[Privoxy-devel] Compile errors with --with-wolfssl

Ian Silvester iansilvester at fastmail.fm
Mon Jun 22 04:02:06 CEST 2026


On Sun, 21 Jun 2026, at 03:42, Fabian Keil via Privoxy-devel wrote:
> "Ian Silvester" <iansilvester at fastmail.fm> wrote on 2026-06-20 at 17:21:28:
>
>> On Thu, 18 Jun 2026, at 02:59, Fabian Keil via Privoxy-devel wrote:
>> > Ian Silvester via Privoxy-devel <privoxy-devel at lists.privoxy.org> wrote 
>> > on 2026-06-17 at 17:05:26:
>> >
>> >> I am dissatisfied with the pre-requisites for building OpenSSL from
>> >> source so I thought I'd try one of our alternative SSL libraries;
>> >> I picked WolfSSL for no reason other than I remembered the name before mbedTLS ;)
>> >> 
>> >> I noticed this warning at the end of running WolfSSL's ./configure:
>> >> 
>> >> Note: Make sure your application includes "wolfssl/options.h" before any other wolfSSL headers.
>> >>       You can define "WOLFSSL_USE_OPTIONS_H" in your application to include this automatically.
>> >> 
>> >> I didn't find this #define anywhere in our code.
>> >>
>> >> Our ./configure ran cleanly, but make threw the errors below. Might the
>> >> cause be as simple as the lack of the #define above?
>> >
>> > I don't think so.
>> >
>> > We already include wolfssl/options.h "before any other wolfSSL headers"
>> > so there should be no need to additionally define WOLFSSL_USE_OPTIONS_H.
>> >
>> >> gcc -std=gnu23 -c -pipe -O2 -mdynamic-no-pic -mcpu=apple-m1  -I/usr/local/include/ -I/usr/local/include/wolfssl -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk -arch arm64 -mmacosx-version-min=11.0 -DNDEBUG   -Dunix -Wall  wolfssl.c -o wolfssl.o
>> >> wolfssl.c:59:53: error: unknown type name 'X509'
>> >>    59 | static int ssl_store_cert(struct client_state *csp, X509 *crt);
>> >>       |                                                     ^
>> >> wolfssl.c:78:2: warning: wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS [-W#warnings]
>> >>    78 | #warning wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS
>> >>       |  ^
>> >
>> > Probably this warning should be turned into an error as Privoxy will not
>> > compile without WOLFSSL_ALT_CERT_CHAINS being available.
>> >
>> >> wolfssl.c:251:12: error: use of undeclared identifier 'EVP_PKEY_RSA'
>> >>   251 |       case EVP_PKEY_RSA:
>> >>       |            ^~~~~~~~~~~~
>> >
>> > Looks like your wolfSSL build is also missing some OpenSSL compatibility code.
>> >
>> > Unfortunately the required wolfSSL configure options and CFLAGS
>> > to build Privoxy currently aren't documented.
>> >
>> > On ElectroBSD I use a modified version of the FreeBSD port
>> > security/wolfssl which uses:
>> >
>> > CONFIGURE_ARGS=	--disable-dependency-tracking \
>> > 		--enable-certgen \
>> > 		--enable-context-extra-user-data \
>> > 		--enable-des3 \
>> > 		--enable-dh \
>> > 		--enable-dsa \
>> > 		--enable-dtls \
>> > 		--enable-ecc \
>> > 		--enable-haproxy \
>> > 		--enable-fastmath \
>> > 		--enable-fasthugemath \
>> > 		--enable-ipv6 \
>> > 		--enable-keygen \
>> > 		--enable-opensslall \
>> > 		--enable-opensslextra \
>> > 		--enable-quic \
>> > 		--enable-ripemd \
>> > 		--enable-sessioncerts \
>> > 		--enable-session-ticket \
>> > 		--enable-sp \
>> > 		--enable-sp-asm \
>> > 		--enable-sp-math-all \
>> > 		--enable-sha512 \
>> > 		--enable-shared \
>> > 		--enable-sni \
>> > 		--enable-ssh \
>> > 		--enable-static \
>> > 		--enable-tls13 \
>> > 		--enable-tls13-draft18 \
>> > 		--enable-tlsx \
>> > 		--enable-keying-material
>> >
>> > CFLAGS+=	-DWOLFSSL_ALT_NAMES -DWOLFSSL_GETRANDOM=1 \
>> > 		-DWOLFSSL_TLS13_MIDDLEBOX_COMPAT \
>> > 		-DFP_MAX_BITS=8192 -DNO_WOLFSSL_STUB \
>> > 		-DWOLFSSL_ALT_CERT_CHAINS -DWOLFSSL_NO_ASN_STRICT
>> >
>> > Not all of those settings are strictly required but the combination works
>> > for me and is probably a good start to get things going on macOS as well.
>
>> Thanks Fabian!
>> 
>> I stripped out des3, dh and dsa, given how weak they now are, installed it,
>> and privoxy compiled right away! Just got to confirm that HTTPS inspection
>> actually works and I'll be able to distribute the install for Apple Silicon :)
>
> I just checked with [0] and had to remove --enable-haproxy to
> get a "Probably Okay" rating. The other flags don't seem to negatively
> affect the results.

I found the same, and also found that 'make check' failed one test with --enable-haproxy included. I did however need to add these two to CONFIGURE_OPTS explicitly since --enable-haproxy was causing them to be pulled in 'silently':

--enable-secure-renegotiation
--enable-altcertchains

> Note that enabling DES3 does not automatically enable DES3-based
> TLS cipher suites which have their own flag.
>
> Completely disabling DES3 will prevent Privoxy from reading
> PBES2-3DES-CBC-encoded keys so users will have to use AES-encoded keys
> which isn't covered by our documentation yet. It will have to be covered
> by the time of the 4.3.0 release, though, as MbedTLS 4.x doesn't support
> DES3 either.

Good to know.

I've a solid, tested installer now - tomorrow I'll upload it to my mirror and Sourceforge.

Ian


>
> Fabian
>
> [0]: <https://www.howsmyssl.com/>

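Added example, not part of the original thread and not Privoxy or wolfSSL project code: a pre-build check that reads the wolfssl/options.h generated by wolfSSL's ./configure and lists the macros Privoxy's wolfssl.c needs but the installed library was built without. WOLFSSL_ALT_CERT_CHAINS comes from the warning quoted above; mapping the missing X509 and EVP_PKEY_RSA symbols to OPENSSL_EXTRA (set by --enable-opensslextra) is an assumption, and the sample header is constructed.

```shell
#!/bin/sh
# Added example: report which build macros a wolfSSL install lacks, judged by
# the wolfssl/options.h that wolfSSL's ./configure generated.

# Print each macro named in "$2 ..." that the file "$1" does not #define.
# Exit status: 0 = all present, 1 = at least one missing, 2 = file unreadable.
missing_wolfssl_macros() {
    opts=$1; shift
    [ -r "$opts" ] || { echo "cannot read $opts" >&2; return 2; }
    rc=0
    for macro in "$@"; do
        # Match "#define NAME" with or without a value; the trailing
        # alternation keeps NAME from matching a longer macro's prefix.
        if ! grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$opts"; then
            echo "$macro"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real generated file): a wolfSSL build made
# without the OpenSSL compatibility layer and without alt cert chains.
write_sample_options_h() {
    cat > "$1" <<'EOF'
#undef  HAVE_ECC
#define HAVE_ECC

#undef  WOLFSSL_TLS13
#define WOLFSSL_TLS13

#undef  NO_DES3
#define NO_DES3
EOF
}

# WOLFSSL_ALT_CERT_CHAINS is named in the thread; OPENSSL_EXTRA is an
# assumption about which macro provides X509 and EVP_PKEY_RSA.
REQUIRED_MACROS="OPENSSL_EXTRA WOLFSSL_ALT_CERT_CHAINS"

# Usage: sh check-wolfssl.sh /usr/local/include/wolfssl/options.h
if [ -n "${1:-}" ]; then
    missing_wolfssl_macros "$1" $REQUIRED_MACROS
fi
```
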
