-DFP_MAX_BITS=8192 -DNO_WOLFSSL_STUB \
> > 		-DWOLFSSL_ALT_CERT_CHAINS -DWOLFSSL_NO_ASN_STRICT
> >
> > Not all of those settings are strictly required but the combination works
> > for me and is probably a good start to get things going on macOS as well.

> Thanks Fabian!
> 
> I stripped out des3, dh and dsa, given how weak they now are, installed it,
> and privoxy compiled right away! Just got to confirm that HTTPS inspection
> actually works and I'll be able to distribute the install for Apple Silicon :)

I just checked with [0] and had to remove --enable-haproxy to
get a "Probably Okay" rating. The other flags don't seem to negatively
affect the results.

Note that enabling DES3 does not automatically enable DES3-based
TLS cipher suites which have their own flag.

Completely disabling DES3 will prevent Privoxy from reading
PBES2-3DES-CBC-encoded keys so users will have to use AES-encoded keys
which isn't covered by our documentation yet. It will have to be covered
by the time of the 4.3.0 release, though, as MbedTLS 4.x doesn't support
DES3 either.

Fabian

[0]: <https://www.howsmyssl.com/>
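The errors Ian reported come from a wolfSSL build whose generated options.h lacks the defines Privoxy's wolfssl.c relies on. The following is an added example, not code from the Privoxy project or from anyone in this thread: a small POSIX sh preflight check that inspects a wolfssl/options.h before you attempt `./configure --with-wolfssl`. It assumes that wolfSSL's configure writes both its --enable-* options and user-supplied -D CFLAGS into options.h (which is why the header must be included first), and that OPENSSL_EXTRA/OPENSSL_ALL (from --enable-opensslextra/--enable-opensslall) are what provide the OpenSSL compatibility names such as X509 and EVP_PKEY_RSA; the two sample options.h files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a generated wolfssl/options.h for the defines that
# Privoxy's wolfssl.c needs before compiling Privoxy with --with-wolfssl.
# Assumption: wolfSSL's configure records both --enable-* options and
# user -D CFLAGS in options.h, and OPENSSL_EXTRA/OPENSSL_ALL provide the
# OpenSSL compatibility layer (X509, EVP_PKEY_RSA, ...).

# WOLFSSL_ALT_CERT_CHAINS is named in the thread; the other two come from
# --enable-opensslextra and --enable-opensslall (assumed define names).
REQUIRED_DEFINES="WOLFSSL_ALT_CERT_CHAINS OPENSSL_EXTRA OPENSSL_ALL"

# check_wolfssl_options FILE
# Prints each missing define; returns 0 if all are present, 1 otherwise.
check_wolfssl_options() {
    file="$1"
    missing=0
    for d in $REQUIRED_DEFINES; do
        # Require "#define NAME" followed by whitespace or end of line so a
        # longer name (e.g. OPENSSL_EXTRA_X509_SMALL) does not count.
        if ! grep -Eq "^#define[[:space:]]+$d([[:space:]]|\$)" "$file"; then
            echo "missing: $d"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample files (not real configure output).
GOOD_OPTIONS=$(mktemp)
BAD_OPTIONS=$(mktemp)
trap 'rm -f "$GOOD_OPTIONS" "$BAD_OPTIONS"' EXIT

# A build done with the thread's flags, including -DWOLFSSL_ALT_CERT_CHAINS:
cat >"$GOOD_OPTIONS" <<'EOF'
#ifndef WOLFSSL_OPTIONS_H
#define WOLFSSL_OPTIONS_H
#define OPENSSL_EXTRA
#define OPENSSL_ALL
#define WOLFSSL_ALT_CERT_CHAINS
#define HAVE_TLS_EXTENSIONS
#endif
EOF

# A plain "./configure" build, as in the reported compile failure:
cat >"$BAD_OPTIONS" <<'EOF'
#ifndef WOLFSSL_OPTIONS_H
#define WOLFSSL_OPTIONS_H
#define HAVE_TLS_EXTENSIONS
#endif
EOF

# Usage on a real install: check_wolfssl_options /usr/local/include/wolfssl/options.h
check_wolfssl_options "$GOOD_OPTIONS" && echo "wolfSSL build looks usable for Privoxy"
check_wolfssl_options "$BAD_OPTIONS" || echo "rebuild wolfSSL with the missing options"
```

Run it against the options.h of the wolfSSL you actually installed (the path in Ian's -I flags would be /usr/local/include/wolfssl/options.h); if it reports missing defines, rebuild wolfSSL with the corresponding --enable flags or -D CFLAGS rather than defining them in Privoxy's own build, since the library itself must be compiled with them.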