Configuring Postgres with OpenSSL and '--with-openssl' option

Asked 1/9, 2016 at 23:38 Answered 6/6, 2019 at 17:52

postgresql openssl autoconf

I tried installing Postgres with OpenSSL by doing

./configure --with-openssl

but I got an error saying

configure: error: header file openssl/ssl.h is required for OpenSSL

However, I do have OpenSSL installed. If I run openssl version I get this output

OpenSSL 0.9.8zh 14 Jan 2016

I came across this solution and tried doing

./configure --with-includes=/usr/local/ssl/include and it installed without any problems.

Can someone explain whats going on and the difference between the two configure versions?

Lavadalavage answered 1/9, 2016 at 23:38 Comment(1)

Having openssl installed does not mean the development files are installed. Linux distros split libraries into separate packages for mere usage and development, for instance libssl-dev for openssl on debian-based systems. – Drucie 2/9, 2016 at 15:40

Can someone explain whats going on and the difference between the two configure versions.

You can run ./configure --help to get a synopsis of arguments:

$ ./configure --help | egrep -i '(ssl|includes)'
  --with-includes=DIRS    look for additional header files in DIRS
  --with-openssl          build with OpenSSL support

./configure --with-openssl

This simply enables OpenSSL in Postgres. It enables checking in Autoconf, like probing for symbols CRYPTO_new_ex_data and SSL_Library_init.

It also looks like configure defines #define USE_OPENSSL 1 which activates OpenSSL code paths:

$ grep -IR OPENSSL * | grep '.c'
...
src/backend/postmaster/fork_process.c:#ifdef USE_OPENSSL
src/backend/postmaster/fork_process.c:#ifdef USE_OPENSSL
src/backend/utils/init/postinit.c:#ifdef USE_OPENSSL
src/backend/utils/init/postinit.c:#ifdef USE_OPENSSL
src/include/libpq/libpq-be.h:#ifdef USE_OPENSSL
src/include/libpq/libpq-be.h:#ifdef USE_OPENSSL
...

./configure --with-includes=/usr/local/ssl/include

This probably did not enable OpenSSL. It simply added a path for headers that were not used during compilation. Use lddon Linux and otool -L on OS X to see if there are any OpenSSL dependencies.

You should probably use ./configure --with-openssl --with-includes=/usr/local/ssl/include --with-libraries=/usr/local/ssl/lib. You should probably add CFLAGS="-Wl,-rpath=/usr/local/ssl/lib to ensure proper runtime linking.

Also see Postgres Issue 14308: Postgres 9.5.4 does not configure against OpenSSL 1.1.0

Orelia answered 2/9, 2016 at 6:57 Comment(9)

So I installed OpenSSL by following the instructions in the Install file. However, my /usr/local/ssl directory doesn't contain a lib folder or a include folder. – Lavadalavage 3/9, 2016 at 0:17

@Lavadalavage - If you need help building and installing OpenSSL on a platform, then you should ask another question. Please state the platform (OS X?). I almost provided the recipe for OpenSSL and Postgres, but the question did not lend itself to the recipe because its for Postgres/Autoconf and the platform was missing. – Orelia 3/9, 2016 at 3:0

Sorry for the confusion. When I try your solution with my paths I get the error "configure: error: library 'ssl' is required for OpenSSL". I have to run ./configure --with-openssl --with-includes=/usr/local/include/openssl --with-libraries=/usr/local/lib. For some reason my lib and include aren't contained within /usr/local/ssl instead they're located at /usr/local/lib and /usr/local/include – Lavadalavage 3/9, 2016 at 20:14

I've been overlooking that link you provided at the bottom. It looks like I'm having the same problem. – Lavadalavage 3/9, 2016 at 21:31

@Lavadalavage - Also see How to tell Autoconf “require symbol A or B” from LIB? I don't know Autoconf (I still write my own makefiles) so I don't know how to proceed. Once configuration is complete, the port to OpenSSL 1.1.0 can proceed. That should be relatively pain free as long as Postgres is not being too clever with OpenSSL. – Orelia 4/9, 2016 at 1:8

So you're having the same problem? I thought I was doing something very wrong. I'm thinking of giving up installing postgres myself and using homebrew instead. – Lavadalavage 4/9, 2016 at 1:17

@Lavadalavage - use OpenSSL 1.0.2 until the Postgres folks add the support. There's no material difference between OpenSSL 1.1.0 and 1.0.2 with respect to TLS in Postgres. Plus, Homebrew will most likely supply OpenSSL 1.0.2. – Orelia 4/9, 2016 at 1:20

Let us continue this discussion in chat. – Lavadalavage 4/9, 2016 at 1:21

I was cross compiling on x86 host for aarch64 target, was unable to find ssl libs despite having cross compiled them and specifying header path with --with-includes, adding --with-libraries did the trick, thanks! – Rauscher 20/5, 2021 at 20:45

Install OpenSSL-devel it will give you all dependencies. It's helped me.

In CenotOS/Redhat

sudo yum install openssl-devel

Alternative answered 6/6, 2019 at 17:52 Comment(0)

Recommended topics

Hot tags