[I] Build fails with OpenSSL 3.6 when older OpenSSL headers exist in system paths [trafficserver]

Tue, 13 Jan 2026 13:32:56 -0800 


bryancall opened a new issue, #12807:
URL: https://github.com/apache/trafficserver/issues/12807

   ## Problem
   
   The build fails when compiling `SSLStats.cc` with OpenSSL 3.6:
   
   ```
   src/iocore/net/SSLStats.cc:326:9: error: use of undeclared identifier 
'SSL_CTX_get0_implemented_groups'
     326 |     if (SSL_CTX_get0_implemented_groups(ctx, ALL_GROUPS, 
group_names) != 1) {
         |         ^
   ```
   
   ## Root Cause
   
   The cmake configuration uses `-isystem` for the OpenSSL include path. When 
an older OpenSSL installation exists in `/usr/local/include/openssl/` (e.g., 
OpenSSL 3.4), the compiler finds those headers first since `/usr/local/include` 
is in the default system include paths.
   
   The `SSL_CTX_get0_implemented_groups` macro was added in OpenSSL 3.6, so it 
doesn't exist in older versions.
   
   The cmake `check_symbol_exists()` test passes because it uses `-I` (not 
`-isystem`), which gives the specified path higher priority. This causes a 
mismatch where cmake thinks the function is available but the actual build 
fails.
   
   ## Reproduction
   
   1. Have OpenSSL 3.6 installed via Homebrew (or similar)
   2. Have older OpenSSL headers in `/usr/local/include/openssl/`
   3. Build with `cmake --preset dev-asan && ninja -C build-dev-asan`
   
   ## Potential Solutions
   
   1. **Change cmake to use `-I` instead of `-isystem` for OpenSSL** - This 
would give the specified OpenSSL path higher priority
   2. **Add a cmake check that actually compiles code using the function** - 
Rather than just checking if the symbol exists
   3. **Document the issue** - Users with multiple OpenSSL installations need 
to ensure the correct one is used
   
   ## Workaround
   
   Remove or rename the old OpenSSL headers:
   ```bash
   sudo mv /usr/local/include/openssl /usr/local/include/openssl-backup
   ```
   
   ## Environment
   
   - macOS (Darwin arm64)
   - OpenSSL 3.6.0 via Homebrew
   - Older OpenSSL 3.4.0 in /usr/local/include
   - ATS master branch


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to